[QUESTION] What's the key point of Hyperenclave as TEE ?

[Ariel08081214]

Your Question

Hai. @yilingxu @Bonjourz
MMU is responsible for memory isolation，SME or TME is responsible for memory encryption，TPM can be used to do the remote attestation，then what does the HyperEnclave do for TEE's construction？What's the unique key point of Hyperenclave as a TEE?

[Bonjourz]

@Ariel08081214

then what does the HyperEnclave do for TEE's construction?

HyperEnclave uses the primitives provided hardware to provided TEE environment for applications.

What's the unique key point of Hyperenclave as a TEE?

Same as other TEE SOTAs, HyperEnclave provides a secure area(Trusted Execution Environment) for applications.

Software outside the TEE can not read/write its confidential data. And user is able to authenticates whether an application is in TEE.

[Ariel08081214]

Thank u @Bonjourz
The paper has a statement as follows: HyperEnclavemay leverage hardware memory encryption (such as AMD SME [44] and Intel MKTME [42]) to encrypt partial physical memory at the page granularity.

Software outside the TEE can not read/write its confidential data.

As I know, AMD SME is used to encryt the total memory, How to encrypt partial physical memory？
Do applications need to be adapted for the memory encryption feature if I only want to encrypt hyperenclave's enclave's memory?

[Bonjourz]

Hi @Ariel08081214 ,

AMD SME is used to encrypt the total memory, How to encrypt partial physical memory？

That is not correct. Whether CPU performs decryption/encryption when read/write a memory is controlled by c-bit in page table entry, you can refer to the AMD64 Architecture Programmer’s Manual Volume 2

Do applications need to be adapted for the memory encryption feature if I only want to encrypt hyperenclave's enclave's memory?

Memory encryption is transparent to application itself. They require no additional adaptation work.