Intel SGX, isolated execution System Memory CPU Package Enclave ype》 Access from nci OS/VMM Encryption f Snooping le/data Engine(MEE Application keeps its data/code inside the enclave Smallest attack surface by reducing TCB(App+ processor Protect app's secret from untrusted privilege software(e.g, OS, VMM)Intel SGX, isolated execution • Application keeps its data/code inside the “enclave” • Smallest attack surface by reducing TCB (App + processor) • Protect app’s secret from untrusted privilege software (e.g., OS, VMM) CPU Package System Memory Enclave Memory Encryption Engine (MEE) Snooping Access from Encrypted OS/VMM code/data