SGX可信执行环境ppt

LectureEmbeddedSystemSecurityTrustedExecutionEnvironmentsIntelSGXProf.Dr.-Ing.Ahmad-RezaSadeghiSystemSecurityLabTechnischeUniversitätDarmstadt(CASED)GermanySummerTerm20141SYSTEMSECURITYLABSlideNr.2,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXSecuritycriticalcodeisolatedinenclaveOnlyCPUistrustedTransparentmemoryencryption18newinstructionsEnclavescannotharmthesystemOnlyunprivilegedcode(CPUring3)MemoryprotectionDesignedforMulti-CoresystemsMulti-threadedexecutionofenclavesParallelexecutionofenclavesanduntrustedcodeEnclavesareinterruptibleProgrammingReferenceavailableIntel®SoftwareGuardExtensions(SGX)APP2HardwareAPP1EnclaveSecurityServiceOperatingSystemCPUSGXTrustedUntrusted[McKeenetal,Hoekstraetal.,Anatietal.,HASP’13]SYSTEMSECURITYLABSlideNr.3,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXEnclavesareisolatedmemoryregionsofcodeanddataOnepartofphysicalmemory(RAM)isreservedforenclavesItiscalledEnclavePageCache(EPC)EPCmemoryisencryptedinthemainmemory(RAM)TrustedhardwareconsistsoftheCPU-DieonlyEPCismanagedbyOS/VMMSGXEnclavesRAM:RandomAccessMemoryOS:OperatingSystemVMM:VirtualMachineMonitor(alsoknownasHypervisor)SYSTEMSECURITYLABSlideNr.4,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGX18Instruction13SupervisorInstructions5UserInstructions13DataStructures8datastructuresassociatedtoacertainenclave3datastructuresassociatedtocertainmemorypage(s)2datastructuresassociatedtooverallresourcemanagementSGXInstructionsandDataStructuresSYSTEMSECURITYLABSlideNr.5,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXSupervisorInstructionDescriptionUserInstructionDescriptionENCLS[EADD]AddapageENCLU[EENTER]EnteranEnclaveENCLS[EBLOCK]BlockanEPCpageENCLU[EEXIT]ExitanEnclaveENCLS[ECREATE]CreateanenclaveENCLU[EGETKEY]CreateacryptographickeyENCLS[EDBGRD]ReaddatabydebuggerENCLU[EREPORT]CreateacryptographicreportENCLS[EDBGWR]WritedatabydebuggerENCLU[ERESUME]Re-enteranEnclaveENCLS[EEXTEND]ExtendEPCpagemeasurementENCLS[EINIT]InitializeanenclaveENCLS[ELDB]LoadanEPCpageasblockedENCLS[ELDU]LoadanEPCpageasunblockedENCLS[EPA]AddversionarrayENCLS[EREMOVE]RemoveapagefromEPCENCLS[ETRACK]ActivateEBLOCKchecksENCLS[EWB]Writeback/invalidateanEPCpageSGXInstructionsSYSTEMSECURITYLABSlideNr.6,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXSGXEnclaveControlStructure(SECS)ThreadControlStructure(TCS)StateSaveArea(SSA)PageInformation(PAGEINFO)SecurityInformation(SECINFO)PagingCryptoMetaData(PCMD)EnclaveSignatureStructure(SIGSTRUCT)EINTTokenStructure(EINITTOKEN)Report(REPORT)ReportTargetInfo(TARGETINFO)KeyRequest(KEYREQUEST)VersionArray(VA)EnclavePageCacheMap(EPCM)SGXDataStructuresSYSTEMSECURITYLABSlideNr.7,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXSGXEnclaveControlStructure(SECS)RepresentsoneenclaveContains,forinstance,Hash,ID,sizeetc.ThreadControlStructure(TCS)EachexecutingthreadintheenclaveisassociatedwithaThreadControlStructureContains,forinstance,Entrypoint,pointertoSSAStateSaveArea(SSA)WhenanAEXoccurswhilerunninginanenclave,thearchitecturalstateissavedinthethread’sSSASGXDataStructuresDetailsAEX:AsynchronousEnclaveExitSYSTEMSECURITYLABSlideNr.8,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXPageInformation(PAGEINFO)PAGEINFOisanarchitecturaldatastructurethatisusedasaparametertotheEPC-managementinstructionsLinearAddressEffectiveaddressofthepage(akavirtualaddress)SECINFOSECSSecurityInformation(SECINFO)TheSECINFOdatastructureholdsmeta-dataaboutanenclavepageRead/Write/ExecutePagetype(SECS,TCS,normalpageorVA)SGXDataStructuresDetailsSYSTEMSECURITYLABSlideNr.9,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXPagingCryptoMetaData(PCMD)ThePCMDstructureisusedtokeeptrackofcryptometa-dataassociatedwithapaged-outpage.CombinedwithPAGEINFO,itprovidesenoughinformationfortheprocessortoverify,decrypt,andreloadapaged-outEPCpage.EWBwritesout(thereservedfieldand)MACvalues.ELDB/UreadsthefieldsandcheckstheMAC.ContainsEnclaveID,SECINFOandMACSGXDataStructuresDetailsMAC:MessageAuthenticationCodeSYSTEMSECURITYLABSlideNr.10,LectureEmbeddedSystemSecurity,SS2014A.-R.Sadeghi©TUDarmstadt,2007-2014TrustedExecutionEnvironments/IntelSGXVersionArray(VA)InordertosecurelystoretheversionsofevictedEPCpages,SGXdefinesaspecialEPCpagetypecalledaVersionArray(VA).EachVApagecontains512slots,eachofwhichcancontainan8-byteversionnumberforapageevictedfromtheEPC.WhenanEPCpageisevicted,softwarechoosesanemptyslotinaVApage;thisslotreceivestheuniqueversionnumberofthepagebeingevicted.WhentheEPCpageisreloaded,aVAslotmustholdtheversionofthepage.Ifthepageissuccessfullyreloaded,the