To keep data and logic protected, Confidential Computing relies on Trusted Execution Environments (TEEs) capable of providing the following guarantees:
- Data integrity
- Data confidentiality
- Code integrity
- Code confidentiality
The TEE will ensure the logic and data being computed on can't normally be accessed by anyone nor be tampered with.
Data going in and out of the TEE is end-to-end encrypted, from the data owner's system to the library responsible for computing it. The logic loaded onto the TEE can't be tampered with, meaning that the data will only be used according the algorithms in the library.
The library loaded onto the TEE is often referred to as an enclave. On hardware-based TEEs, as is the case of Intel SGX CPUs, enclaves are loaded into Processor Reserved Memory (PRM) that is encrypted using a key only known to the hardware. A secure channel can be established between remote clients and the enclave, so data and computation results can be exchanged. The operating system, high privileged users or even system administrators with physical access to the hardware can't normally see the data nor tamper with the logic.
Fig. 1 - Diagram of end-to-end communication between a data owner and an enclave.
TEEs provide proof of which library has been loaded onto it and clients communicating with it can follow the attestation process to verify such proof. The attestation process also provides evidence that the logic is indeed loaded onto a genuine TEE and whether the platform is up-to-date and contains mitigations for known vulnerabilities.
When vulnerabilities are discovered and mitigated, systems relying on TEEs need to be updated. The mitigations may require firmware upgrades, enclave libraries to be updated or changes to configuration options. This process is often referred to as Trusted Computing Base Recovery (TCB recovery).
During the manufacturing process of Intel SGX devices, two keys are fused to the hardware: a Root Provisioning Key (RPK) and a Root Sealing Key (RSK).
This is a randomly generated key meant to identify each Intel SGX device. Intel is responsible for the safe keeping of all generated keys as they will be part of the attestation process to prove the genuineness of each SGX CPU.
Similar to the RPK, this is a randomly generated key unique per SGX device, but, unlike the RPK, the Root Sealing Key is only known to the CPU. Intel is responsible for erasing any traces of the generation of this key.
Root keys are only accessible to platform enclaves which can derive keys from them to sign data structures involved in the attestation process. They are also used for Sealing and other key derivations accessible by enclaves.
An enclave is a statically linked library containing the logic to process data. It's dynamically linked to a regular user space process running on unencrypted memory managed by the operating system. The process is responsible for creating the enclave by communicating with the hardware, via runtime libraries and drivers, requesting the CPU to load the enclave onto its protected memory.
An enclave identity is composed of several properties:
- Product ID
- Security version number
- Security options and attributes.
MRENCLAVE, or enclave measurement, is a hash measurement of the logic, initial heap and initial stack. It identifies the enclave's contents but does not reflect all attributes and security options.
MRSIGNER is a hash measurement which identifies the key used to sign of the enclave.
Product ID is a value which can be used to identify a software vendor's product and can also be used in the derivation of some keys.
Security Version Number is a value which can be used to identify new versions of a product due to security updates and can be used in key derivation.
Security options and attributes identify features and protections, such as whether the enclave has been loaded in debug mode.
No computer system can be absolutely secure.