SGX: when 20 patch versions aren't enough

If we talk about DRM or the like, virtually any kernel is "hostile", and they might still wanna load the binary, because it is the gateway to stuff you bought/rented. It is enough for the code/data in the enclave to be encrypted - via remote attestation of the initial image and then dynamic load of further load/data via a remote site (might be encrypted), the "hostile" kernel can not influence or even know what is done in the enclave.