The October 2014 manual from Intel on SGX is vague on many points. The good news is that Intel is disseminating information about their plans. The bad news, I think, is that the plans are not technically feasible.

The particular point that I want to criticize is the replay protection feature. Here is what I think it is for; the manual is vague. The plan is for a protection domain (enclave) on the Intel chip which includes cache but not RAM. Data in RAM would be encrypted by a symmetric key in the enclave. To include RAM in the domain would make the domain span multiple vendors. It would expose protected IP to attacks by those who would interpose their hardware between the Intel chip and the DIMM (RAM). Such an attack would respond to cache line reads by the Intel chip by presenting not the most recent version of the cache line but an older version, in hopes of confusing the application running in the enclave. This is a hard crypto problem which I think requires the hardware within the enclave to keep a serial number for each cached line value in the encrypted RAM. The serial number would be included in the integrity check to detect replay attacks. The size of the serial number is a severe trade-off problem between hardware cost and probability of detecting a substitution.
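Added example, not from Intel's manual or this site's other notes: a toy model of the serial-number scheme described above. Counters stay on-chip, ciphertext and tag go to untrusted RAM, and the tag covers the serial number, so a recorded line replayed by an interposer is rejected, unless the serial number has wrapped around since it was recorded, which is the size trade-off in concrete form. `SealedMemory`, `stale_line_accepted` and the hash-based key derivation are constructions for this illustration.

```python
import hmac, hashlib, os

class SealedMemory:
    """Toy model (not Intel's design): counters stay on-chip, ciphertext and tag go to untrusted RAM."""
    def __init__(self, nlines, counter_bits):
        self.key = os.urandom(32)              # never leaves the "enclave"
        self.counters = [0] * nlines           # trusted per-line serial numbers
        self.ram = {}                          # untrusted: addr -> (ciphertext, tag)
        self.mask = (1 << counter_bits) - 1    # serial number width: the cost/detection trade-off

    def _hdr(self, addr, ctr):
        return addr.to_bytes(4, "big") + ctr.to_bytes(8, "big")

    def _keystream(self, addr, ctr):           # per (line, serial number) keystream, 32 bytes
        return hashlib.sha256(self.key + self._hdr(addr, ctr)).digest()

    def _tag(self, addr, ctr, ct):             # integrity check binds address, serial number, ciphertext
        return hmac.new(self.key, self._hdr(addr, ctr) + ct, hashlib.sha256).digest()

    def write(self, addr, data):               # data: at most 32 bytes
        ctr = (self.counters[addr] + 1) & self.mask
        self.counters[addr] = ctr
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(addr, ctr)))
        self.ram[addr] = (ct, self._tag(addr, ctr, ct))

    def read(self, addr):
        ct, tag = self.ram[addr]
        ctr = self.counters[addr]              # the on-chip serial number is the reference, not RAM
        if not hmac.compare_digest(tag, self._tag(addr, ctr, ct)):
            raise ValueError("stale or forged line at %d" % addr)
        return bytes(a ^ b for a, b in zip(ct, self._keystream(addr, ctr)))

def stale_line_accepted(counter_bits, writes_after_snapshot):
    """Simulate an interposer that records a line and later presents it again.
    Returns True if the enclave accepts the old value, i.e. detection failed."""
    mem = SealedMemory(nlines=1, counter_bits=counter_bits)
    mem.write(0, b"old")
    snapshot = mem.ram[0]                      # constructed attacker: copy of the old line
    for _ in range(writes_after_snapshot):
        mem.write(0, b"new")
    mem.ram[0] = snapshot                      # old line returned on the memory bus
    try:
        return mem.read(0) == b"old"
    except ValueError:
        return False
```

With an 8-bit serial number the stale line is caught until exactly 256 intervening writes bring the counter back to its old value; a real design must size the counter against the write rate or re-key before wrap.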

There may be better plans than what I ascribe to Intel but I don’t know any.

Perhaps there is an argument that the code in the enclave can be designed not to lose control upon finding stale info on the stack, etc. Perhaps you can argue that a confused movie player will not disclose the IP.

Other SGX notes on this site

Negative ring numbers
My notes on Intel’s description

MIT’s notes

x86 in general