Keystone: An Open Framework for Architecting TEEs by Lee, Dayeol et al.
Keystone: An Open Framework for Architecting TEEs
Dayeol Lee
dayeol@berkeley.edu
UC Berkeley
David Kohlbrenner
dkohlbre@berkeley.edu
UC Berkeley
Shweta Shinde
shwetas@berkeley.edu
UC Berkeley
Krste Asanović
krste@berkeley.edu
UC Berkeley
Dawn Song
dawnsong@berkeley.edu
UC Berkeley
Abstract
Trusted execution environments (TEEs) are being used in
all the devices from embedded sensors to cloud servers and
encompass a range of cost, power constraints, and security
threat model choices. On the other hand, each of the current
vendor-specific TEEs makes a fixed set of trade-offs with
little room for customization. We present Keystone—the first
open-source framework for building customized TEEs. Key-
stone uses simple abstractions provided by the hardware
such as memory isolation and a programmable layer under-
neath untrusted components (e.g., OS). We build reusable
TEE core primitives from these abstractions while allow-
ing platform-specific modifications and application features.
We showcase how Keystone-based TEEs run on unmodified
RISC-V hardware and demonstrate the strengths of our de-
sign in terms of security, TCB size, execution of a range of
benchmarks, applications, kernels, and deployment models.
1 Introduction
The last decade has seen the proliferation of trusted execu-
tion environments (TEEs) to protect sensitive code and data.
All major CPU vendors have rolled out their TEEs (e.g., ARM
TrustZone, Intel SGX, and AMD SEV) to create a secure exe-
cution environment, commonly referred to as an enclave [24,
79, 96]. On the consumer end, TEEs are now being used
for secure cloud services [25, 31], databases [115], big data
computations [37, 59, 121], secure banking [91], blockchain
consensus protocols [9, 92, 98], smart contracts [32, 49, 141],
machine learning [106, 133], network middleboxes [67, 68],
and so on. These use-cases have diverse deployment envi-
ronments ranging from cloud servers, client devices, mobile
phones, ISPs, IoT devices, sensors, and hardware tokens.
Unfortunately, each vendor TEE enables only a small por-
tion of the possible design space across threat models, hard-
ware requirements, resource management, porting effort,
and feature compatibility. When a cloud provider or soft-
ware developer chooses a target hardware platform they are
locked into the respective TEE design limitations regardless
of their actual application needs. Constraints breed creativity,
giving rise to significant research effort in working around
these limits. For example, Intel SGXv1 [96] requires statically
Keystone is available at https://keystone-enclave.org/
sized enclaves, lacks secure I/O and syscall support, and is
vulnerable to significant side-channels [53]. Thus, to execute
arbitrary applications, the systems built on SGXv1 have in-
flated the Trusted Computing Base (TCB) and are forced to
implement complex workarounds [25, 31, 43, 115, 124]. As
only Intel can make changes to the inherent design trade-offs
in SGX, users have to wait for changes like dynamic resiz-
ing of enclave virtual memory in the proposed SGXv2 [95].
Unsurprisingly, these and other similar restriction have led
to a proliferation of TEE re-implementations on other ISAs
(e.g., OpenSPARC [42, 89], RISC-V [54, 120]). However, each
such redesign requires considerable effort and only serves
to create another fixed design point.
In this paper, we advocate that the hardware must pro-
vide security primitives and not point-wise solutions. We
can draw an analogy with the move from traditional net-
working solutions to Software Defined Networking (SDN),
where exposing the packet forwarding primitives to the soft-
ware has led to far more use-cases and research innovation.
We believe a similar paradigm shift in TEEs will pave the
way for effortless customization. It will allow features and
the security model to be tuned for each hardware platform
and use-case from a common base. This motivates the need
for customizable TEEs to provide a better interface between
entities that create the hardware, operate it, and develop
applications. Customizable TEEs promise quick prototyping,
a shorter turn-around time for fixes, adaptation to threat
models, and use-case specific deployment.
The first challenge in realizing this vision is the lack of
a programmable trusted layer below the untrusted OS. Hy-
pervisor solutions result in a trusted layer with a mix of
security and virtualization responsibilities, unnecessarily
complicating the most critical component. Firmware and
micro-code are not programmable to a degree that satis-
fies this requirement. Second, previous attempts at re-using
hardware isolation to provide TEE guarantees do not cap-
ture the right notion of customization. Specifically, these
solutions (e.g. Komodo [61], seL4 [84]) rely on the underly-
ing hardware not only for a separation mechanism but also
for pre-made decision about the boundary between what
is trusted and untrusted. They use a verified trusted soft-
ware layer for customization on top of this hardware [61].
To overcome these challenges, our insight is to identify the
ar
X
iv
:1
90
7.
10
11
9v
2 
 [c
s.C
R]
  7
 Se
p 2
01
9
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
appropriate hardware memory isolation primitives and then
build a modular software-programmable layer with the ap-
propriate privileges
To this end, we propose Keystone—the first open-source
framework for building customizable TEEs. We build Key-
stone on unmodified RISC-V using its standard specifica-
tions [22] for physical memory protection (PMP)—a primitive
which allows the programmable machine mode underneath
the OS in RISC-V to specify arbitrary protections on physical
memory regions. We use this machine mode to execute a
trusted security monitor (SM) to provide security boundaries
without needing to perform any resource management. More
importantly, enclave operates in its own isolated physical
memory region and has its own runtime (RT) component
which executes in supervisor mode and manages the vir-
tual memory of the enclave. With this novel design, any
enclave-specific functionality can be implemented cleanly
by its RT while the SM manages hardware-enforced guaran-
tees. This allows the enclaves to specify and include only the
necessary components. The RT implements the functionality,
communicates with the SM, mediates communication with
the host via shared memory, and services enclave user-code
application (eapp).
Our choice of RISC-V and the logical separation between
SM and RT allows hardware manufacturers, cloud providers,
and application developers to configure various design choices
such as TCB, threat models, workloads, and TEE functional-
ity via compile-time plugins. Specifically, Keystone’s SM uses
hardware primitives to provide in-built support for TEE guar-
antees such as secure boot, memory isolation, and attestation.
The RT then provides functionality plugins for system call in-
terfaces, standard libc support, in-enclave virtual memory
management, self-paging, and more inside the enclave. For
strengthening the security, our SM leverages a highly con-
figurable cache controller to transparently enable defenses
against physical adversaries and cache side-channels.
We build Keystone, the SM, and an RT (called Eyrie) which
together allow enclave-bound user applications to selectively
use all the above features. We demonstrate an off-the-shelf
microkernel (seL4 [84]) as an alternative RT. We extensively
benchmark Keystone on 4 suites with varying workloads:
RV8, IOZone, CoreMark, and Beebs. We showcase use-case
studies where Keystone can be used for securemachine learn-
ing (Torch and FANN frameworks) and cryptographic tasks
(sodium library) on embedded devices and cloud servers.
Lastly, we test Keystone on different RISC-V systems: the
SiFive HiFive Freedom Unleashed, 3 in-order cores and 1
out-of-order core via FPGA, and a QEMU emulation—all
without modification. Keystone is open-source and available
online [12].
Contributions. We make the following contributions:
• Need for Customizable TEEs. We define a new para-
digm wherein the hardware manufacturer, hardware
Enclave 1Untrusted
User
(U-mode)
Supervisor
(S-mode)
Machine
(M-mode) Security Monitor (SM)
Runtime (RT) 1Operating System (OS)
Enclave App 1 
(Eapp)App App
Enclave 2 
… …
Eapp 2
RT 2
Root of TrustOptional H/W FeaturesTrustedHardware RISC-V Cores
Hi
gh
er
 P
riv
ile
ge
Figure 1. Keystone overview of the system setup and privilege
levels. Includes components such as untrusted host processes, the
untrusted OS, the security monitor, and multiple enclaves (each
with a runtime and an eapp).
operator, and the enclave programmer can tailor the
TEE design.
• Keystone Framework. We present the first framework
to build and instantiate customizable TEEs. Our princi-
pled way of ensuring modularity in Keystone allows us
to customize the design dimensions of TEE instances
as per the requirements.
• Open-source Implementation.We demonstrate the ad-
vantages of Keystone TEEs which can minimize the
TCB, adapt to threat models, use hardware features,
handle workloads, and provide rich functionality with-
out any micro-architectural changes. Total TCB of
a Keystone enclaved application is between 12-15 K
lines of code (LoC), of which the SM consists of only
1.6 KLoC added by Keystone.
• Benchmarking & Real-world Applications. We evaluate
Keystone on 4 benchmarks: CoreMark, Beebs, and RV8
(< 1% overhead), and IOZone (40%). We demonstrate
real-world machine learning workloads with Torch in
Eyrie (7.35%), FANN (0.36%) with seL4, and a Keystone-
native secure remote computation application. Finally,
we demonstrate enclave defenses for adversaries with
physical access via memory encryption and a cache
side-channel defense.
2 Customizable TEEs
Wemotivate the need for customizable TEEs which can adapt
to various real deployment scenarios, introduce our key ac-
tors, and define our goals.
2.1 Need for a New Paradigm.
Current widely-used TEE systems cater to specific and valu-
able use-cases but occupy only a small part of the wide design
space (see Table 1). Consider the case of heavy server work-
load (databases, ML inference, etc.) running in an untrusted
cloud environment. One option is an SGX-based solution
which has a large software stack [25, 31, 43] to extend the
supported features. On the other hand, a SEV-based solu-
tion requires a complete virtualization stack. If one wants
2
Keystone
additional defenses against side-channels, it adds further
user-space software mechanisms for both cases. If we con-
sider edge-sensors or IoT applications, the available solutions
are TrustZone based. While more flexible than SGX or SEV,
TrustZone supports only a single hardware-enforced iso-
lated domain called the Secure World. Any further isolation
needs multiplexing between applications within one domain
with software-based Secure World OS solutions [7]. Thus,
irrespective of the TEE, developers often compromise their
design requirements (e.g., resort to a large TCB solution, lim-
ited privilege domains) or take on the onus of building their
custom design.
Hardware-software co-design. Keystone builds on simple
yet elegant primitives.We leveragemultiple well-defined and
existing hardware features while allowing the software lay-
ers to manage the complex responsibilities. Previous works
explore the spectrum of tasks the hardware and software
should do. For instance, seL4 [84] uses a single isolation
domain exposed by the hardware and performs almost all
resource management, isolation, and security enforcement
in a verified software layer. Komodo uses the two isolation
domains provided by ARM TrustZone to execute multiple
isolated domains enforced by formally verified software. In
Keystone, we expect arbitrary hardware-isolated domains
whose boundaries can be dynamically configured in the soft-
ware. With this novel choice, Keystone provides guarantees
with minimum trusted software while allowing the isolated
regions to manage themselves.
Customizable TEEs. We define a new paradigm—custom-
izable TEEs—to allow multiple stakeholders to customize a
TEE. The hardware manufacturer only provides basic primi-
tives. Realizing a specific TEE instance involves the platform
provider’s choice of the hardware interface, the trust model,
and the enclave programmer’s feature requirements. The
entities offload their choices to a framework which plugs
in required components and composes them to instantiate
the required TEE. With this, we bridge the existing gaps in
the TEE design space, allow researchers to independently
explore design trade-offs without significant development
effort, and encourage rapid response to vulnerabilities and
new feature requirements.
Trusted Hardware Requirements. Keystone requires no
changes to CPU cores, memory controllers, etc. A secure
hardware platform supporting Keystone has several feature
requirements: a device-specific secret key visible only to the
trusted boot process, a hardware source of randomness, and a
trusted boot process. Key provisioning [20] is an orthogonal
problem. For this paper, we assume a simple manufacturer
provisioned key.
2.2 Entities in TEE Lifecycle
We define six logical entities in customizable TEEs:
Keystone hardware designer designs the hardware; de-
signs or modifies existing SoCs, IP blocks and interactions.
Keystone hardware manufacturer fabricates the hard-
ware; assembles them as per the pre-defined design.
