CCX: Enabling Unmodified Intel SGX Applications on Arm CCA

TL;DR

CCX is a framework that allows existing Intel SGX applications to run unmodified on Arm CCA hardware, ensuring compatibility, security, and performance benefits.

Contribution

It introduces a novel approach to adapt SGX functionalities to Arm CCA, enabling seamless application portability without source code changes.

Findings

CCX successfully runs SGX applications on Arm CCA hardware.

Performance improvements observed with CCX in evaluated settings.

Security guarantees comparable to Intel SGX achieved by CCX.

Abstract

Novel confidential computing technologies such as Intel TDX, AMD SEV, and Arm CCA have recently emerged. In practice, due to its minimal trust boundaries, Intel SGX still remains widely used for enclave-based applications in cloud environments, including confidential cloud services, privacy-preserving communication, secure payment processing, and privacy-focused advertising. With the growing adoption of Arm CPUs in cloud systems, however, existing SGX applications face a significant portability challenge: they are tightly coupled to SGX-specific APIs and execution semantics. In this paper, we present the design and implementation of CCX, a framework that enables existing SGX applications to run on Arm CCA without source code modification. To this end, CCX redesigns SGX functionality within Arm CCA firmware, adapting SGX abstractions to CCA's architecture design while preserving full compatibility with existing applications originally developed for SGX. We implemented a prototype of CCX on both the QEMU emulator and a Nitrogen8M development board. Our evaluation shows that CCX is capable of executing existing SGX applications without requiring source code changes, while providing security guarantees comparable to Intel SGX and achieving performance improvements in our evaluated settings.