|
| 1 | +--- |
| 2 | +title: Intel SGX Technology |
| 3 | +description: |
| 4 | + Learn about Intel Software Guard Extensions (SGX) - the first-generation TEE |
| 5 | + technology |
| 6 | +--- |
| 7 | + |
| 8 | +# 🛡️ Intel SGX Technology |
| 9 | + |
| 10 | +**Intel® Software Guard Extensions (Intel® SGX)** is the first-generation TEE |
| 11 | +technology that enables **Trusted Computing** and **Confidential Computing**. On |
| 12 | +the iExec platform, SGX is the **production-ready, widely-supported TEE |
| 13 | +technology** that powers secure, privacy-preserving applications in the |
| 14 | +decentralized cloud. |
| 15 | + |
| 16 | +## Why SGX Matters for iExec |
| 17 | + |
| 18 | +iExec has chosen SGX as its primary TEE technology because it provides the |
| 19 | +perfect balance of **security, stability, and accessibility** for decentralized |
| 20 | +computing: |
| 21 | + |
| 22 | +### 🔒 **Decentralized Security** |
| 23 | + |
| 24 | +- **Hardware-Level Protection**: SGX provides hardware-level security guarantees |
| 25 | + regardless of who owns the worker hardware |
| 26 | +- **Trust in Untrusted Environments**: Users can trust computation results even |
| 27 | + from unknown workers in the network |
| 28 | +- **Proof of Contribution**: SGX enables verifiable proof that computations were |
| 29 | + executed correctly |
| 30 | + |
| 31 | +### 💰 **Data Monetization Platform** |
| 32 | + |
| 33 | +- **Protected Data Processing**: Data owners can safely monetize their data |
| 34 | + without losing control |
| 35 | +- **Secure Computation**: Sensitive data remains encrypted during processing |
| 36 | +- **Access Control**: Fine-grained control over who can access and process data |
| 37 | + |
| 38 | +### 🌐 **Global Computing Network** |
| 39 | + |
| 40 | +- **Wide Worker Support**: SGX is supported by the majority of iExec workers |
| 41 | +- **Reliable Execution**: Production-ready technology with proven stability |
| 42 | +- **Cost-Effective**: Standard pricing due to wide availability |
| 43 | + |
| 44 | +## What is Intel SGX? |
| 45 | + |
| 46 | +[Intel® SGX](https://software.intel.com/en-us/sgx) is a technology that enables |
| 47 | +**Trusted Computing** and **Confidential Computing**. At its core, it relies on |
| 48 | +the creation of a special zone in the memory called an "enclave". This enclave |
| 49 | +can be considered as a vault, to which only the CPU can have access. Neither |
| 50 | +privileged access-levels such as root, nor the operating system itself is |
| 51 | +capable of inspecting the content of this region. The code, as well as the data |
| 52 | +inside the protected zone, is totally unreadable and unalterable from the |
| 53 | +outside. This guarantees non-disclosure of data as well as tamper-proof |
| 54 | +execution of the code. |
| 55 | + |
| 56 | +An application's code can be separated into "trusted" and "untrusted" parts |
| 57 | +where sensitive data is manipulated inside the protected area. |
| 58 | + |
| 59 | +## SGX: The "Application-Level" Security |
| 60 | + |
| 61 | +**Intel SGX** is like having a **small, specialized safe** inside your office |
| 62 | +for specific valuable items. It protects individual applications or parts of |
| 63 | +applications. |
| 64 | + |
| 65 | +### Key Characteristics |
| 66 | + |
| 67 | +- **Scope**: Protects specific parts of your application |
| 68 | +- **Memory**: Limited secure memory (like a small safe) |
| 69 | +- **Code Changes**: Requires significant modifications to your application |
| 70 | +- **Use Case**: Perfect for focused, lightweight applications |
| 71 | + |
| 72 | +**Analogy**: SGX is like installing a small, specialized safe inside your office |
| 73 | +for specific valuable items. |
| 74 | + |
| 75 | +### Visual Representation |
| 76 | + |
| 77 | +```mermaid |
| 78 | +graph TB |
| 79 | + OS[Operating System<br/>Can see everything] |
| 80 | + App[Regular Application<br/>Visible & Vulnerable] |
| 81 | + Enclave[🔒 SGX Enclave<br/>Protected] |
| 82 | + Data[Sensitive Code & Data<br/>Encrypted] |
| 83 | +
|
| 84 | + OS --> App |
| 85 | + App --> Enclave |
| 86 | + Enclave --> Data |
| 87 | +
|
| 88 | + style Enclave fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000 |
| 89 | + style Data fill:#ffffff,stroke:#00ff00,stroke-width:2px,color:#000000 |
| 90 | +``` |
| 91 | + |
| 92 | +## SGX Technology Details |
| 93 | + |
| 94 | +### How SGX Works |
| 95 | + |
| 96 | +1. **Enclave Creation**: SGX creates a secure memory region (enclave) that only |
| 97 | + the CPU can access |
| 98 | +2. **Code Isolation**: Sensitive code runs inside the enclave, isolated from the |
| 99 | + rest of the system |
| 100 | +3. **Memory Encryption**: All data in the enclave is automatically encrypted |
| 101 | +4. **Integrity Protection**: The enclave can prove it's running the correct, |
| 102 | + unmodified code |
| 103 | + |
| 104 | +### SGX Limitations |
| 105 | + |
