Intel: Let's talk about SGX, baby. Let's talk about 2U and me. Let's talk about all the good things, and the bad... Intel is touting a PCIe card packed with SGX tech to plug into servers in time for next week's RSA conference in San Francisco. Chipzilla's chunky add-on is aimed at cloud and data-center machines missing SGX (Software Guard Extensions) so that applications running on the boxes can use the technology. SGX allows program to run …
Can someone explain the point of SGX? I’m sure there is probably some cloudy explanation for it, but from where I’m sitting, the only people looking to run code in ways invisible to the rest of system are malware authors. Maybe DRM too, but as far as I’m concerned that pretty much falls under the definition of malware, as code that is serving no conceivable benefit to the user who is (normally unwittingly) running it.
On client machines, DRM and cryptography. For servers, allowing you to upload code to run in an enclave in the cloud using remote attestation to prove the software hasn't been meddled with in transit or prior to execution.
That % SGX working as expected and intended.
C.
(See the 'read more' article in the piece on how SGX can be abused.)
The idea is to put your decryption code in the enclave and then then send encrypted text and a description of the operation you want to perform to the enclave.
The unencrypted data never leaves the enclave, not even the hypervisor sees the unencrypted data.
E.g. to search encrypted data in sql server
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sqlallproducts-allversions
What I do not get is how you get the decryption keys into the enclave securely!
"The client driver sends the column encryption keys required for the operations to the secure enclave (over a secure channel)."
What secure channel which the hypervisor cannot see? Hmmm..
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
