Re: [PATCH 0/6] Intel Secure Guard Extensions

From: Ingo Molnar
Date: Wed Apr 27 2016 - 04:18:19 EST
* Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> > What new syscalls would be needed for ssh to get all this support?
>
> This patchset or similar, plus some user code and an enclave to use.
>
> Sadly, on current CPUs, you also need Intel to bless the enclave. It looks like
> new CPUs might relax that requirement.

That looks like a fundamental technical limitation in my book - to an open source
user this is essentially a very similar capability to tboot: it only allows the
execution of externally blessed static binary blobs...

I don't think we can merge any of this upstream until it's clear that the hardware
owner running open-source user-space can also freely define/start his own secure
enclaves without having to sign the enclave with any external party. I.e.
self-signed enclaves should be fundamentally supported as well.

Thanks,

Ingo