lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 6 Feb 2020 01:07:56 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Randy Dunlap <rdunlap@...radead.org>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-sgx@...r.kernel.org, akpm@...ux-foundation.org,
        dave.hansen@...el.com, sean.j.christopherson@...el.com,
        nhorman@...hat.com, npmccallum@...hat.com, haitao.huang@...el.com,
        andriy.shevchenko@...ux.intel.com, tglx@...utronix.de,
        kai.svahn@...el.com, bp@...en8.de, josh@...htriplett.org,
        luto@...nel.org, kai.huang@...el.com, rientjes@...gle.com,
        cedric.xing@...el.com, puiterwijk@...hat.com,
        linux-doc@...r.kernel.org
Subject: Re: [PATCH v25 21/21] docs: x86/sgx: Document SGX micro architecture
 and kernel internals

On Wed, Feb 05, 2020 at 09:54:31AM -0800, Randy Dunlap wrote:
> Hi,
> I have some Documentation edits. Please see inline below...
>
> or just: ``grep sgx /proc/cpuinfo

Makes sense.

> > +key set into MSRs, which would then generate launch tokens for other enclaves.
> > +This would only make sense with read-only MSRs, and thus the option has been
> > +discluded.
> 
> I can't find "discluded" in a dictionary.

Should be "discarded".

> "MAC" can mean a lots of different things.  Which one is this?

Message authentication code. I open

I rewrote the whole local attestation section:

"In local attestation an enclave creates a **REPORT** data structure
with **ENCLS[EREPORT]**, which describes the origin of an enclave. In
particular, it contains a AES-CMAC of the enclave contents signed with a
report key unique to each processor. All enclaves have access to this
key.

This mechanism can also be used in addition as a communication channel
as the **REPORT** data structure includes a 64-byte field for variable
information."

> > +* ECDSA based scheme, which 3rd party to act as an attestation service.
> 
>                          which uses a 3rd party
> or
>                          using a 3rd party

It should be "allows a 3rd party".

> > +Intel provides an open source *quoting enclave (QE)* and *provisioning
> > +certification enclave (PCE)* for the ECDSA based scheme. The latter acts as
> > +the CA for the local QE's. Intel also a precompiled binary version of the PCE
> 
>                                     also provides [??]

I rewrote it as:

"Intel provides a proprietary binary version of the PCE. This is a
necessity when the software needs to prove to be running inside a legit
enclave on real hardware."

Thank you for the comments.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