Keystone platformprovider purchasesmanufactured hard-
ware; operates the hardware; makes it available for use to
its customers; configures the SM.
Keystone programmer develops Keystone software com-
ponents including SM, RT, and eapps; we refer to the pro-
grammers who develop these specific components as SM pro-
grammer, RT programmer, eapp programmer respectively.
Keystone user chooses a Keystone configuration of RT and
an eapp. They instantiate a TEE which can execute on their
choice of hardware provisioned by the Keystone platform
provider.
eapp user interacts with the eapp executing in an enclave
on the TEE instantiated using Keystone.
We define these fine-granularity roles for customization op-
tions in Keystone. In real-world deployments, a single entity
can perform multiple roles. For example, consider the sce-
nario where Acme Corp. hosts their website on an Apache
webserver executing on Bar Corp. manufactured hardware
in a Keystone-based enclave hosted on Cloud Corp. cloud
service. In this scenario, Bar will be the Keystone hardware
designer and Keystone hardware manufacturer; Cloud will
be a Keystone platform provider and can be an RT program-
mer and SM programmer; Apache developers will be eapp
programmer; Acme Corp. will be Keystone user, and; the
person who uses the website will be the eapp user.
3 Keystone Overview
We use RISC-V to design and build Keystone. RISC-V is
an open ISA with multiple open-source core implementa-
tions [26, 41]. It currently supports up to three privilege
modes: U-mode (user) for normal user-space processes, S-
mode (supervisor) for the kernel, and M-mode (machine)
which can directly access physical resources (e.g., interrupts,
memory, devices).
3.1 Design Principles
We design customizable TEEs with maximum degrees of
freedom and minimum effort using the following principles.
Leverage programmable layer and isolation primitives
below the untrusted code. We design a security monitor
(SM) to enforce TEE guarantees on the platform using three
properties of M-mode: (a) it is programmable by platform
providers and meets our needs for a minimal highest privi-
lege mode. (b) It controls hardware delegation of the inter-
rupts and exceptions in the system. All the lower privilege
modes can receive exceptions or use CPU cycles only when
the M-mode allows it. (c) Physical memory protection (PMP),
3
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
System
Software
Adversary
Protection
Physical
Adversary
Protection
Side Ch
Adversary
Protection
Control Ch
Adversary
Protection
Low
SW
TCB
No
HW
Mods
Flexible
Resource
Mgmt
Range
of Apps
Supported
Supports
High
Expr
Low
Porting
Effort
SGX [96]
Haven [31]
Graphene-SGX [43]
Scone [25]
Intel
Varys [107]
TrustZone [24]
Komodo [61]
OP-TEE [7]
A
RM
Sanctuary [36]
SEV [79]
A
M
D SEV-ES [78]
Sanctum [54]
TIMBER-V [120]
MultiZone [5]
RISC-V
Keystone (This paper)
Table 1. Trade-offs in existing TEEs and extensions. C1-2: Category and specific systems. , , represent best to least adherence to the
property in the column respectively.C3-6: resilience against software adversary, hardware adversary, side-channel adversary, control-channel
adversary respectively; the symbols indicates complete protection, only confidentiality protection, and no protection respectively. C7: zero,
thousands of LoC, millions of LoC of TCB. C8: zero or non-zero hardware / micro-architectural modifications. C9: allows the enclave to do
self resource management with complete, partial, or no flexibility. C10: the range of applications supported are maximum; specific class;
only written from scratch. C11: expressiveness includes forking, multi-threading, syscalls, shared memory; partial; none of these. C12:
developer effort for porting is zero (unmodified binaries); partial (compiling and / or configuration files); substantial (significant re-writing).
a feature of the RISC-V Privileged ISA [22], enables the M-
mode to enforce simple access policies to physical memory,
allowing isolation of memory regions at runtime or disabling
access to memory-mapped control features.
Decouple the resourcemanagement and security checks.
The SM enforces security policies with minimal code at the
highest privilege. It has few non-security responsibilities.
This lowers its TCB and allows it to present clean abstrac-
tions. Our S-mode runtime (RT) and U-mode enclave appli-
cation (eapp) are mutually trusting, reside in enclave address
space, and are isolated from the untrusted OS or other user
applications. The RT manages the lifecycle of the user code
executing in the enclave, manages memory, services syscalls,
etc. For communication with the SM, the RT uses a limited
set of API functions via the RISC-V supervisor binary inter-
face (SBI) to exit or pause the enclave (Table 2) as well as
request SM operations on behalf of the eapp (e.g., attesta-
tion). Each enclave instance may choose its own RT which
is never shared with any other enclave.
Design modular layers. Keystone uses modularity (SM,
RT, eapp) to support a variety of workloads. It frees Key-
stone platform providers and Keystone programmers from
retrofitting their requirements and legacy applications into
an existing TEE design. Each layer is independent, provides
a security-aware abstraction to the layers above it, enforces
guarantees which can be easily checked by the lower layers,
and is compatible with existing notions of privilege.
Allow to selectively include TCB only when required.
Keystone can instantiate TEEs with minimal TCB for each of
the specific expected use-cases. The enclave programmer can
further optimize the TCB via RT choice and eapp libraries
using existing user/kernel privilege separation. For example,
if the eapp does not need libc support or dynamic memory
management, Keystone will not include them in the enclave.
3.2 Threat Model
The Keystone framework trusts the PMP specification as
well as the PMP and RISC-V hardware implementation to
be bug-free. The Keystone user trusts the SM only after
verifying if the SMmeasurement is correct, signed by trusted
hardware, and has the expected version. The SM only trusts
the hardware, the RT trusts the SM, the eapp trusts the SM
and the RT.
Adaptive Threat Model. Keystone can operate under di-
verse threat models, each requiring different defense mecha-
nisms. For this reason, we outline all the relevant attackers
for Keystone. We allow the selection of a sub-set of these
attackers based on the scenario. For example, if the user is
deploying TEEs in their own private data centers or home
appliances, a physical attacker may not be a realistic threat
and Keystone can be configured to operate without physical
adversary protections.
Attacker Models. Keystone protects the confidentiality and
integrity of all the enclave code and data at all points during
4
Keystone
execution. We define four classes of attackers who aim to
compromise our security guarantees:
A physical attacker APhy can intercept, modify, or replay
signals that leave the chip package. We assume that the phys-
ical attacker does not affect the components inside the chip
package. APhyC is for confidentiality, APhyI is for integrity.
A software attacker ASW can control host applications, the
untrusted OS, network communications, launch adversarial
enclaves, arbitrarily modify any memory not protected by
the TEE, and add/drop/replay enclave messages.
A side-channel attacker ASC can glean information by pas-
sively observing interactions between the trusted and the un-
trusted components via the cache side-channel (ACache ), the
timing side-channel (AT ime ) or the control channel (ACntr l ).
A denial-of-service attacker ADoS can take down the en-
clave or the host OS. Keystone allows these attacks against
enclaves as the OS can refuse services to user applications
at any time.
Scope. Keystone currently has no meaningful mechanisms
to protect against speculative execution attacks [39, 69, 85,
99, 122, 134]. We recommend Keystone users to avoid de-
ployments on out-of-order cores. Existing and future de-
fenses against this class of attacks can be retrofitted into
Keystone [35, 138]. Keystone does not natively protect the
enclave or the SM against timing side-channel attacks. SM,
RT, and eapp programmers should use existing software
solutions to mask timing channels [66] and Keystone hard-
ware manufacturers can supply timing side-channel resistant
hardware [83]. The SM exposes a limited API to the host OS
and the enclave. We do not provide non-interference guar-
antees for this API [61, 126]. Similarly, the RT can optionally
perform untrusted system calls into the host OS. We assume
that the RT and the eapp have sufficient checks in place to
detect Iago attacks via this untrusted interface [43, 109, 125],
and the SM, RT, and eapp are bug-free.
4 Keystone Internals
We discuss the Keystone design details and the enclave life-
cycle. Our enclave consists of a kernel-like component in
the S-mode (the runtime—RT), and an application in the U-
mode (the enclave application—eapp). The RT and the host
OS share a dedicated buffer that is accessible only to specific
RT functions and the host.
4.1 Keystone Memory Isolation Primitives
Keystone has significantly better modularity and customiz-
ability because of our conscious design choices. First, we ex-
pect the hardware to provide only simple security primitives
and interfaces. Second, we assign minimum responsibilities
of the trusted software components executing at the highest
privilege (e.g., bootloader, SM). Finally, we push bulk of the
resource management logic either to the untrusted software
or the enclave.
Caller SM API Description
OS
create Validate, and measure the enclave
run Start enclave and boot RT
resume Resume enclave execution
destroy Release enclave memory
RT
stop Pause enclave execution
exit Terminate the enclave
attest Get a signed attestation report
random Get secure random values
OS & RT plugin* Call SM plugins (e.g., dynamic resizing)
Table 2. The SBI API functions (SBI) provided by the Keystone SM.
* indicates that the SBI is provided by an optional SM plugin.
Background: RISC-V Physical Memory Protection. Key-
stone uses physical memory protection (PMP) feature pro-
vided by RISC-V. PMP restricts the physical memory access
of S-mode and U-mode to certain regions defined via PMP
entries (See Figure 2).2 Each PMP entry controls the U-mode
and S-mode permissions to a customizable region of physi-
cal memory.3 The PMP address registers encode the address
of a contiguous physical region, configuration bits specify
the r-w-x permissions for U/S-mode, and two addressing
mode bits. PMP has three addressing modes to support var-
ious sizes of regions (arbitrary regions and power-of-two
aligned regions). PMP entries are statically prioritized with
the lower-numbered PMP entries taking priority over the
higher-numbered entries. If any mode attempts to access
a physical address and it does not match any PMP address
range, the hardware does not grant any access permissions.
Enforcing Memory Isolation via SM. PMP makes Key-
stone memory isolation enforcement flexible for three rea-
sons: (a) multiple discontiguous enclave memory regions can
coexist instead of reserving one large memory region shared
by all enclaves; (b) PMP entries can cover a regions between
sizes 4 bytes or maximum DRAM size so Keystone enclaves
utilize page-aligned memory with an arbitrary size; (c) PMP
entries can be dynamically reconfigured during execution
such that Keystone can dynamically create a new region or
release a region to the OS.
During the SM boot, Keystone configures the first PMP
entry (highest priority) to cover its own memory region
(code, stack, data such as enclave metadata and keys). The
SM disallows all access to its memory from U-mode and S-
mode using this first entry and configures the last PMP entry
(lowest priority) to cover all memory and with all permis-
sions enabled. The OS thus has default full permissions to
all memory regions not otherwise covered by a PMP entry.
When a host application requests the OS to create an
enclave, the OS finds an appropriate contiguous physical
2pmpaddr and pmpcfg CSRs are used to specify PMP entries
3Currently processors have up to 16 M-mode configurable PMP entries.
5
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
pmpcfg perm. 
Enclave (E1) Context
SM E1 U1
pmpaddr 
PMP registers
Untrusted Context
P
rio
rit
y
SM E1
pmpcfg rwx=000
rwx=111
E2 E2PhysicalMemory
…
Figure 2. Keystone’s use of RISC-V PMP for the flexible, dynamic
memory isolation. The SM uses a few PMP entries to guard its own
memory (SM), enclave memory regions (E1, E2), and the untrusted
buffer (U1). On enclave entry, the SM will reconfigure the PMP
such that the enclave can only access its own memory (E1) and the
enclave’s untrusted buffer (U1).
region. On receiving a valid enclave creation request, the SM
protects the enclave memory by adding a PMP entry with all
permissions disabled. Since the enclave’s PMP entry has a
higher priority than the OS PMP entry (the last in Figure 2),
the OS and other user processes cannot access the enclave
region. A valid request requires that enclave regions not
overlap with each other or with the SM region.
