27th Time The Charm? Intel SGX Enclaves Support For Linux Revved Again

For four years we have been seeing Intel Secure Guard Extensions (SGX) bring-up for the Linux kernel and that work continues with the Intel SGX Enclaves support now having been sent out for review twenty-seven times as it tries to work its way towards the mainline Linux kernel.

Every few weeks/months we see new rounds of Intel SGX Linux patches and this weekend hit their v27 revision for review. This work on the Secure Guard Extensions subsystem for the Linux kernel is about providing hardware-protected, encrypted memory regions with SGX enclaves. Intel SGX with Memory Encryption Engines have been supported since Skylake CPUs but has taken quite a while to get the Linux support squared away given the areas of the kernel it touches.

Intel Software Guard eXtensions (SGX) is a set of CPU instructions that can be used by applications to set aside private regions of code and data. The code outside the SGX hosted software entity is disallowed to access the memory inside the enclave enforced by the CPU. We call these entities as enclaves.

This commit implements a driver that provides an ioctl API to construct and run enclaves. Enclaves are constructed from pages residing in reserved physical memory areas. The contents of these pages can only be accessed when they are mapped as part of an enclave, by a hardware thread running inside the enclave.

In the recent revisions to the SGX foundations support the changes have been lightening up that give us hope the SGX bits could be mainlined in the near future unless upstream developers uncover any other issues they would like to see addressed with this Intel security feature.

In any case, for those wanting to try it the v27 patches are out there.