Intel SGX Explained

The juicy bit:<p>&quot;That being said, perhaps the most troubling finding in our security analysis is that Intel included a licensing mechanism in SGX that prevents software developers who cannot or will not enter a (yet unspecified) busi- ness agreement with Intel from authoring software that takes advantage of SGX’s protections. All the official documentation carefully sidesteps this issue, and has a minimal amount of hints that lead to the Intel’s patents on SGX. Only these patents disclose the existence of licensing plans.&quot;

For the scary applications (regarding user freedom) of Intel SGX, see Joanna Rutkowska&#x27;s two blog posts about Software Guard Extensions.<p>Part 1: <a href="http:&#x2F;&#x2F;blog.invisiblethings.org&#x2F;2013&#x2F;08&#x2F;30&#x2F;thoughts-on-intels-upcoming-software.html" rel="nofollow">http:&#x2F;&#x2F;blog.invisiblethings.org&#x2F;2013&#x2F;08&#x2F;30&#x2F;thoughts-on-intel...</a><p>Part 2: <a href="http:&#x2F;&#x2F;theinvisiblethings.blogspot.com&#x2F;2013&#x2F;09&#x2F;thoughts-on-intels-upcoming-software.html" rel="nofollow">http:&#x2F;&#x2F;theinvisiblethings.blogspot.com&#x2F;2013&#x2F;09&#x2F;thoughts-on-i...</a><p>Intel SGX also had some useful applications alongside those that are harmful to users, like search engines that provably don&#x27;t log queries, mail servers that provably don&#x27;t keep your mail, provably safe Bitcoin mixers and so on. But if using Intel SGX requires a business agreement with Intel, I worry we will only see the bad things and not the useful ones.<p>It is possible I am wrong and cloud providers will give people who aren&#x27;t Hollywood access to Intel SGX. But all the applications require trusting Intel and the NSA. Hollywood surely does not mind trusting them, do we?<p><i>Intel x86 considered harmful</i>[1] talks about all the scary stuff with Intel&#x27;s processors.<p>[1]: <a href="http:&#x2F;&#x2F;blog.invisiblethings.org&#x2F;papers&#x2F;2015&#x2F;x86_harmful.pdf" rel="nofollow">http:&#x2F;&#x2F;blog.invisiblethings.org&#x2F;papers&#x2F;2015&#x2F;x86_harmful.pdf</a>

Alex Ionescu wrote a paper [1] on Win10 and SGX.<p><pre><code> &gt; It’s important to realize that for now, only Intel has &gt; the required key to allow an enclave to be launched &gt; without knowing the required CPU-specific enclave key, &gt; and no other (even signed) enclaves can be launched &gt; without it. Once Intel releases a permissive loader, or &gt; if Intel ME vulnerabilities are found to extract the key, &gt; then the real abuse will begin. &gt; &gt; Indeed, one area of further research is the Intel SGX &gt; Driver that was released for recent Intel SGX-enabled &gt; Dell Laptops, which contains a le.signed.dll file that is &gt; the Intel Launch Enclave. Additionally, it contains &gt; Intel’s EINITTOKEN that can be used to launch such &gt; enclaves, as well as a service and set of APIs which &gt; appear to make it possible to launch additional enclaves. &gt; Windows 10, on its own, does not seem to ship or support &gt; its own Intel-signed Launch Enclave. </code></pre> [1] <a href="http:&#x2F;&#x2F;www.alex-ionescu.com&#x2F;Enclave%20Support%20In%20Windows%2010%20Fall%20Update.pdf" rel="nofollow">http:&#x2F;&#x2F;www.alex-ionescu.com&#x2F;Enclave%20Support%20In%20Windows...</a>

The initial batch of Skylake CPUs do not implement SGX: <a href="http:&#x2F;&#x2F;www.anandtech.com&#x2F;show&#x2F;9687&#x2F;software-guard-extensions-on-specific-skylake-cpus-only" rel="nofollow">http:&#x2F;&#x2F;www.anandtech.com&#x2F;show&#x2F;9687&#x2F;software-guard-extensions...</a><p>Any word on whether there will be a BIOS update (for example, microcode and ME updates) that will enable SGX for the first batch of Skylakes, or are they just forevermore broken?