At a CPU control-transfer to an enclave, the SM (for the
current core only): (a) enables PMP permission bits of the
relevant enclave memory region; and (b) removes all OS PMP
entry permissions to protect all other memory from the en-
clave. This allows the enclave to access its own memory and
no other regions. At a CPU context-switch to non-enclave,
the SM disables all permissions for the enclave region and
re-enables the OS PMP entry to allow default access from the
OS. Enclave PMP entries are freed on enclave destruction.
PMP Enforcement Across Cores. Each core has its own
complete set of PMP entries. During enclave creation, Key-
stone adds a PMP entry to disallow everyone from accessing
the enclave. These changes during the creation must be prop-
agated to all the cores via inter-processor interrupts (IPIs).
The SM executing on each of the cores handles these IPIs by
removing the access of other cores to the enclave. During the
enclave execution, changes to the PMP entries (e.g., context
switches between the enclave and the host) are local to the
core executing it and need not be propagated to the other
cores. When Keystone destroys or creates an enclave, all the
other cores are notified to update their PMP entries. There
are no other times when the PMPs need to be synchronized
via IPIs.
4.2 Enclave Lifecycle
We summarize the end-to-end life cycle of a Keystone en-
clave. Figure 3 shows the key steps in the enclave lifetime
and the corresponding PMP changes.
Unused Memory
RTPT Eapp FreeMem*
RTPT Eapp FreeMem*
RTPT Eapp FreeMem*
Enclave Memory
Enclave Memory
Enclave Memory
0000 …. 0000
Unused Memory
Cr
ea
te
Ex
ec
ut
e
De
st
ro
y
Memory Status Core PMP Status
This / Others
Allocate Memory
Load Binaries
Create Enclave 
Verify and Measure
Run/Resume Enclave
Stop/Exit Enclave
Dynamic Resizing*
Destroy Enclave
Deallocate Memory
Operations
…
…
…
…
…
…
…
…
…
Figure 3. Lifecycle of an enclave. The enclave memory and the
corresponding PMP entry status (accessible or not) are shown per
each operation. For PMP status, This means the PMP status of the
core performing the operation and Others is PMP of other cores.
OS
App Enclave
(a) Intel SGX
MonitorOS
App Enclave
SecureNormal
(b) Komodo
VMM
D
O
M
0
Guest 
OS
App
(d) Xen
D
O
M
U
OS
App
RT
Security Monitor
Enclave
(c) Keystone
Figure 4. Memory Management Designs (the shaded area is un-
trusted). (a) Intel SGX: the untrusted OS manages the memory and
translates virtual-to-physical address. (b) Komodo: the page-tables
are inside the enclave but the monitor creates the mappings. (c) Key-
stone: delegates page management to enclave with its own page
table. (d) XEN: the hypervisor performs the page management,
there are two page tables in this setup.
Enclave Creation. At creation, Keystone measures the en-
clave memory to ensure that the OS has loaded the enclave
binaries correctly to the physical memory. Keystone uses
the initial virtual memory layout for the measurement be-
cause the physical layout can legitimately vary (within limits)
across different executions. For this, the SM expects the OS to
initialize the enclave page tables and allocate physical mem-
ory for the enclave. The SM walks the OS-provided page
table and checks if there are invalid mappings and ensures
a unique virtual-to-physical mapping. Then the SM hashes
the page contents along with the virtual addresses and the
configuration data.
Enclave Execution. The SM sets the PMP entries and trans-
fers the control to the enclave entry point.
Enclave Destruction.On an OS initiated tear-down, the SM
clears the enclave memory region before returning the mem-
ory to the OS. SM cleans and frees all the enclave resources,
PMP entries, and enclave metadata.
4.3 Post-creation In-enclave Page Management
Keystone has a different memory management design from
the existing TEEs (see Figure 4). It uses the OS generated
6
Keystone
AttestationProvisioning
DeploymentDevelopment
Remote Verifier
Untrusted Machine
Eapp 
Sources
Host 
Sources
Keystone Framework 
(User)
RT Bin.
Enclave
Configs
Eapp Bin.
Untrusted
Host Bin.
Keystone SM
Trusted Platform
Untrusted
OSR
T
R
T
R
T
E
ap
p
E
ap
p
E
ap
p
H
os
t
U
se
r P
ro
c.
U
se
r P
ro
c.
Enclave Hash
(Eapp+RT)
Keystone Libraries
Keystone Framework 
(Platform Provider)
Platform
Configs
SM Bin.
RT Sources
(seL4, Eyrie, …)
SM Sources
Keystone Tools
SM Plugins
(e.g., Cache Isolation)
RT Plugins
Platform 
PubKey
SM Hash
Platform 
Spec.
Platform 
PubKey
Platform 
Spec.
C
ha
lle
ng
e
R
es
po
ns
e
Ve
rif
y
❶
❷
❸
❹ ❺
❻
❼
❽
Figure 5. End-to-end Overview of Keystone Framework. ❶ The
platform provider configures the SM. ❷ Keystone compiles and
generates the SM boot image. ❸ The platform provider deploys the
SM. ❹ The developer writes an eapp and configures the enclave. ❺
Keystone builds the binaries and computes their measurements. ❻
The untrusted host binary is deployed to the machine. ❼ The host
deploys the RT and the eapp and initiates the enclave creation.❽ A
remote verifier can perform the attestation based on a known plat-
form specifications, the keys, and the SM/enclave measurements.
page-tables for the initialization and then delegates the virtual-
to-physical memory mapping entirely to the enclave during
the execution. Since RISC-V provides per-hardware-thread
views of the physical memory via the machine-mode and
the PMP registers, it allows Keystone to have multiple con-
current and potentially multi-threaded enclaves to access
the disjoint physical memory partitions. With an isolated
S-mode inside the enclave, Keystone can execute its own vir-
tual memory management which manipulates the enclave-
specific page-tables. Page tables are always inside the isolated
enclave memory space. By leaving the memory management
to the enclave we: (a) support several plugins for memory
management which are not possible in any of the existing
TEEs (see Section 5.1); (b) remove controlled side-channel
attacks as the host OS cannot modify or observe the enclave
virtual-to-physical mapping.
5 Keystone Framework
Figure 5 details the steps from Keystone provisioning to eapp
deployment. Independently, the eapp and the RT developers
use Keystone tools and libraries to write eapps and plugins.
They can specify the plugins they want to use at the enclave
compile time. SM plugins that expose additional hardware
or security functionality are determined at compile and pro-
visioning time. We now demonstrate our various Keystone
plugins.
5.1 Enclave Memory Management Plugins
Each enclave can run both S-mode and U-mode code. Thus,
it has the privileges to manage the enclave memory with-
out crossing the isolation boundaries. By default, Keystone
enclaves may occupy a fixed contiguous physical memory
allocated by the OS, with a statically-mapped virtual address
space at load time. Although this is suitable for some em-
bedded applications, it limits the memory usage of most
legacy applications. To this end, we describe several optional
plugins which enable flexible memory management of the
enclave.
Free-memory. We built a plugin that allows the Eyrie RT to
perform page table changes. It also lets the enclave reserve
physical memory without mapping it at creation time. This
unmapped (hence, free) memory region is not included in
the enclave measurement and is zeroed before beginning
the eapp execution. The free-memory plugin is required for
other more complex memory plugins.
DynamicResizing. Statically pre-definedmaximum enclave
size and subsequent static physical / virtual memory pre-
allocations prevent the enclave from scaling dynamically
based on workload. It also complicates the process of porting
existing applications to eapps. To this end, Keystone allows
the Eyrie RT to request dynamic changes to the physical
memory boundaries of the enclave. The Eyrie RT may re-
quest that the OS make an extend SBI call to add contiguous
physical pages to the enclave memory region. If the OS suc-
ceeds in such an allocation, the SM increases the size of the
enclave and notifies the Eyrie RT who then uses the free
memory plugin to manage the new physical pages.
In-Enclave Self Paging. We implemented a generic in-enclave
page swapping plugin for the Eyrie RT. It handles the enclave
page-faults and uses a generic page backing-store that man-
ages the evicted page storage and retrieval. Our plugin uses
a simple random eapp-only page eviction policy. It works in
conjunction with the free memory plugin for virtual memory
management in the Eyrie RT. Put together, they help to alle-
viate the tight memory restrictions an enclave may have due
to the limited DRAM or the on-chip memory size [107–109].
Protecting the Page Content Leaving the Enclave. When
the enclave handles its own page fault, it may attempt to
evict the pages out of the secure physical memory (either
an on-chip memory or the protected portion of the DRAM).
When these pages have to be copied out, their content needs
to be protected. Thus, as part of the in-enclave page manage-
ment, we implement a backing-store layer that can include
page encryption and integrity protection to allow for the se-
cure content to be paged out to the insecure storage (DRAM
regions or disk). The protection can be done either in the
software as a part of the Keystone RT (Figure 6(d)) or by a
dedicated trusted hardware unit—a memory encryption en-
gine (MEE) [72]—with an SM plugin (Figure 6e). Admittedly,
this incurs significant design challenges in efficiently stor-
ing the metadata and performance optimizations. Keystone
design is agnostic to the specific integrity schemes and can
reuse the existing mechanisms [97, 118].
7
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
   Untrusted     SM      Enclave      Enclave (Encrypted)
MEE
LLC
DRAM
(a) ∅ (b) C (c) O (d) O,P,E (e) O,P,EHW
Figure 6. Keystone memory Model for the combination of various
plugins. ∅: no plugin, C: cache partitioning, O: on-chip scratch-
pad, P: enclave self-paging, E: software memory encryption EHW :
hardware memory encryption.
5.2 SM Plugins
Keystone can easily integrate with optional hardware to pro-
vide stronger security guarantees at the cost of various trade-
offs. We demonstrate several SM plugins that can defend the
enclave against a physical attacker or cache side-channel
attacks using the FU540-C000 L2 memory controller.
Secure On-chip Memory. To protect the enclaves against a
physical attacker who has access to the DRAM, we imple-
mented an on-chip memory plugin (Figure 6(c)). It allows
the enclave to execute without the code or the data leav-
ing the chip package. On the FU540-C000, we dynamically
instantiate a scratchpad memory of up to 2MB via the L2
memory controller to generate a usable on-chip memory
region. An enclave requesting to run in the on-chip memory
loads nearly identically to the standard procedure with the
following changes: (a) the host loads the enclave to the OS
allocated memory region with modified initial page-tables
referencing the final scratchpad address; and (b) the SM
plugin copies the standard enclave memory region into the
new scratchpad region before the measurement. Any con-
text switch to the enclave now results in an execution in the
scratchpad memory. This plugin uses only our basic enclave
life-cycle hooks for the platform-specific plugins and does
not require further modification of the SM. The only other
change required was a modification of the untrusted enclave
loading process to make it aware of the physical address
region that the scratchpad occupies. No modifications to the
Eyrie RT or the eapps are required.
Cache Partitioning. Enclaves are vulnerable to cache side-
channel attacks from the untrusted OS and the applications
on the other cores via a shared cache. To this end, we build
a cache partitioning plugin using two hardware capabilities:
(a) the L2 cache controller’s waymasking primitive similar
to Intel’s CAT [104]; (b) PMP to way-partition the L2 cache
transparently to the OS and the enclaves. Our plugin enforces
effective non-interference between the partitioned domains,
see Figure 6(b). Upon a context switch to the enclave, the
cache lines in the partition are flushed. During the enclave
execution, only the cache lines from the enclave physical
memory are in the partition and are thus protected by PMP.
The adversary cannot insert cache lines in this partition
during the enclave execution due to the line replacement
way-masking mechanism. The net effect is that the adver-
sary (ACache ) gains no information about the evictions, the
resident lines, or the residency size of the enclave’s cache.
Ways are partitioned at runtime and are available to the host
whenever the enclave is not executing even if paused.
5.3 Functionality Plugins
EdgeCall Interface. The eapp cannot access the non-enclave
memory in Keystone. If it needs to read/write the data outside
the enclave, the Eyrie RT performs edge calls on its behalf.
