Table of Contents
Intel cares about securing your most sensitive data. It’s one of the main reasons why we’ve been an Intel trusted partner for decades.
They offer a smorgasbord of advanced technologies that help users keep sensitive data from prying eyes and mitigate nation-state attacks. They even offer a vast product specifications library (ARK) that lets users know whether their products utilize these very technologies.
Today, we’re looking at one of Intel's CPU technologies in depth: Intel® SGX. We’ll describe what it is, what it’s used for, how it works, who uses it, which Intel CPUs support it, how to enable and disable it and whether you should consider the latter, and finally, we’ll talk about availability.
Without further ado, let’s jump right into this awesome technology.
Intel Software Guard Extensions (SGX) is a security instruction set baked into many of Intel’s x86-based central processing units (CPUs). SGX gives developers the ability to split a computer’s memory into what are called enclaves, which are private, predefined areas in memory that can better protect users’ sensitive information.
Put a different way, SGX encrypts sections of memory using security instructions native to the CPU. It’s a form of hardware-based encryption that allows users to protect their most-sensitive data by placing it into a highly secured environment within memory.
SGX is relatively new, debuting in Intel’s sixth-generation Core processors and Xeon E3 v6 server processors five years ago.
According to a paper published by MIT’s Computer Science and Artificial Intelligence Laboratory, SGX’s original goal was to solve the problem of secure remote computation, or “the problem of executing software on a remote computer owned and maintained by an untrusted party.”
The trusted hardware establishes a secure container, and the remote computation service user uploads the desired computation and data into the secure container. The trusted hardware protects the data’s confidentiality and integrity while the computation is being performed on it.
- MIT's Intel SGX Explained
If you’re interested in learning how to utilize Intel SGX in your server or workstation, check out this thorough SGX tutorial by Daniel Ehnes, writing for Medium, to learn how to program a secure enclave.
Infographic: Intel Software Guard Extensions (SGX)
Intel SGX is a set of instructions used for boosting the security of application code and data, which gives users a greater degree of protection from disclosure or alteration of said data. Essentially, Intel SGX helps keep users’ sensitive data from being revealed or modified by creating a trusted execution environment within memory.
Such sensitive data includes information like medical records, financial records, passwords, encryption keys, biometric identification factors – any information that, if disclosed or modified, could cause harm.
SGX is used for protecting against many known and active cybersecurity threats, such as a malicious software attack, by reducing the attack surface of servers and workstations via its use of secure enclaves, which protect information from processes running at higher privilege levels.
So, if sophisticated malware, for example, attacks the OS, BIOS, VMM, or SMM layers, Intel SGX is there to offer an additional layer of protection via placement of your sensitive data within an isolated, encrypted portion of memory. So, these layers can be compromised, but your data is still protected, as the application data stored within the enclave itself is inaccessible to external, non-verified parties and is thus safe from being destroyed, manipulated, or edited by unauthorized users, i.e., hackers.
Using this new application-layer trusted execution environment, developers can enable increased identity and records privacy, more secure browsing, digital rights management (DRM), hardened endpoint protection, and many high assurance security use cases that need to store secrets more safely or protect data.
- Intel
There’s a myriad of use cases for SGX, including but not limited to:
Visit Intel’s SGX webpage for a full list of use cases.
Quarkslab offers a great explanation of the Intel SGX process, complete with easy-to-understand diagrams, so definitely check out their overview.
Also, Intel maintains that SGX has a low learning curve, so developers won’t have to spend a ton of time figuring out how it works and how to properly take advantage of it.
But in short, this is how Intel SGX works:
The process can seem a bit abstract, especially if you’re not incredibly familiar with SGX. Thankfully, Intel does a great job of breaking it down in their Intel SGX Product Brief.
At runtime, Intel SGX instructions build and execute the enclave into a special encrypted memory region with restricted entry/exit location defined by the developer. This helps prevent data leakage. Enclave code and data inside the CPU perimeter runs in the clear, and enclave data written to memory is encrypted and its integrity checked, helping provide some assurance that no unauthorized access or memory snooping of the enclave occurs.
