Intel Secure Guard Extensions Published For The Linux Kernel (SGX)
Intel is finally offering up a kernel driver it's seeking to mainline for providing support for Secure Guard Extensions (SGX).
SGX is found on select sixth generation Core CPUs (Skylake) and is a new security feature that many were excited about at first but has since been less promoted and some not liking the final design. SGX aims to fend against software attacks from any privilege level and against various hardware-based attack vectors. Intel OTC's Jarkko Sakkinen who has been working on the Linux SGX driver describes it as, " Intel SGX is a set of CPU instructions that can be used by applications to set aside private regions of code and data. The code outside the enclave is disallowed to access the memory inside the enclave by the CPU access control. The firmware uses PRMRR registers to reserve an area of physical memory called Enclave Page Cache (EPC). There is a hardware unit in the processor called Memory Encryption Engine. The MEE encrypts and decrypts the EPC pages as they enter and leave the processor package."
If this is your first time hearing about Secure Guard Extensions, you can find out more via Intel.com or a quick overview via Wikipedia. You can find out if your CPU supports SGX via the sgx identifier in /proc/cpuinfo.
The Secure Guard Extensions support for the Linux kernel can be found via the Linux kernel mailing list where it's implemented across six patches with the new intel_sgx driver being proposed for the kernel's staging area and tacks on just over three thousand lines of new code.