Our edge call, which is functionally similar to RPC, consists
of an index to a function implemented in the untrusted host
application and the parameters to be passed to the function.
Eyrie tunnels such a call safely to the untrusted host, copies
the return values of the function back to the enclave, and
sends them to the eapp. The copying mechanism requires
Eyrie to have access to a buffer shared with the host. To
enable this: (a) the OS allocates a shared buffer in the host
memory space and passes the address to the SM at enclave
creation; (b) the SM passes the address to the enclave so
the RT may access this memory; (c) the SM uses a separate
PMP entry to enable OS access to this shared buffer. All the
edge calls have to pass through the Eyrie RT as the eapp
does not have access to the shared memory virtual map-
pings. This plugin can be used to add support for syscalls,
IPC, enclave-enclave communication, and so on.
Proxied SystemCalls. Weallow the proxying of some syscalls
from the eapp to the host application by re-using the edge
call interface. The user host application then invokes the
syscall on an untrusted OS on behalf of the eapp, collects
the return values, and forwards them to the eapp. Keystone
can utilize existing defenses to prevent Iago attacks [44] via
this interface [43, 109, 125].
In-enclave SystemCalls. For appropriate syscalls (e.g., mmap,
brk, getrandom), Keystone invokes an SM interface or exe-
cutes them in Eyrie to return the results to the eapp.
Multi-threading. We run multi-threaded eapps by sched-
uling all the threads on the same core. We do not support
parallel multi-core enclave execution yet.
5.4 Other Keystone Primitives
Keystone supports following other standard TEE primitives.
Secure Boot. AKeystone root-of-trust can be either a tamper-
proof software (e.g., a zeroth-order bootloader) or hardware
(e.g., crypto engine). At each CPU reset, the root-of-trust
(a) measures the SM image, (b) generates a fresh attestation
key from a secure source of randomness, (c) stores it to the
SM private memory, and (d) signs the measurement and the
public key with a hardware-visible secret. These are standard
operations, can be implemented in numerous ways [82, 87].
Keystone does not rely on a specific implementation. For
8
Keystone
completeness, currently, Keystone simulates secure boot via
a modified first-stage bootloader to performs all the above
steps.
Secure Source of Randomness. Keystone provides a secure
SM SBI call, random, which returns a 64-bit random value.
Keystone uses a hardware source of randomness if available
or can use other well-known options [100] if applicable.
Trusted Timer. Keystone allows the enclaves to access the
read-only hardware-maintained timer registers via the rdcycle
instruction. The SM supports standard timer SBI calls.
Remote Attestation. Keystone SM performs the measure-
ment and the attestation based on the provisioned key. En-
claves may request a signed attestation from the SM during
runtime. Keystone uses a standard scheme to bind the attesta-
tion with a secure channel construction [61, 87] by including
limited arbitrary data (e.g., Diffie-Hellman key parameters)
in the signed attestation report. Key distribution [20], revo-
cation [75], attestation services [77], and anonymous attes-
tation [38] are orthogonal challenges.
Secure Delegation. Keystone delegates the traps (i.e., inter-
rupts and exceptions) raised during the enclave execution to
the RT via the interrupt delegation registers. The RT invokes
the appropriate handlers inside the enclave for user-defined
exceptions and may forward other traps to the untrusted OS
via the SM.
Monotonic Counters& Sealed Storage. Enclavesmay need
monotonic counters for protection against rollback attacks
and versioning [53]. Keystone can support monotonic coun-
ters by keeping a limited counter state in the SM memory.
Keystone can support sealed storage [20] in the future.
6 Security Analysis
We argue the security of the enclave, the OS, and the SM
based on the threat model outlined in Section 3.2.
6.1 Protection of the Enclave
Keystone attestation ensures that any modification of the
SM, RT, and the eapp is visible while creating the enclave.
During the enclave execution, any direct attempt by an ASW
to access the enclave memory (cached or uncached) is de-
feated by PMP. All the enclave data structures can only be
updated in the enclave or the SM, both of them are isolated
from direct access. Subtle attacks such as controlled side
channels (ACntr l ) are not possible in Keystone because en-
claves have dedicated page management and in-enclave page
tables. This ensures that any enclave executing with any Key-
stone instantiated TEE is always protected against the above
attacks.
Mapping Attacks. The RT is trusted, does not intentionally
create malicious virtual to physical address mappings [74]
and ensures that the mappings are valid. The RT initializes
the page tables either during the enclave creation or loads
the pre-allocated (and SM validated) static mappings. Dur-
ing the enclave execution, the RT ensures that the layout is
not corrupted while updating the mappings (e.g., via mmap).
When the enclave gets new empty pages, say via the dy-
namic memory plugin, the RT checks if they are safe to use
before mapping them to the enclave. Similarly, if the enclave
is removing any pages, the RT scrubs their content before
returning them to the OS.
Syscall Tampering Attacks. If the eapp and the RT invoke
untrusted functions implemented in the host process and/or
execute the OS syscalls, they are susceptible to Iago attacks
and system call tampering attacks [44, 114]. Keystone can
re-use the existing shielding systems [25, 43, 125] as plugins
to defend the enclave against these attacks.
Side-channelAttacks. Keystone thwarts cache side-channel
attacks (Section 5.2). Enclaves do not share any state with
the host OS or the user application and hence are not ex-
posed to controlled channel attacks. The SM performs a clean
context switch and flushes the enclave state (e.g., TLB). The
enclave can defend itself against explicit or implicit infor-
mation leakage via the SM or the edge call API with known
defenses [127, 128]. Only the SM can see other enclave events
(e.g., interrupts, faults), these are not visible to the host OS.
Timing attacks against the eapp are out of scope.
6.2 Protecting the Host OS
Keystone RTs execute at the same privilege level as the host
OS, so an ASW is our case is stronger than in SGX. We ensure
that the host OS is not susceptible to new attacks from the
enclave because the enclave cannot: (a) reference any mem-
ory outside its allocated region due to the SM PMP-enforced
isolation; (b) modify page tables belonging to the host user-
level application or the host OS; (c) pollute the host state
because the SM performs a complete context switch (TLB,
registers, L1-cache, etc.) when switching between an enclave
and the OS; (d) DoS a core as the SM watchdog timer assures
that the enclave returns control to the OS.
6.3 Protection of the SM
The SM naturally distrusts all the lower-privilege software
components (eapps, RTs, host OS, etc.). It is protected from
an ASW because all the SM memory is isolated using PMP
and is inaccessible to any enclave or the host OS. The SM SBI
is another potential avenue of attack. Keystone’s SM presents
a narrow, well-defined SBI to the S-mode code. It does not
do complex resource management and is small enough to
be formally verified [61, 102]. The SM is only a reference
monitor, it does not require scheduled execution time, so an
ADoS is not a concern. The SM can defend against an ACache
and an AT ime with known techniques [66, 83].
9
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
6.4 Protection Against Physical Attackers
Keystone can protect against a physical adversary by a com-
bination of plugins and a proposed modification to the boot-
loader. Similar to [47], we use a scratchpad to store the de-
crypted code and data, while the supervisormode component
(Eyrie plugins) handles the page-in and page-out.
The enclave itself is protected by the on-chip memory
plugin (in SM) and the paging plugins (in Eyrie), with en-
cryption and integrity protection on the pages leaving the
on-chip memory. The page backing-store is a standard PMP
protected physical memory region now containing only the
encrypted pages, similar in concept to the SGX EPC. This
fully guarantees the confidentiality and integrity of the en-
clave code and data from an attacker with complete DRAM
control.
The SM should be executed entirely from the on-chip
memory. The SM is statically sized and has a relatively
small in-memory footprint (< 150Kb). On the FU540-C000,
this would involve repurposing a portion of the L2 loosely-
integrated memory (LIM) via a modified trusted bootloader.
With all of these plugins and techniques in place, the
only content present outside of the chip package is either
untrusted (host, OS, etc.) or is encrypted and integrity pro-
tected (e.g., swapped enclave pages). Keystone accomplishes
this with no hardware modifications.
7 Implementation
We implemented our SM on top of the Berkeley Boot Loader
(bbl) [10]. It supports M-mode trap handling, boot, and other
features. We simulated the primitives that require hardware
support (randomness, root-of-trust, etc.) and provided well-
defined interfaces. All the plugins in Section 5 are available
as compile-time options. Memory encryption is implemented
using software AES-128 [1] and integrity protection is par-
tially implemented. We implemented the Eyrie RT from
scratch in C. We ported the seL4 microkernel [84] to Key-
stone with 290 LoC modifications to seL4 for boot, memory
initialization, and interrupt handling. There are no inherent
restrictions to these two RTs, and we expect future develop-
ment to add further options. Our user-land interface for in-
teractions with the enclaves is provided via a Linux kernel
module that creates a device endpoint (/dev/Keystone).
We provide several libraries (edge-calls, host-side syscall
endpoints, attestation, etc.) in C and C++ for the host, the
eapp, and interaction with the driver-provided Linux de-
vice. Our provided tools generate the enclave measurements
(hashes) without requiring RISC-V hardware, customize the
Eyrie RT, and package the host application, eapps, RT into a
single binary. We have a complete top-level build solution
to generate a bootable Linux image (based on the tooling
for the SiFive HiFive Freedom Unleashed) for QEMU, FPGA
softcores, and the HiFive containing our SM, the driver, and
Platform Core
Cache Size Latency # of TLB
(KB) (cycles) Entries
# Type L1-I/D L2 L1 L2 L1 L2
Rocket-S 1 in-order 8/8 512 2 24 8 128
Rocket 1 in-order 16/16 512 2 24 32 1024
BOOM 1 OoO 32/32 2048 4 24 32 1024
FU540 4 in-order 32/32 2048 2 12-15* 32 128
Table 3.Hardware specification for each platform. L2 cache latency
in FU540 (*) is based on estimation.
the enclave binaries. Keystone is open-source and available
at https://github.com/keystone-enclave/.
Writing eapps. The eapp developers can choose to port
their legacy applications along with one of the default RTs
provided by Keystone. This requires near-zero developer
efforts. Alternatively, the developers can use our SDK to
write eapp specifically for Keystone. Lastly, Keystone sup-
ports manually partitioning the applications such that the
security-sensitive parts of the logic execute inside the en-
clave, while the rest of the code can execute in the untrusted
host. Thus, Keystone framework gives the developers ample
flexibility in designing and implementing eapps.
8 Evaluation
We aim to answer the following questions in our evaluation:
(RQ1) Modularity. Is the Keystone framework viable in
different configurations for real applications?
(RQ2) TCB.What is the TCB of Keystone-instantiated TEE
in various deployment modes?
(RQ3) Performance. How much overhead does Keystone
add to eapp execution time?
(RQ4) Real-world Applications. Does Keystone provide
expressiveness with minimal developer efforts for
eapps?
Experimental Setup. We used four different setups for our
experiments; the SiFive HiFive FreedomUnleashed [3] with a
closed-source FU540-C000 (at 1GHz), and three open-source
RISC-V processors: small Rocket (Rocket-S), default Rocket [26],
and Berkeley Out-of-order Machine (BOOM) [41]. See Ta-
ble 3 for details. We instantiated the open-source processors
on FPGAs using FireSim [80] which is responsible for emulat-
ing the cores at 1GHz. The host OS is buildroot Linux (kernel
4.15). All evaluation was performed on the HiFive and the
data is averaged over 10 runs unless otherwise specified.
8.1 Modularity & Support
We outline the qualitative measurement of Keystone flex-
ibility in extending features, reducing TCB, and using the
platform features. Table 4 shows the TCB breakdown of vari-
ous components (required and optional) for the SM and Eyrie
RT.
10
Keystone
Component Runtime SM
Base 1800 1100
Memory Isolation — 500
Free Memory 300 —
Dynamic Memory 100 70
Edge-call Handling 300 30
Syscalls 450 —
libc Environment 50 —
IO Syscall Proxying 300 —
Cache Partitioning — 300
In-enclave Paging 300 —
On-chip Memory — 50
Table 4. TCB Breakdowns (in LoC) for Eyrie RT and SM features.
