lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160508095843.GA5144@wind.enjellic.com>
Date:	Sun, 8 May 2016 04:58:43 -0500
From:	"Dr. Greg Wettstein" <greg@...ellic.com>
To:	Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:	"Dr. Greg Wettstein" <greg@...ellic.com>,
	"Austin S. Hemmelgarn" <ahferroin7@...il.com>,
	Pavel Machek <pavel@....cz>, gregkh@...uxfoundation.org,
	Andy Lutomirski <luto@...nel.org>,
	Borislav Petkov <bp@...e.de>,
	Boris Ostrovsky <boris.ostrovsky@...cle.com>,
	"open list:STAGING SUBSYSTEM" <devel@...verdev.osuosl.org>,
	Ingo Molnar <mingo@...nel.org>,
	Kristen Carlson Accardi <kristen@...ux.intel.com>,
	"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
	open list <linux-kernel@...r.kernel.org>,
	Mathias Krause <minipli@...glemail.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Wan Zongshun <Vincent.Wan@....com>
Subject: Re: [PATCH 0/6] Intel Secure Guard Extensions

Hi, I hope the weekend is going well for everyone.

On Fri, May 06, 2016 at 02:39:44PM +0300, Jarkko Sakkinen wrote:
> On Tue, May 03, 2016 at 04:06:27AM -0500, Dr. Greg Wettstein wrote:
> > It would be helpful and instructive for anyone involved in this debate
> > to review the following URL which details Intel's SGX licening
> > program:
> > 
> > https://software.intel.com/en-us/articles/intel-sgx-product-licensing

> I think it would be good to note that the licensing process is
> available only for Windows. For Linux you can only use debug
> enclaves at the moment. The default LE has "allow-all" policy for
> debug enclaves.

As others have noted, unfortunately, this renders the technology
largely useless on Linux, at least for anything beyond
experimentation.  That is somewhat strange given that one of the
primary intentions of the technology is to push applications into
untrusted cloud environments, particularly given the use of Linux in
the 'cloud'.  So I guess Azure is the only security beneficiary at
this time... :-)

I assume that Intel will be releasing a launch enclave with its
upcoming Linux SDK?

> > I think the only way forward to make all of this palatable is to
> > embrace something similar to what has been done with Secure Boot.  The
> > Root Enclave Key will need to be something which can be reconfigured
> > by the Platform Owner through BIOS/EFI.  That model would take Intel
> > off the hook from a security perspective and establish the notion of
> > platform trust to be a bilateral relationship between a service
> > provider and client.

> This concern has been raised many times now. Sadly this did not make
> into Skyle but in future we will have one shot MSRs (can be set only
> once per boot cycle) for defining your own root of trust.

It is encouraging to hear that Intel will be implementing one shot
MSR's for the identity modulus signature.  That would be consistent
with what we would advocate for.

This now means the security of SGX on 'unlocked' platforms, at least
from a trust perspective, will be dependent on using TXT so as to
provide a hardware root of trust on which to base the SGX trust model.
I was out walking with Izzy our Golden Retriever last night and as I
thought about the implicatioins of all this I think the solution, at
least as we would implement it, will tie together rather nicely.

I would assume that everyone is using signed Launch Control Policies
(LCP) as we are.  This means that TXT/tboot already has access to the
public key which is used for the LCP data file signature.  It would
seem logical to have tboot compute the signature on that public key
and program that signature into the module signature registers.  That
would tie the hardware root of trust to the SGX root of trust.

If that is undesirable the other alternative would be to pass a custom
LCP policy element into tboot which would define the desired SGX
trust signature.

It is unfortunate that SGX took the path it did on Linux.  We actually
have application for the technology now in our security supervisor.

When you say that unlocked SGX did not make it into Skylake does this
mean we need to wait for a new micro-architecture or a die shrink?
Given that tick/tock is now expanding in time it would be useful to
have unlocked SGX be one of the extension features of Skylake.
Otherwise there is certainly no rush for the Linux driver... :-)

> /Jarkko

Have a good week.

Greg

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg@...ellic.com
------------------------------------------------------------------------------
"If you get to thinkin' you're a person of some influence, try
 orderin' somebody else's dog around."
                                -- Cowboy Wisdom

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