TIO - Secure Input/Output for Intel SGX Enclaves

The new trusted execution environments (TEE) integrated within CPUs (e.g., Intel Software Guard Extensions) enable isolation of security-critical applications from the rest of the software running on the system. However, they lack support for trusted I/O such as keyboard or display, making those technologies unreliable in the case of user-centric applications. In this paper we introduce TIO, a practical hardware module that creates a secure channel between any USB HID device (e.g., keyboard/mouse) and a TEE (e.g., Intel SGX) using only local authentication and attestation. We describe the architecture and implementation of our solution, as well as practical considerations for deploying it in a real scenario and different USB devices. We evaluate the benefits of using our hardware module and show that there is no lag or noticeable impact on the input while it enhances the security of several applications. Moreover, TIO can be extended to any other input/output devices.