Extending RTs. Most of the modifications (e.g., additional
edge-call features) require no changes to the SM, and the
eapp programmer may enable them as needed. Future addi-
tions (e.g., ports of interface shields) may be implemented
exclusively in the RT. We also add support for a new RT by
porting seL4 to Keystone and use it to execute various eapps
(See Section 8.3). Keystone passes all the tests in seL4 suite
and incurs less than 1% overhead on average over all test
cases.
Extending the SM. The advantage of an easily modifiable
SM layer is noticeable when the features require interaction
with the core TEE primitives like memory isolation. The SM
features were able to take advantage of the L2 cache con-
troller on the FU540 to offer additional security protections
(cache-partitioning and on-chip isolation) without changes
to the RT or eapp.
TCB Breakdown. Keystone comprises of the M-mode com-
ponents (bbl and SM), the RT, the untrusted host application,
the eapp, and the helper libraries, of which only a fraction is
in the TCB. The M-mode component is 10.7 KLoC with a
cryptographic library (4 KLoC), pre-existing trap handling,
boot, and utilities (4.7 KLoC), the SM (1.6 KLoC), and SM
plugins (400 LoC). A minimum Eyrie RT is 1.8 KLoC, with
plugins adding further code as shown in Table 4 up to a maxi-
mum Eyrie RT TCB of 3.6 KLoC. The current maximum TCB
for an eapp running on our SM and Eyrie RT is thus a total
of 15 KLoC. TCB calculations were made using cloc [2] and
unifdef [17].
8.2 Benchmarks
We use 4 standard benchmark suites with a mix of CPU,
memory, and file I/O for system-wide analysis: Beebs, Core-
Mark, RV8, and IOZone. We report the overheads of the
cache partitioning plugin and physical attacker protection
with RV8 as an example of Keystone trade-offs. In all the
graphs, ‘other’ refers to the lifecycle costs for enclave cre-
ation, destruction, etc.
Ro
cke
t-S
Ro
cke
t
BO
OM
FU
54
0
0
2000
4000
6000
8000
kc
yc
le
s/
pa
ge
(a)
Ro
cke
t-S
Ro
cke
t
BO
OM
FU
54
0
0
20
40
60
kc
yc
le
s
(b)
SM create
RT boot
SM destroy
SM context
Figure 7. Breakdown of the operations during the enclave life-cycle.
(a) shows the enclave validation and the hashing duration, and (b)
shows the breakdown of other operations. (b) does not include the
duration of size-dependent operations such as the measurement
in create (Shown in (a)) and the memory cleaning in destroy
(4K-11K cycles/page).
100K
200K
300K
400K
500K
Th
ro
ug
hp
ut
(K
B/
s)
Writer
Baseline_r8
Keystone_r8
Baseline_r128
Keystone_r128
Baseline_r512
Keystone_r512
64 12
8
25
6
51
2 1K 2K 4K 8K 16
K
32
K
64
K
12
8K
25
6K
51
2K
File Size (KB)
100K
200K
300K
400K
500K
Th
ro
ug
hp
ut
(K
B/
s)
Reader
Figure 8. IOZone file operation throughput in Keystone for various
file and record sizes (e.g., r8 represents 8KB record). We only show
write and read results due to limited space.
Common Operations. Figure 7 shows the breakdown of
various enclave operations. Initial validation and measure-
ment dominate the startup with 2M and 7M cycles/page for
FU540 and Rocket-S due to an unoptimized software imple-
mentation of SHA-3 [15]. The remaining enclave creation
time totals 20k-30k cycles. Similarly, the attestation is domi-
nated by the ed25519 [8] signing software implementation
with 0.7M-1.6M cycles. These are both one-time costs per-
enclave and can be substantially optimized in software or
hardware. Themost common SMoperation, context switches,
currently take between 1.8K(FU540)-2.6K(Rocket-S) cycles
depending on the platform. Notably, creation and destruc-
tion of enclaves take longer on the FU540 (4-core), which
can be attributed to the multi-core PMP synchronization.
Standard Benchmarks Used as Unmodified eapp Bina-
ries. Beebs, CoreMark, andRV8.As expected, Keystone in-
curs no meaningful overheads (±0.7%, excluding enclave cre-
ation/destruction) for pure CPU and memory benchmarks.
11
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
prim
es min
iz aes bigi
nt qso
rt
sha
512 norx
dhry
ston
e0
10
20
30
La
te
nc
y 
(s
) base (other)base (user)
kystn (other)
kystn (eapp)
kystn-cache (other)
kystn-cache (eapp)
Figure 9. Total execution time comparison for the RV8 bench-
marks. Each bar consists of the duration of the application (user
or eapp), and the other overheads (other). Keystone (Keystone)
and Keystone with cache partitioning plugin (Keystone-cache)
are compared with the native execution in Linux (base).
Overhead (%) # of Page
Plugins ∅ C O, P O, P, E Faults
Adversary ASW ,Cntr l ASW ,SC ASW ,SC ASW ,SC,PhyC (O, P)
primes -0.9 40.5 65475.5 * 66 × 106
miniz 0.1 128.5 80.2 615.5 18341
aes -1.1 66.3 1471.0 4552.7 59716
bigint -0.1 1.6 0.4 12.0 168
qsort -2.8 -1.3 12446.3 26832.3 285147
sha512 -0.1 0.3 -0.1 -0.2 0
norx 0.1 0.9 2590.1 7966.4 58834
dhrystone -0.2 0.3 -0.2 0.2 0
Table 5. Overhead of various plugins on RV8 benchmarks over
native execution. ∅: no plugin, C: cache partitioning, O: on-chip
scratch pad execution (1MB), P: enclave self-paging, E: software-
based memory encryption. *: does not complete in ~10 hrs.
IOZone. All the target files are located on the untrusted
host and we tunnel the I/O system calls to the host applica-
tion. Figure 8 shows the throughput plots of common file-
content access patterns. Keystone experiences expected high
throughput loss for both write (avg. 36.2%) and read (avg.
40.9.%). There are three factors contributing to the overhead:
(a) all the data crossing the privilege boundary is copied an
additional time via the untrusted buffer, (b) each call requires
the RT to go through the edge call interface, incurring a con-
stant overhead, and (c) the untrusted buffer contends in the
cache with the file buffers, incurring an additional through-
put loss on re-write (avg. 38.0%), re-read (avg. 41.3%), and
record re-write (avg. 55.1%) operations. Since (b) is a fixed
cost per system call, it increases the overhead for the smaller
record sizes.
Cache Partitioning. Themix of pure-CPU and largeworking-
set benchmarks in RV8 are ideal to demonstrate cache parti-
tioning impact. For this experiment, we grant 8 of the 16ways
in the FU540 L2 cache to the enclave during execution (see
Figure 9). Small working-set tests show low overheads from
cache flush on context switches, whereas large working-set
tests (primes, miniz, and aes) show up to 128.19% overhead
due to a smaller effective cache. The enclave initialization
latency is unaffected.
Physical Attacker Protections. We ran theRV8 suite with
our on-chip execution plugins, enclave self-paging, page
encryption, and a DRAM backing page store (Table 5). A
few eapps (sha512, dhrystone), which fit in the 1MB on-
chip memory, incurs no overhead and are protected even
from APhy . For the larger working-set-size eapps, the pag-
ing overhead increases depending on the memory access
pattern. For example, primes incurs the largest amount of
page faults because it allocates and randomly accesses a
4MB buffer causing a page fault for almost every memory
access. Software-based memory encryption adds 2−4×more
overhead to page faults. These overheads can be alleviated
by the Keystone framework if a larger on-chip memory or
dedicated hardware memory encryption engine is available
as we discussed in Section 5.
8.3 Case Studies
We demonstrate how Keystone can be adapted for a var-
ied set of devices, workloads, and application complexities
with three case-studies: (a) machine learning workloads for
the client and server-side usage, (b) a cryptographic library
porting effort for varied RTs, (c) a small secure computation
application written natively for Keystone. The evaluation
for these case-studies was performed on the HiFive board.
Porting Efforts & Setup. We used the unmodified applica-
tion code logic, hard-coded all the configurations and argu-
ments for simplicity, and statically linked the binaries against
glibc or musl libc supported in the Eyrie RT. We ported
the widely used cryptographic library libsodium to both
Eyrie and seL4 RT trivially.
Case-study 1: SecureML Inference with Torch and Eyrie.
We ran nine Torch-based models of increasing sizes with
Eyrie on the Imagenet dataset [58] (see Table 6). They com-
prise 15.7 and 15.4KLoC of TH [13] and THNN [16] libraries
from Torch compiled with musl libc. Each model has an ad-
ditional 230 to 13.4KLoC ofmodel-specific inference code [133].
We performed two sets of experiments: (a) execute the model
inference code with static maximum enclave size; (b) turn
on the dynamic resizing plugin so that the enclave extends
its size on-demand when it executes. Figure 10 shows the
performance overheads for these two configurations and
non-enclaved execution baseline.
Initialization Overhead. is noticeably high for both static
size and dynamic resizing. It is proportional to the eapp bi-
nary size due to enclave page hashing. Dynamic resizing
reduces the initialization latency by 2.9% on average as the
RT does not map free memory during enclave creation.
eapp Execution Overhead.We report an overhead between
−3.12%(LeNet) to 7.35%(Densenet) for all the models with
both static enclave size and dynamic resizing. The cause for
this is: (a) Keystone loads the entire binary in physical mem-
ory before it beings eapp execution, precluding any page
faults for zero-fill-on-demand or similar behavior, so smaller
12
Keystone
Model # ofLayers
# of
Param
App
LOC
Binary
Size
Memory
Usage
Wideresnet 93 36.5M 1625 140MB 384MB
Resnext29 102 34.5M 1910 123MB 394MB
Inceptionv3 313 27.2M 5359 92MB 475MB
Resnet50 176 25.6M 3094 98MB 424MB
Densenet 910 8.1M 13399 32MB 570MB
VGG19 55 20.0M 1088 77MB 165MB
Resnet110 552 1.7M 9528 7MB 87MB
Squeezenet 65 1.2M 914 5MB 52MB
LeNet 12 62K 230 0.4MB 2MB
Table 6. Summary of the Torch Models. The model specification,
workload characteristics, binary object size, and the total enclave
memory usage.
wid
eres
net
resn
ext2
9
ince
ptio
nv3
resn
et50
den
sen
et
vgg
19
resn
et11
0
squ
eez
ene
t
lene
t0
200
400
600
La
te
nc
y 
(s
) base (other)base (user)
kystn (other)
kystn (eapp)
kystn-dyn (other)
kystn-dyn (eapp)
Figure 10. Comparison of inferencing duration for various Torch
models with and without dynamic resizing. Each bar consists of the
duration of the application (user or eapp), and the other overheads
(other). Keystone (Keystone) and Keystone with the dynamic resiz-
ing plugin (Keystone-dyn) are compared with the native execution
in Linux (base).
sized networks like LeNet execute faster in Keystone; (b) the
overhead is primarily proportional to the number of layers
in the network, as more layers results in more memory al-
locations and increase the number of mmap and brk syscalls.
We used a small hand-coded test to verify that Eyrie RT’s
custom mmap is slower than the baseline kernel and incurs
overheads. So Densenet, which has the maximum number of
layers (910), suffers from larger performance degradation. In
summary, for long-running eapps, Keystone incurs a fixed
one-time startup cost and the dynamic resizing plugin is
indeed useful for larger eapps.
Case-study 2: Secure ML with FANN and seL4. Keystone
can be used for small devices such as IoT sensors and cameras
to train models locally as well as flag events with model
inference. We ran FANN, a minimal (8KLoC C/C++) eapp
for embedded devices with the seL4 RT to train and test a
simple XOR network. The end-to-end execution overhead is
0.36% over running in seL4 without Keystone.
