Intel SGX, runtime example ① Application 1. App is built with trusted and untrusted parts Untrusted Part Trusted Part of App of App Call Gate 2. App create enclave, enclave is a memory ared protected by CPU, and OS is blind for it, privileged Process software cannot access it 2 Create Enclave 3. App call trusted part, and run in protected security environment CallTrusted0 Return (5 4. Data in enclave is plaintext, cannot be accessed from outside, and will be encrypted once move out enclave Privileged system Code 5. App finished task in enclave and return OS, VMM, BIOS, SMM App runs in common environmentIntel SGX, runtime example 1. App is built with trusted and untrusted parts 2. App create enclave, enclave is a memory area protected by CPU, and OS is blind for it, privileged software cannot access it. 3. App call trusted part, and run in protected security environment 4. Data in enclave is plaintext, cannot be accessed from outside, and will be encrypted once move out enclave 5. App finished task in enclave and return 6. App runs in common environment