
Let me remind you what the Intel Software Guard Extensions are. As the name suggests, this is about security. Humanity has come up with many software ways to protect its IT infrastructure from malicious or unauthorized code, but all of these methods have fundamental limitations. To overcome them, protection has to start at the heart of the computer, its processor, and rely on the processor's own capabilities.
Using this principle, Intel developed the Intel SGX extensions: a set of CPU instructions that let applications create enclaves, protected areas in the application's address space that preserve confidentiality and integrity even in the presence of malware running with privileged rights.
This post is about the new Intel SGX hardware base for any server platform, the Intel SGX Card.
The operating principles of Intel SGX enclaves are:
- Enclave memory cannot be read or written from outside the enclave, regardless of the current privilege level or operating mode of the CPU.
- Production enclaves cannot be debugged by either software or hardware debuggers. (An enclave can be created with a debug attribute, in which case the Intel SGX debugger can inspect the enclave's contents like a standard debugger; this is done for the convenience of the software development process.)
- It is impossible to enter the enclave through classical function calls, jumps, or manipulation of registers or the stack. The only way to invoke an enclave function is through a new instruction that performs several defensive checks.
- Enclave memory is protected with standard encryption algorithms and replay protection. Reading the memory directly, or moving the memory modules to another system, yields only encrypted data.
- The memory encryption key changes randomly with each power cycle (for example, at boot, and on resume from sleep or hibernation). The key is kept inside the CPU and is not accessible from outside.
- Data is isolated in enclaves and is accessible only to that enclave's own code.
[Figure: Intel SGX significantly reduces software vulnerability]
The Intel Software Guard Extensions solution was introduced in 2016. Since then, a number of Intel Xeon server processors have received support for it, after which several major cloud providers and software vendors, including Alibaba Cloud, Baidu, IBM and Microsoft, recognized the benefits of the technology and began introducing it into their services and products. However, there is a technical obstacle in the path of Intel SGX's triumphant march: there are still far more processors without SGX support than with it. Intel SGX is particularly scarce in multi-socket configurations, which are very common in cloud services and data centers.
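Whether a given processor supports SGX at all, and how much enclave memory it offers, is something a host can report about itself. As an added example that is not part of the original post, the following C program decodes the CPUID leaves through which an x86 processor reports SGX support and the size of its enclave page cache (EPC); the bit positions come from Intel's CPUID documentation, while the `sgx_probe` helper and the constructed register values in the comments are my own.

```c
/* Added example (not code from the original post): decode the CPUID leaves through which an
 * x86 processor reports Intel SGX support and its enclave page cache (EPC) size. Bit positions
 * follow Intel's CPUID documentation for leaf 7 and leaf 0x12. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang intrinsics: __get_cpuid_max, __cpuid_count */
#endif
struct sgx_caps { int sgx1, sgx2; uint64_t epc_bytes; };
/* Pure decoders, so they can be checked against constructed register images. */
int sgx_cpuid_has_sgx(uint32_t ebx7)  { return (ebx7 >> 2) & 1; }   /* CPUID.(7,0):EBX[2]    */
int sgx_cpuid_sgx1(uint32_t eax12)    { return eax12 & 1; }         /* CPUID.(0x12,0):EAX[0] */
int sgx_cpuid_sgx2(uint32_t eax12)    { return (eax12 >> 1) & 1; }  /* CPUID.(0x12,0):EAX[1] */

/* CPUID.(0x12,n>=2) enumerates EPC sections: EAX[3:0]==1 marks a valid section,
 * ECX[31:12] and EDX[19:0] carry bits 31:12 and 51:32 of its size in bytes. */
uint64_t sgx_epc_section_size(uint32_t eax, uint32_t ecx, uint32_t edx) {
    if ((eax & 0xfu) != 1) return 0;
    return ((uint64_t)(edx & 0xfffffu) << 32) | (ecx & 0xfffff000u);
}

/* Live probe: returns 1 and fills *c when CPUID reports SGX, otherwise 0 (also on non-x86). */
int sgx_probe(struct sgx_caps *c) {
    *c = (struct sgx_caps){0};
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, cx, d;
    if (__get_cpuid_max(0, NULL) >= 0x12) {
        __cpuid_count(7, 0, a, b, cx, d);
        if (!sgx_cpuid_has_sgx(b)) return 0;
        __cpuid_count(0x12, 0, a, b, cx, d);
        c->sgx1 = sgx_cpuid_sgx1(a);
        c->sgx2 = sgx_cpuid_sgx2(a);
        for (uint32_t sub = 2; ; sub++) {      /* section list ends at the first invalid sub-leaf */
            __cpuid_count(0x12, sub, a, b, cx, d);
            uint64_t size = sgx_epc_section_size(a, cx, d);
            if (size == 0) break;
            c->epc_bytes += size;
        }
        return 1;
    }
#endif
    return 0;
}

int main(void) {
    struct sgx_caps c;
    if (!sgx_probe(&c)) { puts("CPUID does not report SGX on this host"); return 1; }
    printf("SGX1=%d SGX2=%d EPC=%llu MiB\n", c.sgx1, c.sgx2, (unsigned long long)(c.epc_bytes >> 20));
    return 0;
}
```

CPUID only says whether the silicon has SGX; whether firmware has actually enabled it is a separate question, which on Linux shows up as the `sgx` flag being present or absent in /proc/cpuinfo.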

The solution came from an unexpected direction. Intel has a device called the Intel Visual Compute Accelerator (VCA), which we briefly talked about earlier. It is a specialized accelerator for media processing workloads and in fact a full-fledged server in the form factor of a PCIe x16 card; its characteristics are given in the post linked above. The VCA was taken as the basis, and after some modifications (disabling the graphics core, tuning the security features, and so on) it became the Intel SGX Card: a card with three processors that support Intel Software Guard Extensions and take over all interaction with SGX enclaves, so the host system no longer needs to support SGX itself.
The card can also take over resource-intensive workloads that require additional protection. A standard 2U server platform based on Intel Xeon Scalable accepts up to four PCIe x16 cards, so up to 12 processors on a single server can work with sensitive data. As the figure above shows, application environments become more comfortable and flexible to configure: applications have at their disposal both protected and ordinary memory areas, processor cores with and without SGX support, and so on.
The Intel SGX Card is a way for a variety of digital service providers to prepare their infrastructure for Intel Software Guard Extensions without waiting for the release of Intel Xeon Scalable processors with support for this technology. Perhaps it will be useful to someone.