Case-study 3: Secure Remote Computation. We designed
and implemented a secure server eapp (and remote client) to
count the number of words in a given message. We executed
it with Eyrie and no plugins. It performs attestation, uses
libsodium to bind a secure channel to the attestation report,
then polls the host application for encrypted messages using
edge-calls, processes them inside the enclave, and returns an
encrypted reply to be sent to the client. The eapp consists of
the secure channel code using libsodium (60 LoC), the edge-
wrapping interface (45 LoC), and other logic (60 LoC). The
host is 270 LoC and the remote client is 280 LoC. Keystone
takes 45K cycles for a round-trip with an empty message,
secure channel, and message passing overheads. It takes 47K
cycles between the host getting a message and the enclave
notifying the host to reply.
9 Related Work
Keystone is the first framework for customizing TEEs. Here,
we survey existing TEEs and alternative approaches.
TEE Architectures & Extensions. We summarize the de-
sign choices of the most recent TEEs and their extensions
in Table 1. Of these, three major TEEs are closely related to
Keystone: (a) Intel Software Guard Extension (SGX) executes
user-level code in an isolated virtual address space backed by
encrypted RAM pages [96]; (b) ARM TrustZone divides the
memory into two worlds (i.e., normal vs. secure) to run appli-
cations in protected memory [24]; and (c) Sanctum uses the
memory management unit (MMU) and cache partitioning to
isolate memory and prevent cache side-channel attacks [54].
Several other TEEs explore design layers such as hypervi-
sors [30, 45, 48, 52, 63, 74, 81, 89, 93, 131, 140, 142], physical
memory [35, 42, 86, 88, 94, 110, 119], virtual memory [36, 50,
55, 60, 120], and process isolation [56, 64, 113, 117, 130, 132].
Re-purposing Existing TEEs for Modularity. One way to
meet Keystone design goals is to reuse the TEE solutions
available on commodity CPUs. For each of these TEEs, it
is possible to enable a subset of programming constructs
(e.g., threading, dynamic loading of binaries) by including a
software management component inside the enclave [7, 11,
14, 31, 43]. On the other hand, all of the existing TEEs are
hardware extensions which are designed and implemented
by the CPU manufacturer. Thus, they do not allow users to
access the programmable interface at a layer underneath the
untrusted OS. One way to simulate the programmable layer
is by adding a trusted hypervisor layer which then executes
an untrusted OS, but this approach inflates the TCB. Lastly,
none of these potential designs allow for adapting to threat
models and workloads.
Differences from Trusted Hypervisor Keystone executes
the enclave logic in the supervisor mode (RT) and the user
mode (eapp), while the machine mode code (SM) merely
checks and enforces isolation boundaries. Although Key-
stone may seem similar to a trusted hypervisor, it does not
implement or perform any resource management, virtual-
ization, or scheduling in the SM. It merely checks if the
untrusted OS and the enclave (RT, eapp) are managing the
13
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
shared resources correctly. Thus, Keystone SM is more anal-
ogous to a reference monitor [21, 70].
TEE Support. Several existing works enhance existing TEE
platforms. At the SM layer they optimize program-critical
tasks [29, 54, 120], at RT they target portability, function-
ality, security [4, 6, 7, 14, 25, 31, 43, 65, 101, 105, 124, 135],
and at eapp layer they reduce the developer efforts [27, 28].
Although these systems are a fixed configuration in the TEE
design space, they provide valuable lessons for Keystone
feature design and future optimization.
Enhancing the Security of TEEs. Better and secure TEE
design has been a long-standing goal, with advocacy for
security-by-design [76, 112]. We point out that Keystone is
not vulnerable to a large class of side-channel attacks [40, 123,
137] by design, while speculative execution attacks [39, 85]
are limited to out-of-order RISC-V cores (e.g., BOOM) and
do not affect most SOC implementations (e.g., Rocket). Key-
stone can re-use known cache side-channel defenses [35, 83]
as we demonstrated in Section 5.2. Lastly, Keystone can ben-
efit from various RISC-V proposals underway to secure IO
operations with PMP [111]. Thus, Keystone either eliminates
classes of attacks or allows integration with existing tech-
niques.
Formally Verified Hardware & Software. TEE-like guar-
antees can be achieved orthogonally by a hardware and soft-
ware stack which is formally verified as resistant against all
classes of attacks that TEEs prevent. A careful and ground-up
design with verified components [18, 19, 23, 33, 34, 46, 51,
57, 62, 71, 73, 84, 90, 103, 116, 136, 139] may provide stronger
guarantees, and Keystone can help to explore designs which
combine these with hardware protection [61, 129].
10 Conclusion
We present Keystone, the first framework for customizable
TEEs. With our modular design, we showcase the use of
Keystone for several standard benchmarks and applications
on illustrative RTs and various deployments platforms. Key-
stone can serve as a framework for research and prototyping
better TEE designs.
Acknowledgments
We thank Srini Devdas and Ilia Lebedev for sharing the Sanc-
tum codebase and initial discussions. We thank Alexander
Thomas and Stephan Kaminsky for their help in building
Keystone and Jerry Zhao for help in running Keystone on
BOOM. Thanks to the members of UCB BAR for their help
with the SiFive HiFive Freedom Unleashed and FireSim setup.
We thank Paul Kocher and Howard Wu for their feedback
on the early versions of this draft. Thanks to the Privado
team at Microsoft Research for sharing the torch code for
our case-study. This material is in part based upon work sup-
ported by the National Science Foundation under Grant No.
TWC-1518899 and DARPA N66001-15-C-4066. Any opinions,
findings, and conclusions or recommendations expressed in
this material are those of the author(s) and do not neces-
sarily reflect the views of the National Science Foundation.
Research partially funded by RISE Lab sponsor Amazon Web
Services, ADEPT Lab industrial sponsors and affiliates Intel,
HP, Huawei, NVIDIA, and SK Hynix. Any opinions, findings,
conclusions, or recommendations in this paper are solely
those of the authors and do not necessarily reflect the posi-
tion or the policy of the sponsors.
References
[1] Basic implementations of standard cryptography algorithms. https:
//github.com/B-Con/crypto-algorithms.
[2] cloc - count lines of code. https://github.com/AlDanial/cloc.
[3] HiFive Unleashed - SiFive. https://www.sifive.com/boards/hifive-
unleashed.
[4] MesaTEE: A Trustworthy Memory-safe Distributed Computing
Tramework. https://mesatee.org/.
[5] MultiZone Hex Five Security âĂŞ The 1st Trusted Execution Envi-
ronment for RISC-V. https://hex-five.com/.
[6] Open enclave sdk. https://openenclave.io/sdk/.
[7] Open Portable Trusted Execution Environment - OP-TEE. https:
//www.op-tee.org/.
[8] Portable C Implementation of Ed25519, A high-speed high-security
public-key signature system. https://github.com/mit-sanctum/
ed25519.
[9] Proof of elapsed time (poet) 1.0 specification âĂŤ sawtooth v1.0.5 doc-
umentation. https://sawtooth.hyperledger.org/docs/core/releases/
1.0/architecture/poet.html.
[10] RISC-V Proxy Kernel and Boot Loader. https://github.com/riscv/riscv-
pk.
[11] SierraTEE Virtualization for ARM TrustZone and MIPS. https://
www.sierraware.com/open-source-ARM-TrustZone.html.
[12] Keystone Source Code Release. https://keystone-enclave.org/.
[13] Standalone C TH library. C/CPU implementation of Tensors. https:
//github.com/torch/TH.
[14] T6 - Secure OS and TEE. https://www.trustkernel.com/en/products/.
[15] Tiny SHA3. https://github.com/mjosaarinen/tinysha3/.
[16] Torch/nn gathers nn’s c implementations of neural network modules.
https://github.com/torch/nn/tree/master/lib/THNN.
[17] unifdef. http://dotat.at/prog/unifdef/.
[18] Sidney Amani, Alex Hixon, Zilin Chen, Christine Rizkallah, Peter
Chubb, Liam O’Connor, Joel Beeren, Yutaka Nagashima, Japheth
Lim, Thomas Sewell, Joseph Tuong, Gabriele Keller, Toby Murray,
Gerwin Klein, and Gernot Heiser. Cogent: Verifying high-assurance
file system implementations. ISCA’16.
[19] Abhishek Anand, Andrew Appel, Greg Morrisett, Zoe
Paraskevopoulou, Randy Pollack, Olivier Savary Belanger,
Matthieu Sozeau, and MatthewWeaver. Certicoq: A verified compiler
for coq. CoqPL’17.
[20] Ittai Anati, Shay Gueron, Simon P Johnson, and Vincent R Scarlata.
Innovative Technology for CPU Based Attestation and Sealing. In
HASP, 2013.
[21] James P Anderson. Computer security technology planning study.
Technical report, Anderson (James P) and Co Fort Washington PA,
1972.
[22] Krste Asanović Andrew Waterman. The RISC-V Instruction Set
Manual Volume II: Privileged Architecture. https://content.riscv.org/
wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf, May 2017.
14
Keystone
[23] Andrew W. Appel, Lennart Beringer, Adam Chlipala, Benjamin C.
Pierce, Zhong Shao, Stephanie Weirich, and Steve Zdancewic. Po-
sition paper: the science of deep specification. Philosophical Trans-
actions of the Royal Society of London A: Mathematical, Physical and
Engineering Sciences, 375(2104), 2017.
[24] ARM. ARM Security Technology - Building a Secure System using
TrustZone Technology. ARM Technical White Paper. 2013.
[25] Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre
Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Daniel
O’Keeffe, Mark L Stillwell, David Goltzsche, Dave Eyers, Rüdiger
Kapitza, Peter Pietzuch, and Christof Fetzer. SCONE: Secure Linux
Containers with Intel SGX. In OSDI, 2016.
[26] Krste Asanović, Rimas Avizienis, Jonathan Bachrach, Scott Beamer,
David Biancolin, Christopher Celio, Henry Cook, Daniel Dabbelt,
John Hauser, Adam Izraelevitz, Sagar Karandikar, Ben Keller, Dong-
gyu Kim, John Koenig, Yunsup Lee, Eric Love, Martin Maas, Albert
Magyar, Howard Mao, Miquel Moreto, Albert Ou, David A. Patterson,
Brian Richards, Colin Schmidt, Stephen Twigg, Huy Vo, and Andrew
Waterman. The rocket chip generator. (UCB/EECS-2016-17), Apr
2016.
[27] Pierre-Louis Aublin, Florian Kelbert, Dan O’Keeffe, Divya Muthuku-
maran, Christian Priebe, Joshua Lind, Robert Krahn, Christof Fetzer,
David Eyers, and Peter Pietzuch. Libseal: Revealing service integrity
violations using trusted execution. In EuroSys, 2018.
[28] Pierre-Louis Aublin, Florian Kelbert, Dan O’Keeffe, Divya Muthuku-
maran, Christian Priebe, Joshua Lind, Robert Krahn, Christof Fetzer,
David M. Eyers, and Peter R. Pietzuch. Talos : Secure and transparent
tls termination inside sgx enclaves. 2017.
[29] Ahmed M. Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar,
Guruprasad Ganesh, Jia Ma, and Wenbo Shen. Hypervision across
worlds: Real-time kernel protection from the arm trustzone secure
world. In CCS, 2014.
[30] Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang, Xiaolan Zhang,
and Nathan C. Skalsky. Hypersentry: Enabling stealthy in-context
measurement of hypervisor integrity. In CCS, 2010.
[31] Andrew Baumann, Marcus Peinado, and Galen Hunt. Shielding
Applications from an Untrusted Cloud with Haven. In OSDI, 2014.
[32] Iddo Bentov, Yan Ji, Fan Zhang, Yunqi Li, Xueyuan Zhao, Lorenz
Breidenbach, Philip Daian, and Ari Juels. Tesseract: Real-time cryp-
tocurrency exchange using trusted hardware. ePrint Archive, Report
2017/1153, 2017.
