SGX, which stands for Software Guard Extension, is a new feature in Intel recent Skylake CPUs.

As its name suggests, this feature come in to protect the data shared by software by the CPU itself!

If software and hardware could be ‘sealed’, to prevent an attacker from directly accessing data in memory (RAM), then even with administrator level privileges , the confidentiality and integrity of data in would be protected, as well as the algorithms and design of the applications could also be hidden. 

Don’t mind if you didn’t fully catch the previous paragraph!

Look at this top design! 


How can you do that?!

The answer is rather simple :

        SGX Enclave!

It is an encrypted region in the memory (RAM) which could be decrypted only inside the processor.

Inside an  enclave there is the software’s code, data, and stack which are protected by hardware that prevent attacks against the enclave’s content.


  1. Create an App!  could be your everyday ‘Hello World!‘ code or a laser rocket propeller controller Object-Oriented type stuff!!
  2. A certificate for your App: this is vital to communicate with SGX Enclave.
  3. Upload your App to a loader.
  4. Create an Enclave –
         more technical details are to follow, with ** source code! ** 
  5. Allocate Enclave pages – let the CPU take care of that for you 🙂
  6. Make sure your App was loaded correctly!
  7. Validate certificate
  8. Generate a ‘K’ key!

This post is to get you warmed-up for the next technical hands-on post on Actually creating an Enclave with code demonstration!

Stay tuned!


  • Figures used in the post:
    A.-R. Sadeghi ©TU Darmstadt, 2007-2014 Slide Nr. 22, Lecture Embedded System Security, SS 2014
  • featured picture was made by Legato895 (DeviantArt)