Intel SGX2 / Enclave Dynamic Memory Management Patches Posted For Linux

While Intel's Software Guard Extensions (SGX) functionality has been present in CPUs going back to Skylake, it took until last year with Linux 5.11 for SGX support to finally be mainlined and required more than 40 rounds of review/revisions. Finally today Intel posted patches for bringing up SGX2 as the next iteration of Software Guard Extensions and already found in shipping processors.

Intel SGX is about defining private memory regions "enclaves" that are encrypted and cannot be read/used by any other processes or the host. SGX can be used for some interesting secure computing scenarios but the belated kernel support as well as various possible security vulnerabilities / attacks have rather limited its scope so far. Earlier this year building off the prior SGX support in Linux 5.11, SGX was brought for KVM guest support in v5.13.

Posted today were patches for bringing up SGX2 support in the Linux kernel. Software Guard Extensions 2 was introduced with Gemini Lake processors but apparently also supported by Ice Lake, both client and Xeon Scalable parts, and should also mean Tiger Lake and other new processors too. Intel hasn't had a convenient list of SGX1 vs. SGX2 SKUs and even the GitHub cited in today's patch series only makes mention of Gemini Lake. Meanwhile even this Intel.com page just notes Ice Lake and Gemini Lake while stating "there is no single list of processors or systems that support SGX2." Further complicating the situation is SGX support being needed to be supported from the BIOS / system vendor side as well.

With SGX2 there is the ability to modify permissions of regular enclave pages belonging to an enclave, support for the dynamic addition of regular enclave pages to an enclave, support for removing pages from an enclave, and expanding an enclave to allow for more threads. All of these are useful additions for Software Guard Extensions. With the features primarily around expanded page handling for enclaves, SGX2 is also referred to as Enclave Dynamic Memory Management (EDMM).

These 25 patches mailed out today altering 2.6k lines of kernel code get the SGX2 support in place. The patch message does note that no further changes are needed for handling SGX2 in a virtualized environment beyond the initial SGX enablement.

Here's to hoping it won't take nearly as many rounds of review for upstreaming SGX2 support as it did for SGX(1), which it shouldn't now that the base enclave support is in place, so hopefully will reach a mainline kernel in the not too distant future.