[33] Karthikeyan Bhargavan, Barry Bond, Antoine Delignat-Lavaud, CÃľ-
dric Fournet, Chris Hawblitzel, Catalin Hritcu, Samin Ishtiaq, Markulf
Kohlweiss, Rustan Leino, Jay Lorch, Kenji Maillard, Jinyang Pang,
Bryan Parno, Jonathan Protzenko, Tahina Ramananandro, Ashay
Rane, Aseem Rastogi, Nikhil Swamy, Laure Thompson, Peng Wang,
Santiago Zanella-Beguelin, and Jean-Karim ZinzindohouÃľ. Everest:
Towards a verified, drop-in replacement of HTTPS. In Summit on
Advances in Programming Languages (SNAPL), 2017.
[34] Barry Bond, Chris Hawblitzel, Manos Kapritsos, K. Rustan M. Leino,
Jacob R. Lorch, Bryan Parno, Ashay Rane, Srinath Setty, and Laure
Thompson. Vale: Verifying high-performance cryptographic assem-
bly code. In USENIX Security, August 2017.
[35] Thomas Bourgeat, Ilia A. Lebedev, Andrew Wright, Sizhuo Zhang,
Arvind, and Srinivas Devadas. MI6: secure enclaves in a speculative
out-of-order processor. 2018.
[36] Ferdinand Brasser, David Gens, Patrick Jauernig, Ahmad-Reza
Sadeghi, and Emmanuel Stapf. Sanctuary: Arming trustzone with
user-space enclaves. In NDSS, 2019.
[37] Stefan Brenner, Colin Wulf, David Goltzsche, Nico Weichbrodt,
Matthias Lorenz, Christof Fetzer, Peter Pietzuch, and Rüdiger Kapitza.
Securekeeper: Confidential zookeeper using intel sgx. In Middleware,
2016.
[38] Ernie Brickell, Jan Camenisch, and Liqun Chen. Direct anonymous
attestation. In CCS, 2004.
[39] Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris
Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval
Yarom, and Raoul Strackx. Foreshadow: Extracting the keys to the
intel SGX kingdom with transient out-of-order execution. In USENIX
Security, 2018.
[40] Jo Van Bulck, Nico Weichbrodt, Rüdiger Kapitza, Frank Piessens, and
Raoul Strackx. Telling your secrets without page faults: Stealthy page
table-based attacks on enclaved execution. In USENIX, 2017.
[41] Christopher Celio, David A. Patterson, and Krste Asanović. The berke-
ley out-of-order machine (boom): An industry-competitive, synthe-
sizable, parameterized risc-v processor. Technical Report UCB/EECS-
2015-167, Jun 2015.
[42] D. Champagne and R. B. Lee. Scalable architectural support for
trusted software. In HPCA, 2010.
[43] Chia che Tsai, Donald E. Porter, and Mona Vij. Graphene-sgx: A
practical library OS for unmodified applications on SGX. In USENIX
ATC, 2017.
[44] Stephen Checkoway and Hovav Shacham. Iago attacks: Why the
System Call API is a Bad Untrusted RPC Interface. In ASPLOS, 2013.
[45] Haibo Chen, Fengzhe Zhang, Cheng Chen, Ziye Yang, Rong Chen,
Binyu Zang, and Wenbo Mao. Tamper-Resistant Execution in an
Untrusted Operating System Using A Virtual Machine Monitor, 2007.
[46] Hao Chen, Xiongnan (Newman) Wu, Zhong Shao, Joshua Lockerman,
and Ronghui Gu. Toward compositional verification of interruptible
os kernels and device drivers. PLDI ’16.
[47] Xi Chen, Robert P Dick, and Alok Choudhary. Operating system con-
trolled processor-memory bus encryption. In 2008 Design, Automation
and Test in Europe, pages 1154–1159. IEEE, 2008.
[48] Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrah-
manyam, Carl A. Waldspurger, Dan Boneh, Jeffrey Dwoskin, and
Dan R.K. Ports. Overshadow: A Virtualization-Based Approach to
Retrofitting Protection in Commodity Operating Systems. In ASPLOS,
2008.
[49] R. Cheng, F. Zhang, J. Kos, W. He, N. Hynes, N. Johnson, A. Juels,
A. Miller, and D. Song. Ekiden: A Platform for Confidentiality-
Preserving, Trustworthy, and Performant Smart Contract Execution.
ArXiv e-prints, 2018.
[50] Siddhartha Chhabra, Brian Rogers, Yan Solihin, and Milos Prvulovic.
SecureME: A Hardware-software Approach to Full System Security.
In ICS, 2011.
[51] Joonwon Choi, Muralidaran Vijayaraghavan, Benjamin Sherman,
Adam Chlipala, and Arvind. Kami: A platform for high-level paramet-
ric hardware specification and its modular verification. Proc. ACM
Program. Lang., 1(ICFP), 2017.
[52] Patrick Colp, Mihir Nanavati, Jun Zhu, William Aiello, George Coker,
Tim Deegan, Peter Loscocco, and Andrew Warfield. Breaking up is
hard to do: Security and functionality in a commodity hypervisor. In
SOSP, 2011.
[53] Victor Costan and Srinivas Devadas. Intel sgx explained. Cryptology
ePrint Archive, Report 2016/086, 2016. http://eprint.iacr.org/2016/
086.
[54] Victor Costan, Ilia Lebedev, and Srinivas Devadas. Sanctum: Minimal
hardware extensions for strong software isolation. InUSENIX Security,
2016.
[55] John Criswell, Nathan Dautenhahn, and Vikram Adve. Virtual ghost:
Protecting applications from hostile operating systems. In ASPLOS,
2014.
[56] Mark Horowitz David Lie, Chandramohan A. Thekkath. Implement-
ing an Untrusted Operating System on Trusted Hardware. In SOSP,
2003.
[57] Brooks Davis, Robert N. M. Watson, Alexander Richardson, Peter G.
Neumann, Simon W. Moore, John Baldwin, David Chisnall, James
Clarke, Nathaniel Wesley Filardo, Khilan Gudka, Alexandre Joannou,
15
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
Ben Laurie, A. Theodore Markettos, J. Edward Maste, Alfredo Mazz-
inghi, Edward Tomasz Napierala, Robert M. Norton, Michael Roe,
Peter Sewell, Stacey Son, and JonathanWoodruff. Cheriabi: Enforcing
valid pointer provenance and minimizing pointer privilege in the
posix c run-time environment. In ASPLOS, 2019.
[58] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei. ImageNet:
A Large-Scale Hierarchical Image Database. In CVPR09, 2009.
[59] Tien Tuan Anh Dinh, Prateek Saxena, Ee-Chien Chang, Beng Chin
Ooi, and Chunwang Zhang. M2R: Enabling Stronger Privacy in
MapReduce Computation. In USENIX Security, 2015.
[60] D. Evtyushkin, J. Elwell, M. Ozsoy, D. Ponomarev, N. A. Ghazaleh,
and R. Riley. Iso-x: A flexible architecture for hardware-managed
isolated execution. In MICRO, 2014.
[61] Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, and Bryan
Parno. Komodo: Using verification to disentangle secure-enclave
hardware from software. In SOSP, 2017.
[62] Aymeric Fromherz, Nick Giannarakis, Chris Hawblitzel, Bryan Parno,
Aseem Rastogi, and Nikhil Swamy. A verified, efficient embedding
of a verifiable assembly language. In POPL, 2019.
[63] Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan
Boneh. Terra: A Virtual Machine-based Platform for Trusted Com-
puting. In SOSP, 2003.
[64] Tal Garfinkel, Ben Pfaff, and Mendel Rosenblum. Ostia: A Delegating
Architecture for Secure System Call Interposition. In NDSS, 2003.
[65] Tal Garfinkel, Mendel Rosenblum, and Dan Boneh. Flexible os support
and applications for trusted computing. In HOTOS, 2003.
[66] Qian Ge, Yuval Yarom, David Cock, and Gernot Heiser. A survey of
microarchitectural timing attacks and countermeasures on contem-
porary hardware. Journal of Cryptographic Engineering, 2018.
[67] David Goltzsche, Signe Rüsch, Manuel Nieke, Sébastien Vaucher,
NicoWeichbrodt, Valerio Schiavoni, Pierre-Louis Aublin, Paolo Costa,
Christof Fetzer, Pascal Felber, Peter R. Pietzuch, and Rüdiger Kapitza.
Endbox: Scalable middlebox functions using client-side trusted exe-
cution. In DSN, 2018.
[68] Deli Gong, Muoi Tran, Shweta Shinde, Hao Jin, Vyas Sekar, Prateek
Saxena, and Min Suk Kang. Practical Verifiable In-network Filtering
for DDoS defense. In ICDCS, 2019.
[69] Abraham Gonzalez, Ben Korpan, Jerry Zhao, Ed Younis, and Krste
AsanoviÄĞ. Replicating and Mitigating Spectre Attacks on a Open
Source RISC-V Microarchitecture. In Third Workshop on Computer
Architecture Research with RISC-V (CARRV), 2019.
[70] G. Scott Graham and Peter J. Denning. Protection: Principles and
practice. In Spring Joint Computer Conference, AFIPS, 1972.
[71] Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim,
Vilhelm Sjöberg, and David Costanzo. Certikos: An extensible archi-
tecture for building certified concurrent os kernels. OSDI’16.
[72] Shay Gueron. A memory encryption engine suitable for general
purpose processors. Cryptology ePrint Archive, Report 2016/204,
2016.
[73] Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan
Parno, Danfeng Zhang, and Brian Zill. Ironclad apps: End-to-end
security via automated full-system verification. In USENIX OSDI,
2014.
[74] Owen S. Hofmann, Sangman Kim, Alan M. Dunn, Michael Z. Lee,
and Emmett Witchel. InkTag: Secure Applications on an Untrusted
Operating System. In ASPLOS, 2013.
[75] R. Housley, W. Polk, W. Ford, and D. Solo. Internet x.509 public key
infrastructure certificate and certificate revocation list (crl) profile,
2002.
[76] Galen Hunt, George Letey, and Ed Nightingale. The seven properties
of highly secure devices. Technical report, March 2017.
[77] Simon Johnson, Vinnie Scarlata, Carlos Rozas, Ernie Brickell, and
Frank Mckeen. Intel software guard extensions: Epid provisioning
and attestation services, 2016.
[78] David Kaplan. Protecting VM Register State with SEV-
ES. http://support.amd.com/TechDocs/Protecting%20VM%
20Register%20State%20with%20SEV-ES.pdf, 2017.
[79] David Kaplan, Jeremy Powell, and TomWoller. AMDMemory Encryp-
tion. http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/
2013/12/AMDMemoryEncryptionWhitepaperv7-Public.pdf, 2016.
[80] Sagar Karandikar, Howard Mao, Donggyu Kim, David Biancolin,
Alon Amid, Dayeol Lee, Nathan Pemberton, Emmanuel Amaro, Colin
Schmidt, Aditya Chopra, Qijing Huang, Kyle Kovacs, Borivoje Nikolic,
Randy Katz, Jonathan Bachrach, and Krste Asanović. Firesim: Fpga-
accelerated cycle-exact scale-out system simulation in the public
cloud. In ISCA, 2018.
[81] Eric Keller, Jakub Szefer, Jennifer Rexford, and Ruby B. Lee. No-
Hype: Virtualized Cloud Infrastructure without the Virtualization.
In Proceedings of International Symposium on Computer Architecture,
2010.
[82] Pierre Selwan Ken Irving. Revolutionizing the comput-
ing landscape and beyond. https://content.riscv.org/wp-
content/uploads/2018/12/RISC-V-MultiCore-Secure-Boot-Ken-
Irvining-and-Pierre-Selwan.pdf, December 2018.
[83] Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas De-
vadas, and Joel Emer. Dawg: A defense against cache timing attacks
in speculative execution processors. In MICRO, 2018.
[84] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick,
David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt,
Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and
Simon Winwood. sel4: Formal verification of an os kernel. In SOSP,
2009.
[85] Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike
Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael
Schwarz, and Yuval Yarom. Spectre attacks: Exploiting speculative
execution. 2018.
