SGX already works with PAVP, doesn't it? I can't imagine Netflix would be using SGX-based DRM for 4K content unless it actually provided a real benefit, especially considering that without trusted I/O it's much more obvious where to grab decrypted data by looking for SGX-related instructions.
I looked into SGX recently and have a question related to your comment. It seems an enclave doesn't make system calls. I was wondering how any I/O gets done? You mention untrusted ... is that the only way? TrustZone seems to do it better than that?
An enclave does not make any system calls directly like the rest of the process would, but a system call can definitely be made through the use of a shim layer. In SGX parlance, calls to the outside of the enclave are known as OCALLs. The danger with relying on values returned by a syscall is that the OS could be lying. As an exercise, you could implement a simple "hello, world" filesystem driver that hides the presence of certain files. So, as long as the enclave has no trusted path to I/O, it must rely on the operating system, which is assumed compromised. If the enclave decrypts protected content for the sake of having it written to the display by the OS, then you can see that the contents are not secure. SGX support for PAVP means that the chipset is involved in shuttling the data into and out of the enclave, with no one being able to interject. Not sure TrustZone solves this.
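To make the OCALL point above concrete, here is an added example that is not part of the thread and is not Intel SGX SDK code: a plain Python simulation of the enclave/OS boundary. The "enclave" never touches storage itself; every read and write goes out through an OCALL-style shim into an untrusted OS object. Because the OS may lie, the enclave authenticates what comes back with an HMAC under a sealing key and pins a version number to catch rollback. The `HonestOS`/`LyingOS` classes, the `os.urandom` sealing key, the blob layout and the in-memory version table are all constructed for this demo (a real enclave would derive the key with EGETKEY and would need a monotonic counter or similar to keep the expected version across restarts). The one lie it cannot detect from the data alone is the OS hiding a file entirely, which is exactly the "hello, world" filesystem trick from the reply: the enclave sees the same ENOENT it would see if the file never existed.

```python
"""Simulated SGX-style enclave/OS boundary (added example, not SGX SDK code).

The enclave does no I/O itself; each access is an OCALL into an untrusted OS.
Returned data is verified with a MAC under a sealing key, and a version number
bound into the MAC catches rollback to an older sealed blob.
"""
import hashlib
import hmac
import os
import struct


class HonestOS:
    """Untrusted world: stores opaque blobs exactly as the enclave handed them over."""
    def __init__(self):
        self.files = {}

    def ocall_write_file(self, path, blob):
        self.files[path] = blob

    def ocall_read_file(self, path):
        return self.files.get(path)  # None mimics ENOENT


class LyingOS(HonestOS):
    """Same OCALL interface, but hides files, replays stale copies, and tampers."""
    def __init__(self, hidden=(), rollback=(), tamper=()):
        super().__init__()
        self.hidden, self.rollback, self.tamper = set(hidden), set(rollback), set(tamper)
        self.history = {}  # every blob ever written, so old versions can be replayed

    def ocall_write_file(self, path, blob):
        self.history.setdefault(path, []).append(blob)
        super().ocall_write_file(path, blob)

    def ocall_read_file(self, path):
        if path in self.hidden:
            return None  # the "hidden file" filesystem driver
        blob = super().ocall_read_file(path)
        if blob is not None and path in self.rollback and len(self.history[path]) > 1:
            blob = self.history[path][0]  # serve the first version ever written
        if blob is not None and path in self.tamper:
            blob = blob[:4] + bytes([blob[4] ^ 0x01]) + blob[5:]  # flip a payload bit
        return blob


class IntegrityError(Exception):
    pass


class RollbackError(Exception):
    pass


class Enclave:
    MAC_LEN = 32  # HMAC-SHA256

    def __init__(self, untrusted_os, sealing_key):
        self.os = untrusted_os     # OCALL target; nothing it returns is trusted as-is
        self.key = sealing_key     # assumption: provisioned like an EGETKEY-derived key
        self.versions = {}         # trusted in-enclave record of the latest version per path

    def _mac(self, path, version, data):
        msg = path.encode() + b"\0" + struct.pack(">I", version) + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal_write(self, path, data):
        """Blob layout (constructed): version(4) || data || mac(32)."""
        version = self.versions.get(path, 0) + 1
        blob = struct.pack(">I", version) + data + self._mac(path, version, data)
        self.versions[path] = version
        self.os.ocall_write_file(path, blob)  # OCALL: leaves the enclave

    def read_verified(self, path):
        blob = self.os.ocall_read_file(path)  # OCALL: untrusted until checked
        if blob is None:
            return None  # genuine ENOENT or the OS hiding the file: indistinguishable here
        if len(blob) < 4 + self.MAC_LEN:
            raise IntegrityError("truncated blob")
        version = struct.unpack(">I", blob[:4])[0]
        data, mac = blob[4:-self.MAC_LEN], blob[-self.MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(path, version, data)):
            raise IntegrityError("MAC mismatch: OS returned tampered data")
        expected = self.versions.get(path, 0)
        if version != expected:
            raise RollbackError(f"expected version {expected}, got {version}")
        return data


def demo():
    """Run the enclave against an honest OS and a lying one; returns what it observed."""
    key = os.urandom(32)  # constructed sealing key for the demo
    results = {}
    honest = Enclave(HonestOS(), key)
    honest.seal_write("/keys/content.key", b"v1-secret")
    honest.seal_write("/keys/content.key", b"v2-secret")
    results["honest"] = honest.read_verified("/keys/content.key")

    liar = LyingOS(hidden=["/hidden"], rollback=["/rb"], tamper=["/tamper"])
    enc = Enclave(liar, key)
    enc.seal_write("/hidden", b"x")
    results["hidden"] = enc.read_verified("/hidden")  # None: looks like a missing file
    enc.seal_write("/rb", b"old")
    enc.seal_write("/rb", b"new")
    try:
        enc.read_verified("/rb")
        results["rb"] = "missed"
    except RollbackError:
        results["rb"] = "rollback detected"
    enc.seal_write("/tamper", b"payload")
    try:
        enc.read_verified("/tamper")
        results["tamper"] = "missed"
    except IntegrityError:
        results["tamper"] = "tamper detected"
    return results


if __name__ == "__main__":
    print(demo())
```

The MAC and version check are what let the enclave notice a tampered or replayed blob; they do nothing for the hidden-file case, and they do nothing for the display path in the reply, where the decrypted bytes leave the enclave in the clear by design. That is the gap a chipset-mediated path such as PAVP is meant to close, and it is why the enclave's version table would need a monotonic counter or an external trusted store to survive a restart in a real deployment.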