- Intel
Anyone with SGX-capable Intel CPUs can secure selections of their most sensitive data using SGX. Military, commercial, and industrial programs and applications that rely on servers and workstations with these CPUs have access to the technology. It has widespread use across a variety of industries, because it’s baked right into the CPU and serves a purpose that’s not unique to any one industry: protecting sensitive application data from unauthorized access. Read more about an SGX use case here.
That wonderful paper published by MIT details some SGX scenarios, though. One use case listed is for medical imaging, and by reading it, you’ll see how the technology can be advantageous across multiple industries.
A cloud computing service that processes confidential medical images could take advantage of SGX by having users upload encrypted images, with the encryption keys being sent by the users to the software running within a secure enclave. This enclave, of course, contains the processing algorithm and the protected code for encrypting and decrypting the images. The code that receives the uploaded encrypted images and stores them would be left outside the enclave.
For more information on how Intel SGX is implemented, check out Intel’s SGX video series.
Here’s a step-by-step process to determine which Intel CPUs use Intel SGX:
To determine whether your CPU supports Intel SGX, you can:
Photo: You'll have to play around with some BIOS settings to enable, disable, or set automatic enablement of Intel SGX.
According to Intel, before an application can use Intel SGX, four conditions must be met:
Within your BIOS, assuming your BIOS supports BIOS configuration and SGX’s enable, disable, and software-controlled functions, users can enable SGX, disable SGX, or have the server or workstation automatically enable SGX upon boot, the last of which is what the software-controlled function is for. The software-controlled function is great for users who don’t want, or need, to access the BIOS each time the system boots.
Intel has a fantastic guide detailing SGX setup and verification for both Windows and Linux systems. Be sure to check it out and make use of the table of contents in the left-hand section of this guide.
If your CPUs don’t support Intel SGX, then attempting to enable SGX is futile. If the CPU does support it, however, the next step of enabling SGX is to verify that your BIOS supports SGX. You can check whether your BIOS supports SGX by navigating the BIOS manually or using Intel’s feature detection procedures.
Enabling Intel SGX is neither complex nor difficult. Courtesy of Intel, here’s how to enable Intel SGX in the BIOS in just four steps:
So, to summarize, it’s important for application installers to verify whether their servers’ and workstations’ CPUs and BIOSes support Intel SGX, whether the SGX Platform Software has been installed, and finally, whether SGX has been enabled, disabled, or set to autopilot. Some applications actually require Intel SGX to run and will report a user error if Intel SGX is not detected or enabled.
Graphic: As to whether you should disable Intel SGX, the short answer is no. Even better, ask yourself, "Why would I disable SGX?"
Generally, you shouldn’t disable Intel SGX under any circumstances.
If you plan to use Intel SGX to help secure your applications and sensitive data, disablement should be completely avoided, as disablement offers no application or data protection whatsoever. You won’t even be able to install the Intel SGX Platform Software if SGX is disabled.
To avoid unintentionally disabling Intel SGX, just set the BIOS function to software-controlled. That way, you don’t have to worry about accessing the enablement and disablement features every time your system boots. You can just boot your system knowing that Intel SGX has been automatically enabled.
Photos: Trenton Systems' rugged servers and workstations incorporate Intel Core and Xeon CPUs that support Intel SGX.
Well, there you have it. We talked about:
As cybersecurity threats become increasingly sophisticated – think SolarWinds – knowing about your data security options is vital.
Here at Trenton Systems, our servers and workstations incorporate CPUs that support Intel SGX, as well as Intel PFR and Intel TME, and our amazing support team is happy to assist customers with setting up SGX in the BIOS.
And because we’re a longtime Intel solutions partner, we also have a direct line to Intel for assistance with any advanced SGX inquiries.
If you’re curious about the options available to you, our team is here to help.