
So long as we can insert a [Xen] Hypervisor between the OS and the processor, I'm confident someone will find a way to make it do what someone else doesn't want it to.

Hypervisors aren't just for virtualizing servers; you can use them for all sorts of things, like intercepting system calls.



The cited SGX analysis was written by a Qubes/Xen developer:

"Intel SGX is essentially a new mode of execution on the CPU, a new memory protection semantic, plus a couple of new instructions to manage this all. So, you create an enclave by filling its protected pages with desired code, then you lock it down, measure the code there, and if everything's fine, you ask the processor to start executing the code inside the enclave. Since now on, no entity, including the kernel (ring 0) or hypervisor (ring “-1”), or SMM (ring “-2”) or AMT (ring “-3”), has no right to read nor write the memory pages belonging to the enclave."


How often is the enclave validated? Could modified DRAM be used that would return one set of data to the enclave validation, and another the rest of the time? What would have to be done to the CPU cache?


More data here:

http://theinvisiblethings.blogspot.com/2013/08/thoughts-on-i...

http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-i...

".. the processor automatically encrypts the content of SGX-protected memory pages whenever it leaves the processor caches and is stored in DRAM. In other words the code and data used by SGX enclaves never leave the processor in plaintext."

"..once the key is obtained, it is available only within the SGX enclave. It cannot be found in DRAM or on the memory bus, even if the user had access to expensive DRAM emulators or bus sniffers. And the key cannot also be mishandled by the code that runs in the SGX enclave, because remote attestation also proved that the loader code has not been modified.."


Sounds pretty serious, then.



