[reggie14]

How? The lack of trusted I/O in SGX seems like it would make secure disk encryption rather hard. You still need to use something like a password for access control. While it can be mixed with a key in SGX, you have to get that password into SGX from untrusted space. At least in the TPM architecture there's some effort to establish a trusted pre-boot environment where you can enter a password/PIN.

Then, sure, you could keep the data encryption keys within SGX, but the decrypted data is going to come out of it. So, once you have the password, you can ask SGX to decrypt the drive for you.

I don't see how SGX is well-suited for drive encryption use cases. It's mostly for trusted execution.

[amluto]

You make a little enclave that (proxied through the host) gets the TPM to attest online to the relevant PCRs. Then the enclave gives the host the VMK.

Sure, one could then run this enclave under malicious control, but the attacker now has to do that live while the TPM thinks the system is okay. This requires active attack instead of passive attack. (Or it requires a DMA attack.) So the bar is a bit higher.