SPEAR-V: Secure and Practical Enclave Architecture for RISC-V

Abstract

Trusted Execution Environments (TEEs) and enclaves have become increasingly popular and are used from embedded devices to cloud servers. Today, many enclave architectures exist for different ISAs. However, some suffer from performance issues and controlled-channel attacks, while others only support constrained use cases for embedded devices or impose unrealistic constraints on the software. Modern cloud applications require a more flexible architecture that is both secure against such attacks and not constrained by, e.g., a limited number of physical memory ranges. In this paper, we present SPEAR-V, a RISC-V-based enclave that provides a fast and flexible architecture for trusted computing that is compatible with current and future use cases while also aiming at mitigating controlled-channel attacks. With a single hardware primitive, our novel architecture enables two-way sandboxing. Enclaves are protected from hosts and vice versa. Furthermore, we show how shared memory and arbitrary nesting can be achieved without additional performance overheads. Our evaluation shows that, with minimal hardware changes, a flexible, performant, and secure enclave architecture can be constructed, imposing zero overhead on unprotected applications and an average overhead of 1% for protected applications.