Re: [PATCH v5 11/11] intel_sgx: driver documentation

From: Jethro Beekman
Date: Tue Nov 21 2017 - 19:27:58 EST

On 2017-11-21 16:10, Borislav Petkov wrote:
> On Tue, Nov 21, 2017 at 03:45:31PM -0800, Jethro Beekman wrote:
> > Boris & Peter: this key has nothing to do with "trust" or "security".
>
> But with what? Why is the firmware at all involved then?

See under "Launch control". Essentially, firmware can make it so that the user has no control over the IA32_SGXLEPUBKEYHASHn value.

One comment on the documentation I linked:

> +The BIOS can configure IA32_SGXLEPUBKEYHASHn MSRs before feature control
> +register is locked.
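Review bot: the statement that the BIOS can configure the IA32_SGXLEPUBKEYHASHn MSRs before the feature control register is locked is too strong as written; the reply below reports shipping hardware on which these MSRs cannot be configured at all, even by firmware. Suggest qualifying it, e.g. "On hardware where the MSRs are writable, the BIOS can configure IA32_SGXLEPUBKEYHASHn before the feature control register is locked", and noting that on some platforms the value is fixed.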

This is not entirely accurate: hardware exists on the market today where IA32_SGXLEPUBKEYHASHn can't be configured, even by firmware. As mentioned in my previous email, I'd like to use said hardware.

Jethro Beekman