| 106 | +With native Intel® SGX technology, the OS is not a part of the Trusted |
| 107 | +Computing Base (TCB), hence system calls and kernel services are not available |
| 108 | +from an Intel® SGX enclave. This can be limiting as the application will not be |
| 109 | +able to use File System and sockets directly from the code running inside the |
| 110 | +enclave. |
| 111 | + |
| 112 | +## SGX with iExec and Scone |
| 113 | + |
| 114 | +iExec has built a comprehensive SGX infrastructure that makes it easy for |
| 115 | +developers to create secure, privacy-preserving applications without deep SGX |
| 116 | +expertise. |
| 117 | + |
| 118 | +### iExec's SGX Infrastructure |
| 119 | + |
| 120 | +iExec provides a complete SGX ecosystem that includes: |
| 121 | + |
| 122 | +- **🔐 Secret Management Service (SMS)**: Secure storage for encryption keys and |
| 123 | + secrets |
| 124 | +- **🛡️ SGX Workers**: Computing nodes with SGX hardware support |
| 125 | +- **📋 Task Verification**: Proof of contribution system that verifies SGX |
| 126 | + execution |
| 127 | +- **🔗 Blockchain Integration**: Decentralized coordination and payment |
| 128 | +- **📦 Scone Framework**: High-level development framework for SGX applications |
| 129 | + |
| 130 | +### Why iExec Uses Scone |
| 131 | + |
| 132 | +To build Confidential Computing (TEE) applications with SGX, iExec uses the |
| 133 | +high-level **Scone framework** instead of requiring developers to manipulate the |
| 134 | +Intel® SGX SDK directly. |
| 135 | + |
| 136 | +#### Scone Framework Benefits |
| 137 | + |
| 138 | +At a high-level, Scone protects the confidentiality and integrity of the data |
| 139 | +and the code without needing to modify or recompile the application. The |
| 140 | +[Scone](https://scontain.com/) framework resolves the limitations of native SGX |
| 141 | +and reduces the burden of porting the application to Intel® SGX. |
| 142 | + |
| 143 | +#### How Scone Works |
| 144 | + |
| 145 | +More precisely, Scone provides a C standard library interface to container |
| 146 | +processes. System calls are executed outside of the enclave, but they are |
| 147 | +shielded by transparently encrypting/decrypting application data. Files stored |
| 148 | +outside of the enclave are therefore encrypted, and network communication is |
| 149 | +protected by Transport Layer Security (TLS). |
| 150 | + |
| 151 | +For a deeper understanding, you can have a look to the official |
| 152 | +[Scone documentation](https://sconedocs.github.io/). |
| 153 | + |
| 154 | +### iExec SGX Workflow |
| 155 | + |
| 156 | +```mermaid |
| 157 | +graph TD |
| 158 | + Dev[Developer] |
| 159 | + Build[Build with Scone] |
| 160 | + Deploy[Deploy to iExec] |
| 161 | + Worker[SGX Worker Selected] |
| 162 | + Enclave[SGX Enclave Created] |
| 163 | + Execute[Secure Execution] |
| 164 | + Proof[Proof of Contribution] |
| 165 | + Result[Results] |
| 166 | +
|
| 167 | + Dev --> Build |
| 168 | + Build --> Deploy |
| 169 | + Deploy --> Worker |
| 170 | + Worker --> Enclave |
| 171 | + Enclave --> Execute |
| 172 | + Execute --> Proof |
| 173 | + Proof --> Result |
| 174 | +
|
| 175 | + style Enclave fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000 |
| 176 | + style Execute fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000 |
| 177 | +``` |
| 178 | + |
| 179 | +## SGX Use Cases on iExec |
| 180 | + |
| 181 | +### Best For |
| 182 | + |
| 183 | +- ✅ **Production Applications**: SGX is production-ready and stable on iExec |
| 184 | +- ✅ **Lightweight Applications**: Perfect for focused, high-assurance modules |
| 185 | +- ✅ **Crypto Operations**: Wallets, cryptographic key operations |
| 186 | +- ✅ **Small AI Models**: Lightweight machine learning applications |
| 187 | +- ✅ **Maximum Compatibility**: Widely supported by iExec workers |
| 188 | + |
| 189 | +## When to Use SGX |
| 190 | + |
| 191 | +**SGX is ideal for**: |
| 192 | + |
| 193 | +- ✅ Building production applications |
| 194 | +- ✅ Need proven, stable technology |
| 195 | +- ✅ Working with lightweight applications |
| 196 | +- ✅ Require maximum worker availability |
| 197 | +- ✅ Need focused security for specific application parts |
| 198 | + |
| 199 | +## What's Next? |
| 200 | + |
| 201 | +**Learn about the next generation**: |
| 202 | + |
| 203 | +- **[Intel TDX Technology](/get-started/protocol/tee/intel-tdx)** - |
| 204 | + Next-generation VM-level TEE technology |
| 205 | +- **[SGX vs TDX Comparison](/get-started/protocol/tee/sgx-vs-tdx)** - Detailed |
| 206 | + comparison of both technologies |
| 207 | + |
| 208 | +**Ready to build with SGX?** Check out the practical guides: |
| 209 | + |
| 210 | +- **[Build & Deploy](/guides/build-iapp/build-&-deploy)** - Create your first |
| 211 | + SGX application |
| 212 | +- **[Advanced SGX Development](/guides/build-iapp/advanced/create-your-first-sgx-app)** - |
| 213 | + Deep dive into SGX development |
0 commit comments