Re: [PATCH v36 23/24] docs: x86/sgx: Document SGX micro architecture and kernel internals

From: Dr. Greg
Date: Thu Aug 06 2020 - 06:58:45 EST

On Tue, Jul 28, 2020 at 11:35:11PM +0200, Pavel Machek wrote:

> Hi!

Good morning, I hope the week is progressing well for everyone.

> > CPUs starting from Icelake use Total Memory Encryption (TME) in
> > the place of MEE. TME throws away the Merkle tree, which means
> > losing integrity and anti-replay protection but also enables
> > variable size memory pools for EPC. Using this attack for
> > benefit would require an interposer on the system bus.

> It is not exactly clear what "this attack" means.

In the new world that is SGX, 'this attack', roughly means that
enclaves are susceptible to the same security threats that would be
faced if you were running TLS/HTTPS or SSH without packet checksums
and replay avoidance/detection mechanisms in place.

It is extremely unfortunate to the nascent field of confidential
computing that an option was not made available to the platform owner
to choose between full and partial security. The decision to opt for
partial security only, significantly limits the utility of this
technology for architects who are serious about the ability to push
applications into the 'cloud', or other environments without direct
physical control, with an expectation that it will be running in an
'island' of confidentiality or security.

> (And it would be cool to explain against what SGX is protecting. I
> thought it was malicious RAM, but apparently not on Icelake+).

The best way to understand the implications of all this is to review
the following paper:

It is the canonical and very thorough description of the Memory
Encryption Engine (MEE) by its designer Shay Gueron. Shay is notable
in that he led the development of the Intel hardware AES architecture
including the 'shuffle' instructions that make it possible.

As would be expected for a scientific paper on security, it has a full
description of the threat model that the MEE was designed to address
and mathematical proofs of its correctness in doing so. Absent its
implementation, the 'new' SGX is vulnerable to the threats described
in that paper.

This ultimately calls into question what the Confidential Computing
Initiative (CCI) actually represents. The question to be answered is
whether or not one believes that encryption without integrity is an
acceptable security architecture.

One can make a perfectly legitimate argument, which Jarkko notes, in
that an adversary has to control the physical hardware. A very candid
assessment is that the CCI is predicated on the notion of providing
protection in an environment where you push your computation and data
into an environment where an adversary has both the access and ability
to mount an attack.

There are certainly economic issues driving these decisions. Which is
ultimately a statement on the actual and very difficult inherency
barriers that security innovation and advancement faces.

> (english)
> (cesky, pictures)

Hopefully the above is helpful and informative to those who are
interested in these types of issues.

Best wishes for a productive remainder of the week.

Dr. Greg

As always,
Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC.
4206 N. 19th Ave. Specializing in information infra-structure
Fargo, ND 58102 development.
PH: 701-281-1686 EMAIL: greg@xxxxxxxxxxxx
"We can't solve today's problems by using the same thinking we used in
creating them."
-- Einstein