asterinas / hyperenclave

HyperEnclave is an open and cross-platform trusted execution environment.
Apache License 2.0
18 stars 3 forks source link

HyperEnclave and AMD SEV、Intel SGX #8

Open Ariel08081214 opened 1 week ago

Ariel08081214 commented 1 week ago

Hai. According to my understanding,HyperEnclave is more similar to AMD SEV,not Intel SGX,right? HyperEnclave include VMM(RustMonitor)和Guest(Occlum and applications in enclave)as AMD SEV does.

I can't figure out the similarities between HyperEnclave and Intel SGX except the fact that they are all process-based TEE.

Can you offer some guidance?

Bonjourz commented 1 week ago

@Ariel08081214 ,

HyperEnclave is more similar to AMD SEV, not Intel SGX,right?

The TEE instance provided by HyperEnclave is similar to Intel SGX(Process-based Enclave).

The TEE instance provided by AMD SEV is a CVM(Confidential Virtual Machine).

It should be mentioned that we are now working on extending HyperEnclave to provide CVM instance for users, and we plan to publish the related source code in the future.

Ariel08081214 commented 1 week ago

@Bonjourz

According to my understanding, HyperEnclave create a unique VM for host OS and the untrusted part of applications, the trusted part of the applications run in enclave as a secure VM created by RustMonitor. If the application runs in encalve with Occlum,then the whole application is in the encalve,right? I think Hyperenclave's enclave is similar to Intel SGX(Process-based Enclave) but the VMM named RustMonitor is similar AMD SEV.

Bonjourz commented 1 week ago

Hi @Ariel08081214

According to my understanding, HyperEnclave create a unique VM for host OS and the untrusted part of applications, the trusted part of the applications run in enclave as a secure VM created by RustMonitor. If the application runs in encalve with Occlum,then the whole application is in the enclave, right?

Yes.

I think Hyperenclave's enclave is similar to Intel SGX(Process-based Enclave)

Yes. The interface to manage enclave on HyperEnclave is similar to SGX.

but the VMM named RustMonitor is similar AMD SEV.

In all the TEE's design, there is a secure monitor who has the most privilege and is able to manage all the security-related resource(memory, CPU status) on the platform. For SGX, the monitor is the microcode in the CPU. For AMD SEV, the monitor is integrated into the AMD Platform Security Processor.

HyperEnclave targets on the common platform, it only relies the common technology like virtualization. So on HyperEnclave, our RustMonitor runs in the VM Root mode(most privilege), and other parts runs in VM-non Root mode.

Ariel08081214 commented 1 week ago

Thank you very much,your reply helps a lot to me

Ariel08081214 commented 7 hours ago

@Bonjourz Hai.Here is another question. The trusted part of a application run in enclave,which is inside a secure VM. So, is there only one secure VM or is one-to-one with application?