| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Jun 2018 11:39:00 -0700
From: Jethro Beekman <jethro@...tanix.com>
To: Nathaniel McCallum <npmccallum@...hat.com>, luto@...nel.org
Cc: Neil Horman <nhorman@...hat.com>, jarkko.sakkinen@...ux.intel.com,
x86@...nel.org, platform-driver-x86@...r.kernel.org,
linux-kernel@...r.kernel.org, mingo@...hat.com,
intel-sgx-kernel-dev@...ts.01.org, hpa@...or.com,
dvhart@...radead.org, tglx@...utronix.de, andy@...radead.org,
Peter Jones <pjones@...hat.com>
Subject: Re: [intel-sgx-kernel-dev] [PATCH v11 13/13] intel_sgx: in-kernel
launch enclave
On 2018-06-20 11:16, Jethro Beekman wrote:
> > This last bit is also repeated in different words in Table 35-2 and
> > Section 42.2.2. The MSRs are *not writable* before the write-lock bit
> > itself is locked. Meaning the MSRs are either locked with Intel's key
> > hash, or not locked at all.
Actually, this might be a documentation bug. I have some test hardware
and I was able to configure the MSRs in the BIOS and then read the MSRs
after boot like this:
MSR 0x3a 0x0000000000040005
MSR 0x8c 0x20180620aaaaaaaa
MSR 0x8d 0x20180620bbbbbbbb
MSR 0x8e 0x20180620cccccccc
MSR 0x8f 0x20180620dddddddd
Since this is not production hardware, it could also be a CPU bug of course.
If it is indeed possible to configure AND lock the MSR values to
non-Intel values, I'm very much in favor of Nathaniels proposal to treat
the launch enclave like any other firmware blob.
Jethro Beekman | Fortanix
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3994 bytes)
Powered by blists - more mailing lists