Simon Johnson, Snr Principal Engineer, SGX Program Architect
Legal Disclaimer
Intel provides these materials as-is, with no express or implied warranties.
All products, dates, and figures specified are preliminary, based on current expectations, and are subject to change without notice.
Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.
Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.
Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.
*Other names and brands may be claimed as the property of others.
© Intel Corporation
Legal Disclaimer
This presentation contains the general insights and opinions of Intel Corporation (“Intel”). The information in this presentation is provided for information only and is not to be relied upon for any other purpose than educational. Use at your own risk! Intel accepts no duty to update this presentation based on more current information. Intel is not liable for any damages, direct or indirect, consequential or otherwise, that may arise, directly or indirectly, from the use or misuse of the information in this presentation.
No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
Agenda
Confidential Compute Eco-system
Confidential Compute HW needs
Attestation
Future Challenges
How SW Ecosystems Develop
[Figure: chart with axes "Developer Reach" and "Abstraction". Developer tiers: HW & Low-level experts; 300 level domain experts; 100-300 level domain experts; Domain Abstraction experts; New Paradigms. Example technologies: Vector ISA; Shader Kernel / Assembly; OpenGL / DirectX; CUDA / OpenCL; OpenVino / TensorFlow / PyTorch. Legend: Well established; In development; In planning.]
Maximizing Developer Community delivers best Return on Investment
SGX Ecosystem: Publicly Announced SDKs
▪ Intel SGX SDK 1.0 Windows: 2014
▪ Google Asylo: May 2018
▪ Microsoft Open Enclave: Sept 2018
▪ Enclave Development Platform: March 2019
▪ Graphene-SGX: July 2017
▪ Baidu Rust: May 2018
▪ Intel SGX SDK 1.0 for Linux: 2016
▪ Cryptsoft KMIP SDK Linux: Nov 2017
▪ Graphene-SGX Stable: 2H 2019
▪ Mesa TEE: mid 2018
How the SGX Ecosystem is developing
[Figure: chart with axes "Developer Reach" and "Abstraction". Developer tiers: HW & Low-level experts; 300 level domain experts; 100-300 level domain experts; Domain Abstraction experts; New Paradigms. SGX ecosystem entries: SGX ISA; SGX SDK; Fortanix EKMS, Baidu RUST SDK; Sawtooth, POET, R3 (Blockchain); Fortanix ERS, Graphene, Scone, SGX-LKL; Confidential Computing. Legend: Well established; In development.]
NOW…. NEXT…. FUTURE!
[Figure: progression of application models. Labels: Legacy app (modules); App, SGX enclave, SDK; SGX, App, Container, LibOS/UniKernel; "?".]
Today you can build your own apps using the SDK… best TCB requires some expertise
Fully Containerized apps based on LibOS concepts and Unikernel concepts
Isolated containerization of apps is fast gaining traction
Let’s talk about this a little later…
A community focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration.
confidentialcomputing.io
CCC: Mission and Goals
Confidential computing enables new public cloud scenarios (e.g., migrating extremely sensitive data to the cloud, and enabling multi-party sharing scenarios that have been difficult to build due to privacy, security, and regulatory requirements).
The Confidential Computing Consortium is the platform through which partners will invest across the value chain to allow customers to realize this vision. The Consortium will:
1. Define confidential computing and accelerate acceptance and adoption in the market.
2. Develop enterprise-grade building blocks (e.g., specifications and open source licensed projects) with the latest technologies to enable easy development and management of enterprise-grade confidential compute applications.
3. Define foundational services and frameworks that are confidential-aware and minimize the need for trust.
Potential Confidential Compute Use cases
Secure Native Application Hosting
Trusted Multi-party Compute
Federated Learning
Cloud Infrastructure
Secure Database
Crypto Key Management
Secure Networking
Accelerated Secure Compute
orchestrator
HW Needs to Deliver Scale
SGX was introduced on 6th Generation Intel® Core™ (Skylake); feedback since then includes:
▪ enable 3rd party attestation services
– DCAP
▪ provide flexible approach to control which applications can run
– Flex Launch Control
▪ provide more memory with protection features
– Increasing memory sizes
▪ provide additional key separation mechanisms
– New Key Separation and Sharing capability
▪ multi-socket CPU support
Overview of Intel® SGX DCAP
Manufacturing puts unique HW keys into each device and issues certificates for signing keys derived from those HW keys.
New Provisioning Certification Enclave (PCE) uses the signing keys to issue “certificates” for attestation keys generated by Quoting Enclaves.
New Quoting Enclave generates attestation key locally and retrieves a “certificate” from PCE.
Quotes are signed by attestation key and include attestation key’s certificate.
Attestation Verifier inspects certificate chain rooted in device/platform certs and TCB Info.
[Figure: DCAP flow in three steps: 1) PCK Cert & TCB Info Distribution; 2) Quote Generation; 3) Quote & TCB Verification. Labels: Intel® Key Generation and Manufacturing; Root Keys in HW; Device/Platform Certificates; Platform; App; Application Enclave; Prov Certification Enclave; Provisioning Cert Key; Quoting Enclave; Attestation Key; PCK signed cert; Attest Key Cert (PCK Signed); Quote (Attest Key Signed); Attestation Verifier; PCK Certificates, CRLs, and TCB Info.]
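The chain of trust on this slide, as an added Go example that is not Intel's DCAP code: it uses ECDSA signatures like the ECDSA quote libraries named in the deck, and walks root, PCK, attestation key and report before applying a TCB minimum. The `Signed` and `Quote` structures, the P-256 curve choice, the one-byte TCB SVN and every function name are simplifying assumptions that stand in for X.509 PCK certificates, the binary quote format and TCB Info.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Signed is a toy certificate (body + ECDSA P-256 signature). Quote is the chain:
// PCKCert = TCB SVN byte + PCK key (root-signed), AttKeyCert (PCK-signed), Report.
type Signed struct{ Body, Sig []byte }
type Quote struct{ PCKCert, AttKeyCert, Report Signed }

func newKey() (*ecdsa.PrivateKey, []byte) { // errors here imply a broken RNG
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return k, der
}

func sign(k *ecdsa.PrivateKey, body []byte) Signed {
	h := sha256.Sum256(body)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return Signed{body, sig}
}

func signedBy(signerDER []byte, s Signed) bool { // check s under the signer's DER key
	p, err := x509.ParsePKIXPublicKey(signerDER)
	pub, ok := p.(*ecdsa.PublicKey)
	h := sha256.Sum256(s.Body)
	return err == nil && ok && ecdsa.VerifyASN1(pub, h[:], s.Sig)
}

// MakeQuote plays manufacturing, the PCE and the QE for one constructed platform.
func MakeQuote(root *ecdsa.PrivateKey, tcbSVN byte, report []byte) Quote {
	pck, pckDER := newKey()
	att, attDER := newKey()
	return Quote{sign(root, append([]byte{tcbSVN}, pckDER...)), sign(pck, attDER), sign(att, report)}
}

// VerifyQuote walks root -> PCK -> attestation key -> report, then checks the TCB.
func VerifyQuote(rootDER []byte, q Quote, minSVN byte) ([]byte, error) {
	if len(q.PCKCert.Body) < 2 || !signedBy(rootDER, q.PCKCert) ||
		!signedBy(q.PCKCert.Body[1:], q.AttKeyCert) || !signedBy(q.AttKeyCert.Body, q.Report) {
		return nil, fmt.Errorf("signature chain does not reach the trusted root")
	}
	if q.PCKCert.Body[0] < minSVN { // stand-in for the TCB Info comparison
		return nil, fmt.Errorf("platform TCB SVN %d below required %d", q.PCKCert.Body[0], minSVN)
	}
	return q.Report.Body, nil
}

func main() {
	root, rootDER := newKey()
	_, err := VerifyQuote(rootDER, MakeQuote(root, 7, []byte("constructed report")), 5)
	fmt.Println("verification error:", err)
}
```

The TCB comparison runs only after the signatures verify, so the SVN it reads is one the root actually vouched for.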
Platform Certification Key (PCK) Certificate Retrieval
[Figure: deployment diagram divided into Internet, Local Network and Platform zones. Components: Intel® SGX Provisioning Certification Service; Proxy - Gateway; Datacenter Caching Service; Intel® SGX Capable Platform; PCK Certificate ID Retrieval Tool; Platform Deployment Pipeline; Production Pipeline. Data labels: PCK Certification IDs; PCK, CRLs, TCB Info, QE Identity; Cached PCK, CRLs, TCB Info, QE Identity. Component Owner legend: Intel® DCAP Collateral; Datacenter / CSP; Platform Tenant.]
Quote Generation
[Figure: deployment diagram divided into Internet, Local Network and Platform zones. Components: Intel® SGX Provisioning Certification Service; Proxy - Gateway; Datacenter Caching Service; Intel® SGX Capable Platform; PCK Certificate ID Retrieval Tool; Intel® SGX Capable Platform or VM; Intel® SGX Driver; ECDSA Quote Gen Lib; ECDSA Quote Prov. Lib; App Enclave; Attestation Key; Platform Deployment Pipeline; Production Pipeline. Data labels: PCK Certification IDs; PCK, CRLs, TCB Info, QE Identity; Cached PCK, CRLs, TCB Info, QE Identity; Quote. Component Owner legend: Intel® DCAP Collateral; Datacenter / CSP; Platform Tenant.]
Quote & TCB Verification
[Figure: deployment diagram divided into Internet, Local Network and Platform zones. Components: Intel® SGX Provisioning Certification Service; Proxy - Gateway; Datacenter Caching Service; Datacenter Attestation Service; Quote Verification Library; Intel® SGX Capable Platform; PCK Certificate ID Retrieval Tool; Intel® SGX Capable Platform or VM; Intel® SGX Driver; ECDSA Quote Gen Lib; ECDSA Quote Prov. Lib; App Enclave; Attestation Key; Platform Deployment Pipeline; Production Pipeline. Data labels: PCK Certification IDs; PCK, CRLs, TCB Info, QE Identity; Cached PCK, CRLs, TCB Info, QE Identity; Quote. Component Owner legend: Intel® DCAP Collateral; Datacenter / CSP; Platform Tenant.]
Quote & TCB Verification
[Figure: deployment diagram divided into Internet, Local Network and Platform zones. Components: Intel® SGX Provisioning Certification Service; Proxy - Gateway; Datacenter Caching Service; Datacenter Attestation Service; Quote Verification Enclave (New); Intel® SGX Capable Platform; PCK Certificate ID Retrieval Tool; Intel® SGX Capable Platform or VM; Intel® SGX Driver; ECDSA Quote Gen Lib; ECDSA Quote Prov. Lib; App Enclave; Attestation Key; Platform Deployment Pipeline; Production Pipeline. Data labels: PCK Certification IDs; PCK, CRLs, TCB Info, QE Identity; Cached PCK, CRLs, TCB Info, QE Identity; Quote. Component Owner legend: Intel® DCAP Collateral; Datacenter / CSP; Platform Tenant.]
DCAP 1.3 Enhancements
Intel SGX Provisioning Certificate Service (PCS) v2
– Identifies which CVEs are addressed by each new TCB
Intel SGX ECDSA DCAP Quote Verification Library - New
– Supports new v2 verification
– API supports enclave based verification and untrusted verification
– API supports applying a 3rd party quote verification policy
– Intel signed Quote Verification Enclave (QVE)
– Incorporates new Quote Verification Library
– Keeps 3rd party verifiers out of the SGX Attestation TCB
– Released with existing DCAP packages.
Multi-Package SGX
Application Isolation through changes in memory architecture & SGX ISA
▪ Launch Control
▪ Enhanced Key Separation
▪ Enclave Dynamic Memory Management
Lots of Protected Memory
Multiple devices, Single Keying Hierarchy
▪ Seal Keys
▪ Attestation Keys & 3rd Party Service
Encryption between packages
[Figure: CPU A and CPU B, each with Device Keys and Platform Keys, connected over UPI. Other labels: Coherent System Memory; Encrypted Memory; Sealed User Data.]
Key Separation and Sharing
Enclaves that load additional logic have keys based only on the loader code.
▪ Example: Java, JS, C#, Python enclaves
ConfigID allows Enclave Creator to specify an immutable value which can be bound to the additional content
Allows different keys to be created for enclave instances
[Figure: Key Separation. Without ConfigID: Runtime Enclave + Applet 1 and Runtime Enclave + Applet 2 get the Same Seal Key. With ConfigID: Runtime Enclave + Applet 1 and Runtime Enclave + Applet 2 get Different Seal Keys.]
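A toy model of the key separation on this slide, added here and not taken from the SGX SDK or hardware: HMAC-SHA256 over a constructed device secret stands in for the hardware key derivation, and using the applet's SHA-512 digest as ConfigID is an assumed binding convention. It also covers an enclave that sets ConfigID while its key request leaves it out, which falls back to the shared key.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
)

// Enclave holds the identity inputs to this toy seal-key derivation.
type Enclave struct {
	MRENCLAVE [32]byte // measurement of the runtime (loader) code only
	ConfigID  [64]byte // immutable value chosen by the enclave creator
}

// Launch measures the runtime and, when bind is true, sets ConfigID to the
// SHA-512 of the applet to be loaded (an assumed binding convention).
func Launch(runtime, applet []byte, bind bool) Enclave {
	e := Enclave{MRENCLAVE: sha256.Sum256(runtime)}
	if bind {
		e.ConfigID = sha512.Sum512(applet)
	}
	return e
}

// SealKey derives a key from a per-device secret and the enclave identity.
// HMAC-SHA256 stands in for the hardware derivation; useConfigID models a key
// request that asks for ConfigID to be mixed in.
func SealKey(deviceKey []byte, e Enclave, useConfigID bool) []byte {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write(e.MRENCLAVE[:])
	if useConfigID {
		mac.Write(e.ConfigID[:])
	}
	return mac.Sum(nil)
}

// SharedKey reports whether two applets hosted by the same runtime enclave on
// the same device end up with the same seal key.
func SharedKey(applet1, applet2 []byte, bind, useConfigID bool) bool {
	dev := []byte("constructed per-device secret")
	rt := []byte("constructed runtime enclave image")
	k1 := SealKey(dev, Launch(rt, applet1, bind), useConfigID)
	k2 := SealKey(dev, Launch(rt, applet2, bind), useConfigID)
	return bytes.Equal(k1, k2)
}

func main() {
	a1, a2 := []byte("applet 1 bytecode"), []byte("applet 2 bytecode")
	fmt.Println("no ConfigID, shared key:   ", SharedKey(a1, a2, false, false))
	fmt.Println("ConfigID bound, shared key:", SharedKey(a1, a2, true, true))
	fmt.Println("bound but not requested:   ", SharedKey(a1, a2, true, false))
}
```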
Extending Attestation to Multi-Socket Servers
To extend the architectural model from single to multiple sockets:
▪ Provide software with consistent user keys across all sockets (e.g., Seal keys).
▪ Establish attestation keys that represent the entire platform.
Intel® SGX Multi-socket extensions result in standard DCAP PCK certificates, enabling DCAP software and infrastructure reuse.
[Figure: DCAP flow with multi-socket changes marked. Labels: SGX MP PCK Service Enhancements; SGX MP Enhancements; Platform; App; Application Enclave; Prov Certification Enclave; Provisioning Cert Key; Quoting Enclave; Attestation Key; PCK signed cert; Attest Key Cert (PCK Signed); Quote (Attest Key Signed); DCAP Attestation Verifier; PCK Certificates, CRLs, and TCB Info.]
NOW…. NEXT…. FUTURE!
[Figure: progression of application models. Labels: Legacy app (modules); App, SGX enclave, SDK; SGX, App, Container, LibOS/UniKernel; Business Logic Layer, App, Matrix / Vector / Spatial / Scalar.]
Today you can build your own apps using the SDK… best TCB requires some expertise
Fully Containerized apps based on LibOS concepts and Unikernel concepts
Isolated containerization of apps is fast gaining traction
Frameworks that allow the programmer to concentrate on the business logic and automate more protection of their code no matter where it runs
Future Generation Challenges
Frameworks building out trust when CSP compiles and distributes code
▪ How do you convey trust?
▪ How do you compose multiple TEEs?
▪ Can you attest these types of environments?
Dealing with Attestation at Scale
▪ Multiple TCBs in the cloud/across clouds
▪ Multi-TEE environments w/ differing properties
Summary
Confidential Compute Eco-system
▪ Creation of Confidential Compute Consortia
Confidential Compute HW needs
▪ Expansion from single socket to multi-socket systems
Attestation
▪ DCAP for 3rd party services
Future Challenges
▪ Composability of TEEs
▪ Attestation at Scale