[86] Patrick Koeberl, Steffen Schulz, Ahmad-Reza Sadeghi, and Vijay
Varadharajan. Trustlite: A security architecture for tiny embedded
devices. In EuroSys, 2014.
[87] Ilia Lebedev, Kyle Hogan, and Srinivas Devadas. Secure Boot and
Remote Attestation in the Sanctum Processor. In CSF, 2018.
[88] Ilia A. Lebedev, Kyle Hogan, Jules Drean, David Kohlbrenner, Dayeol
Lee, Krste Asanovic, Dawn Song, and Srinivas Devadas. Sanctorum:
A lightweight security monitor for secure enclaves. IACR Cryptology
ePrint Archive, 2019.
[89] Ruby B. Lee, Peter C. S. Kwan, John P. McGregor, Jeffrey Dwoskin,
and Zhenghong Wang. Architecture for Protecting Critical Secrets
in Microprocessors. SIGARCH Comput. Archit. News, 2005.
[90] Xavier Leroy. Formal verification of a realistic compiler.
[91] X. Li, H. Hu, G. Bai, Y. Jia, Z. Liang, and P. Saxena. Droidvault: A
trusted data vault for android devices. In ICECCS, 2014.
[92] Joshua Lind, Ittay Eyal, Florian Kelbert, Oded Naor, Peter R. Pietzuch,
and Emin Gün Sirer. Teechain: Scalable Blockchain Payments using
Trusted Execution Environments. CoRR, abs/1707.05454, 2017.
[93] Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam
Datta, Virgil Gligor, and Adrian Perrig. TrustVisor: Efficient TCB
Reduction and Attestation. In IEEE S&P, 2010.
[94] JonathanM.McCune, Bryan J. Parno, Adrian Perrig, Michael K. Reiter,
and Hiroshi Isozaki. Flicker: An Execution Infrastructure for TCB
Minimization. SIGOPS Oper. Syst. Rev., 2008.
[95] Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon
Johnson, Rebekah Leslie-Hurd, and Carlos Rozas. Intel software
guard extensions support for dynamic memory management inside
an enclave. In HASP, 2016.
[96] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas,
Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. In-
novative Instructions and Software Model for Isolated Execution. In
HASP, 2013.
16
Keystone
[97] Ralph C Merkle. A digital signature based on a conventional en-
cryption function. In Conference on the theory and application of
cryptographic techniques, pages 369–378. Springer, 1987.
[98] Mitar Milutinovic, Warren He, Howard Wu, and Maxinder Kanwal.
Proof of luck: an efficient blockchain consensus protocol. CoRR,
abs/1703.05435, 2017.
[99] Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz,
Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank
Piessens, and Yuval Yarom. Fallout: Reading kernel writes from
user space. 2019.
[100] Keaton Mowery, Michael Wei, David Kohlbrenner, Hovav Shacham,
and Steven Swanson. Welcome to the entropics: Boot-time entropy
in embedded devices. In IEEE S&P, 2013.
[101] Jason Garms Nelly Porter. Advancing confidential com-
puting with asylo and the confidential computing chal-
lenge. https://cloud.google.com/blog/products/identity-
security/advancing-confidential-computing-with-asylo-and-
the-confidential-computing-challenge, feb 2019.
[102] Luke Nelson, James Bornholt, Ronghui Gu, Andrew Baumann, Em-
ina Torlak, and Xi Wang. Serval: Scaling Symbolic Evaluation for
Automated Verification of Systems Code. In SOSP, 2019.
[103] Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson,
James Bornholt, Emina Torlak, and Xi Wang. Hyperkernel: Push-
button verification of an os kernel. SOSP ’17.
[104] Khang T Nguyen. Introduction to Cache Allocation Tech-
nology in the IntelÂő XeonÂő Processor E5 v4 Family.
https://software.intel.com/en-us/articles/introduction-to-cache-
allocation-technology, Feb 2016.
[105] Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, An-
thony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid
Verbauwhede, and Frank Piessens. Sancus: Low-cost trustworthy
extensible networked devices with a zero-software trusted computing
base. In USENIX Security, 2013.
[106] Olga Ohrimenko, Felix Schuster, Cedric Fournet, Aastha Mehta, Se-
bastian Nowozin, Kapil Vaswani, and Manuel Costa. Oblivious multi-
party machine learning on trusted processors. In USENIX Security,
2016.
[107] Oleksii Oleksenko, Bohdan Trach, Robert Krahn, Mark Silberstein,
and Christof Fetzer. Varys: Protecting SGX enclaves from practical
side-channel attacks. In USENIX ATC, 2018.
[108] Meni Orenbach, Pavel Lifshits, Marina Minkin, and Mark Silberstein.
Eleos: Exitless os services for sgx enclaves. EuroSys, 2017.
[109] Meni Orenbach, Yan Michalevsky, Christof Fetzer, and Mark Silber-
stein. Cosmix: A compiler-based system for secure memory instru-
mentation and execution in enclaves. In USENIX ATC, 2019.
[110] Emmanuel Owusu, Jorge Guajardo, Jonathan McCune, Jim Newsome,
Adrian Perrig, and Amit Vasudevan. Oasis: On achieving a sanctuary
for integrity and secrecy on untrusted platforms. In CCS, 2013.
[111] Nate Graff Palmer Dabbelt. SiFive’s Trusted Execution Reference Plat-
form. https://content.riscv.org/wp-content/uploads/2018/12/SiFives-
Trusted-Execution-Reference-Platform-Palmer-Dabbelt-1-1.pdf,
December 2018.
[112] Bryan Parno, Jonathan M. McCune, and Adrian Perrig. Bootstrapping
trust in commodity computers. In IEEE S&P, 2010.
[113] Donald E. Porter, Silas Boyd-Wickizer, Jon Howell, Reuben Olinsky,
and Galen C. Hunt. Rethinking the Library OS from the Top Down.
In ASPLOS, 2011.
[114] Dan R. K. Ports and Tal Garfinkel. Towards Application Security on
Untrusted Operating Systems. In HOTSEC, 2008.
[115] Christian Priebe, Kapil Vaswani, and Manuel Costa. Enclavedb - a
secure database using sgx. In IEE S&P, 2018.
[116] Jonathan Protzenko, Bryan Parno, Aymeric Fromherz, Chris Haw-
blitzel, Marina Polubelova, Karthikeyan Bhargavan, Benjamin Beur-
douche, Joonwon Choi, Antoine Delignat-Lavaud, Cedric Fournet,
Tahina Ramananandro, Aseem Rastogi, Nikhil Swamy, Christoph
Wintersteiger, and Santiago Zanella-Beguelin. Evercrypt: A fast,
verified, cross-platform cryptographic provider. Technical Report
2019/757, ePrint, July 2019.
[117] Rick Boivie. SecureBlue++: CPU Support for Secure Execution. 2012.
[118] B. Rogers, S. Chhabra, M. Prvulovic, and Y. Solihin. Using address
independent seed encryption and bonsai merkle trees to make secure
processors os- and performance-friendly. In MICRO 2007, 2007.
[119] Brian Rogers, Siddhartha Chhabra, Milos Prvulovic, and Yan Solihin.
Using Address Independent Seed Encryption and Bonsai Merkle Trees
to Make Secure Processors OS- and Performance-Friendly. InMICRO,
2007.
[120] Samuel Weiser and Mario Werner and Ferdinand Brasser and Maja
Malenko and Stefan Mangard and Ahmad-Reza Sadeghi. TIMBER-V:
Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V. In
NDSS, 2019.
[121] Felix Schuster, Manuel Costa, Cedric Fournet, Christos Gkantsidis,
Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich. VC3:
Trustworthy Data Analytics in the Cloud. In IEEE S&P, 2015.
[122] Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian
Stecklina, Thomas Prescher, and Daniel Gruss. ZombieLoad: Cross-
privilege-boundary data sampling. arXiv:1905.05726, 2019.
[123] Shweta Shinde, Zheng Leong Chua, Viswesh Narayanan, and Prateek
Saxena. Preventing page faults from telling your secrets. ASIACCS’16.
[124] Shweta Shinde, Dat Le Tien, Shruti Tople, and Prateek Saxena.
Panoply: Low-TCB Linux Applications With SGX Enclaves. In NDSS,
2017.
[125] Shweta Shinde, Shengi Wang, Pinghai Yuan, Aquinas Hobor, Abhik
Roychoudhury, and Prateek Saxena. BesFS: Mechanized Proof of an
Iago-Safe Filesystem for Enclaves. ArXiv e-prints, July 2018.
[126] Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James
Bornholt, Emina Torlak, and Xi Wang. Nickel: A framework for
design and verification of information flow control systems. In OSDI,
2018.
[127] Rohit Sinha, Manuel Costa, Akash Lal, Nuno Lopes, Sanjit Seshia,
Sriram Rajamani, and Kapil Vaswani. A design and verification
methodology for secure isolated regions. In PLDI ’16.
[128] Rohit Sinha, Sriram Rajamani, Sanjit Seshia, and Kapil Vaswani. Moat:
Verifying confidentiality of enclave programs. CCS ’15.
[129] Pramod Subramanyan, Rohit Sinha, Ilia Lebedev, Srinivas Devadas,
and Sanjit A. Seshia. A formal foundation for secure remote execution
of enclaves. CCS ’17.
[130] G. Edward Suh, Charles W. O’Donnell, Ishan Sachdev, and Srinivas
Devadas. Design and Implementation of the AEGIS Single-Chip Se-
cure Processor Using Physical Random Functions. SIGARCH Comput.
Archit. News, 2005.
[131] Jakub Szefer and Ruby B. Lee. Architectural Support for Hypervisor-
secure Virtualization. In ASPLOS, 2012.
[132] David Lie Chandramohan Thekkath, Mark Mitchell, Patrick Lincoln,
Dan Boneh, JohnMitchell, andMark Horowitz. Architectural Support
for Copy and Tamper Resistant Software. In ASPLOS, 2000.
[133] Shruti Tople, Karan Grover, Shweta Shinde, Ranjita Bhagwan, and
Ramachandran Ramjee. Privado: Practical and Secure DNN Inference.
ArXiv, 2018.
[134] Stephan van Schaik, Alyssa Milburn, Sebastian ÃŰsterlund, Pietro
Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano
Giuffrida. RIDL: Rogue in-flight data load. In S&P, 2019.
[135] Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan McCune, James
Newsome, and Anupam Datta. Design, Implementation and Verifica-
tion of an eXtensible and Modular Hypervisor Framework. In IEEE
S&P, 2013.
[136] R. N. M. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Ander-
son, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, S. J. Murdoch,
R. Norton, M. Roe, S. Son, and M. Vadera. Cheri: A hybrid capability-
system architecture for scalable software compartmentalization. In
17
Dayeol Lee, David Kohlbrenner, Shweta Shinde, Krste Asanović, and Dawn Song
IEEE Symposium on Security and Privacy, 2015.
[137] Yuanzhong Xu, Weidong Cui, and Marcus Peinado. Controlled-
Channel Attacks: Deterministic Side Channels for Untrusted Op-
erating Systems. In IEEE S&P, 2015.
[138] M. Yan, J. Choi, D. Skarlatos, A. Morrison, C. Fletcher, and J. Torrel-
las. Invisispec: Making speculative execution invisible in the cache
hierarchy. In MICRO, 2018.
[139] Jean Yang and Chris Hawblitzel. Safe to the last instruction: Auto-
mated verification of a type-safe operating system. In PLDI, 2010.
[140] Jisoo Yang and Kang G. Shin. Using Hypervisor to Provide Data
Secrecy for User Applications on a Per-page Basis. In VEE, 2008.
[141] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi.
Town crier: An authenticated data feed for smart contracts. In CCS,
2016.
[142] Fengzhe Zhang, Jin Chen, Haibo Chen, and Binyu Zang. CloudVisor:
Retrofitting Protection of Virtual Machines in Multi-Tenant Cloud
with Nested Virtualization. In SOSP, 2011.
18
