Is it possible to create and run Intel SGX enclaves within a virtualised environment such as Virtualbox or Docker?
Intel SGX in virtualized environment
2.9k views Asked by wasp256 At
2
There are 2 answers
0
On
It is possible to run and start enclaves from virtual machines. However, the virtualization software must be able to support the SGX instruction set. VirtualBox and Docker still don't support SGX, but KVM and Xen both have patches available to support SGX.
For more details see here: https://01.org/intel-software-guard-extensions/sgx-virtualization
Surely SGX applications can run in virtualised environment, because running Intel SGX just require Ring 3 privilege. But your motherboard needs to be changed to enable it, and there should be some modifications need to be made in the Hypervisor or OS. Currently, it seems Intel SGX is still not yet supported in traditional virtualised environments like XEN/KVM in the mainstream, but there are some preliminary SGX virtualization patches from Intel.
In addition, there are some research papers talking about SGX applications running on virtualised environments:
SCONE is a docker-compatible secure container. You may check their website. There is a OSDI'16 paper describing SCONE.
Haven provides shielded execution , that protects the confidentiality and integrity of programs/data from the platform on which it runs. It is based on Windows HyperV and Libos. There is an OSDI'14 paper describing Haven.