Article ID: 000091423 Content Type: Product Information & Documentation Last Reviewed: 07/06/2022

Does Launching an Enclave in Pre-release Mode Enforce Memory Isolation in Intel® Software Guard Extensions (Intel® SGX)?

Summary

Launching an enclave in pre-release mode does not protect the enclave's data at the hardware level.

Description

When an enclave is launched in pre-release mode (DisableDebug = 0), values inside the enclave can be read by the untrusted application. When the enclave is compiled in pre-release mode, does Intel® SGX enforce memory isolation? Is it possible to enforce memory isolation without having the enclave signed by Intel, that is, without a commercial license?

Resolution

In an enclave compiled in pre-release mode, the data is not necessarily protected by the hardware. In release mode, access to the enclave memory by untrusted applications, debuggers, and so on is disabled at the hardware level; this is why some values may be leaked in pre-release mode but not in release mode.

For full memory isolation and protection, the enclave needs to be signed by Intel.

Additional information

Ensure that the build flags (SGX SDK Makefile variables) are set correctly before running in pre-release mode:

SGX_PRERELEASE=1

SGX_DEBUG=0

SGX_MODE=HW
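As an added example (not part of this article or the SGX SDK), the following Python check applies the article's rule to an enclave's build inputs: it reads DisableDebug from an Enclave.config.xml and the SGX_MODE/SGX_DEBUG/SGX_PRERELEASE make variables, and reports whether the resulting enclave will be hardware-isolated. The sample XML below is constructed, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an SGX SDK enclave configuration file.
# DisableDebug=0 permits the enclave to be launched with the DEBUG attribute,
# which is what debug and pre-release builds rely on.
SAMPLE_CONFIG_XML = """<EnclaveConfiguration>
  <ProdID>0</ProdID>
  <ISVSVN>0</ISVSVN>
  <StackMaxSize>0x40000</StackMaxSize>
  <HeapMaxSize>0x100000</HeapMaxSize>
  <TCSNum>1</TCSNum>
  <TCSPolicy>1</TCSPolicy>
  <DisableDebug>0</DisableDebug>
</EnclaveConfiguration>"""


def parse_disable_debug(config_xml: str) -> int:
    """Return the DisableDebug value; the SDK treats a missing element as 0."""
    root = ET.fromstring(config_xml)
    node = root.find("DisableDebug")
    if node is None or not node.text:
        return 0
    return int(node.text.strip(), 0)


def build_profile(flags: dict) -> str:
    """Map SGX SDK make variables (with the SDK sample defaults) to a build profile."""
    if flags.get("SGX_MODE", "HW").upper() != "HW":
        return "simulation"          # no enclave hardware involved at all
    if flags.get("SGX_DEBUG", "1") == "1":
        return "debug"               # SDK default: a debuggable enclave
    if flags.get("SGX_PRERELEASE", "0") == "1":
        return "prerelease"          # optimized build, still launched as a debug enclave
    return "release"


def check_isolation(config_xml: str, flags: dict) -> tuple:
    """Return (isolated, findings) for the enclave these inputs would produce."""
    findings = []
    profile = build_profile(flags)
    if profile == "simulation":
        findings.append("SGX_MODE is not HW: simulation build, no hardware isolation")
    elif profile in ("debug", "prerelease"):
        findings.append(profile + " build launches a debug enclave: the untrusted "
                        "application or a debugger can read enclave memory")
    if parse_disable_debug(config_xml) != 1:
        findings.append("DisableDebug is not 1: the signed enclave still permits "
                        "launch with the DEBUG attribute; set it to 1 for release")
    return (len(findings) == 0, findings)
```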
