Publication:
T3E: A Practical Solution to Trusted Time in Secure Enclaves
Date
2023
Proceedings Paper
Journal
NETWORK AND SYSTEM SECURITY, NSS 2023
Abstract
Time is used in secure systems to validate security properties. Consequently, it is vital to protect the integrity of time information. Intel SGX enables building secure applications inside a Trusted Execution Environment (TEE), called an enclave, isolated from the untrusted OS. However, accessing time information from the enclave remains challenging as the OS controls the system time. Previous versions of the SGX SDK provided the sgx_get_trusted_time function as an alternative to OS time. However, Intel removed the API in 2020, without providing an alternative. This paper examines trusted time challenges in SGX and presents TPM-based Trusted Time Extensions (T3E), a novel solution that builds on readily available hardware. T3E leverages TPM functionality to provide trusted time services in enclaves while protecting against common attacks. It offers better time granularity and lower latency than Intel’s sgx_get_trusted_time implementation. Unlike related work, it does not rely on deprecated features or hardware/firmware modifications.