
SGX Glossary

Intel Software Guard Extensions (SGX)

is Intel's technology for creating process-based TEEs.

Root Provisioning Key (RPK)

is randomly generated in a Hardware Security Module at a secure offline Intel facility and burned into the processor's fuses. Intel stores it in a secure database in order to recognize an SGX-capable CPU.

Root Sealing Key (RSK)

is generated inside the CPU by a hardware random number generator and is not known to Intel.

Processor Reserved Memory (PRM)

Only accessible by enclaves, and only when an enclave accesses its own memory. Every access is verified by the CPU.

Enclave Page Cache (EPC)

A 4 KB page inside the PRM that belongs to a single enclave.

Enclave Page Cache Map (EPCM)

Has an entry for each EPC page and stores a valid bit, the page type and the owning enclave.

SGX Enclave Control Structure (SECS)

Contains the measurements and attributes of an enclave.

Enclave Linear Address Range (ELRANGE)

A virtual address range in the address space of the host process where the enclave's code and data are stored.

Thread Control Structure (TCS)

Allows multiple threads to execute the same enclave code concurrently. Contains an instruction pointer.

State Save Area (SSA)

Stores the thread's execution context.

MRENCLAVE

The enclave's measurement, stored in the SECS.

MRSIGNER

SHA2-256 hash of the enclave author's public key, used to verify certificates.

Platform Provisioning ID (PPID)

A unique platform identifier.

Data Center Attestation Primitives (DCAP)

Intel's architecture for remote attestation in a cloud environment.

Inventory Management Service (IMS)

is used for DCAP in SGX. It stores the attestation identities (PPIDs) of all platforms in a cloud in encrypted form, keeps track of all attestation platforms in the cloud, and requests PCK certificates from Intel.

Quoting Enclave (QE)

is a CA signed by the PCK and signs the remote attestation reports of enclaves.

Provisioning Certification Key (PCK)

is a 256-bit ECDSA key on the NIST-standardized P-256 curve, used by the PCE.

Provisioning Certification Enclave (PCE)

is a local CA of an SGX-capable CPU that uses the Provisioning Certification Key (PCK) to issue certificates for Quoting Enclaves.

Security Version Number (SVN)

is incremented whenever a security update is released for a piece of software.


Last updated 1 year ago