⚙️
Morphisms: Confidential Serverless Containers
  • Introduction
  • Preliminaries
    • What is Confidential Computing?
      • Threat Model
      • Intel SGX
        • Threat Model
        • Memory Layout
        • Memory encryption
        • Enclave Lifecycle
        • Entering and Exiting an Enclave
        • Measurement
        • Certificate
        • Key Derivation
        • Attestation
        • Gramine
        • SGX2
        • Secret Key Provisioning
      • AMD SEV-SNP
        • Encrypted CPU Registers
        • Memory encryption
        • Secure Nested Paging
        • Virtual Machine Privilege Levels (VMPL's)
        • Cryptographic Keys
        • Secret Key Provisioning
        • Guest Deployment
    • Serverless (FaaS)
      • Knative
  • Confidential Serverless Containers
    • Introduction
    • Intel SGX
      • Threat Model
      • Remote attestation verification
      • Secure Storage
        • HashiCorp's Vault
      • Architecture
        • Confidential Knative
        • Certificates
        • Session Management
      • Confidential Container Configuration
    • AMD SEV-SNP
      • Threat Model
      • Architecture
        • Network communication
        • KMS
        • Updates
        • Key rotation
      • Design Decision
  • Benchmarks
    • Hardware
    • Results
    • Architecture Comparison
  • Getting Started
    • FAQ
    • Intel SGX
    • AMD SEV-SNP
  • Glossary
    • SGX Glossary
    • AMD SEV-SNP Glossary
Powered by GitBook
On this page
  1. Preliminaries
  2. What is Confidential Computing?
  3. Intel SGX

Memory encryption

SGX1 uses the legacy Memory Encryption Engine (MEE) and SGX2 uses Multi-Key Total Memory Encryption (MKTME). SGX2 is used in the main part of the thesis, so only MKTME is explained here.

MKTME extends Total Memory Encryption (TME) by adding support for multiple keys. It is included in Intel's system-on-chip (SoC) solution. All keys for MKTME are generated by a hardware random number generator and are read-protected from software and external SoC interfaces. Software-provided keys are also supported, but are not relevant for this thesis. The used encryption engines use AES in XTS mode for data encryption. AES XTS is a NIST standardized mode specifically designed for data-at-rest encryption. By being in the direct path from the SoC to each external memory bus, it is able to encrypt all memory quickly and efficiently, ensuring that no unencrypted memory leaves the SoC.

Each key has an identifier called the Host Key ID (HKID). HKID's and the corresponding private keys are stored in a Key Encryption Table (KET) managed by the specific encryption engine. MKTME allows pages to be encrypted using different keys. To make this work, the first bits of each physical address are used to indicate the encryption key to the encryption engines.

Currently there are no details available on the integration of SGX2 with MKTME, but every enclave must have it's own HKID associated with it, which can't be used by other enclaves.

PreviousMemory LayoutNextEnclave Lifecycle

Last updated 1 year ago