The SGX launch has been one of the worst launches of a major CPU feature I&#x27;ve ever seen coming from Intel; it would be really interesting to learn what went wrong and why.<p>It&#x27;s <i>years</i> later than people anticipated (and won&#x27;t be in the E5 xeons for a couple more cycles, so 2017&#x2F;2018&#x2F;2019).<p>Not quite NetBurst level, but pretty horrible from a generally execution-excellent company.

I have to admit, the technical aspects of this are way beyond me. Would this technology allow (in theory) secure distributed computation via RDMA?<p>I&#x27;ve long suspected that Intel understands the implications of mass adoption of cheap, RDMA capable network adapters (iWarp, ROCE and Infiniband): it will cannibalise future CPU sales revenue. Imagine a standard corporate working environment with 1000 workstations on a LAN. At any given time, average CPU utilisation is probably 5-10 per cent tops. It&#x27;s a similar story with storage and I&#x2F;O capacity. If you add RDMA (and ultra-low latency networking) to the equation, there is now no need to buy additional computational power for the next 5 years, as there are a tonne of idle resources that can now be efficiently utilised (even for non-parallelisable computation).<p>From what I can surmise from recent Intel actions, they&#x27;ve opted to not take the &#x27;Microsoft&#x27; approach (i.e. hold back the tide), and have instead decided that if CPU markets are going to be cannibalised, they may as well be the ones doing the cannibalising.<p>Well, that&#x27;s my theory anyway. Am I crazy?

This paper contains a remarkable amount of irrelevant background.<p>If you actually want to read this thing, read the very beginning and then skip to at least page 57.<p>There are some interesting bits that are relevant to OS authors. For example:<p>At first glance, it may seem elegant to have EENTER restore the contents of the XCR0, FS, and GS registers in the current SSA, and have EXIT restore them from the current SSA. However, this approach would break the Intel architecture’s guarantees that only system soft-ware can modify XCR0, and application software can only load segment registers using selectors that index into the GDT or LDT set up by system software (2.7). Specifically, a malicious application could modify these privileged registers by creating an enclave that writes the desired values to the current SSA locations backing up the registers, and then executes EEXIT.<p>If that&#x27;s correct (I haven&#x27;t double-checked thoroughly, but it seems like it&#x27;s wrong), then it&#x27;s a problem. But I think the paper is just wrong.<p>I&#x27;d be more worried about RFLAGS in the SSA. Its exact usage is poorly documented, but some bits of RFLAGS are privileged (IF and IOPL).

Some (mostly not that relevant) details missing from the article:<p>1. CPU microcode update packages from Intel (&quot;MCU&quot;) are unified &quot;processor package&quot; update containers. They update more areas of the chip other than just the MSROM. This is more obvious in the SoC parts, but it is also true on the discrete parts.<p>2. MCU can be downgraded, although this is clearly going into &quot;not validated at all&quot; area, so it might not result in a very stable system ;-) It is likely that Intel can set a flag inside the MCU data that forbids this (the MCU loader <i>inside</i> the processor is more than complex enough to support this kind of thing!), but at least up to Westmere downgrades were still working.<p>2b. and you can always downgrade either just the microcode inside the firmware by modify-and-reflash, or the firmware itself, even if the CPU started to ignore downgrade attempts at runtime.<p>3. When the MCU update process is done in a trusted environment (microcode update data in the FIT), the reported microcode version <i>CHANGES</i> (the processor reports it as one less than the real version of the microcode). This is relevant for attestation, and it is really something that needs to be added to the IA32 manuals. We only know about it outside of the NDA&#x27;ed world because coreboot required a fix for the next issue:<p>4. As long as you find a way to always feed them the latest microcode (or at least the same revision that you have in the firmware), Linux, VMWare and the BSDs [currently] will always override FIT-provided microcode, thus changing the reported microcode revision (it will not be reported as secured anymore). Since the revision changed, it will break any attestation that depended on it. This looks like a good thing at first glance, given how utterly broken at launch the recent Intel processors have been: anything that would get in the way of an user being able to fix these by updating the MCU is a damn bad idea and NEEDS TO DIE.<p>5. The microcode update process nicely wastes several <i>million</i> cycles (and it can easily get to a billion cycles in larger systems, as the update cost increases linearly per core) at every operating system boot and resume from ACPI S3&#x2F;S4&#x2F;S5 ;-) Try to ensure that your firmware has the latest one if you want to have a smaller carbon footprint, because if the OS decides to update it, the box will be doing this expensive procedure twice at every boot&#x2F;resume...