lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <abe544be-46e9-15f6-98ca-808f3d22cca7@fortanix.com>
Date:   Fri, 18 Mar 2022 10:04:37 +0100
From:   Jethro Beekman <jethro@...tanix.com>
To:     Dave Hansen <dave.hansen@...el.com>,
        Cathy Zhang <cathy.zhang@...el.com>, linux-sgx@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     ashok.raj@...el.com
Subject: Re: [RFC PATCH v2 09/10] x86/cpu: Call ENCLS[EUPDATESVN] procedure in
 microcode update

On 2022-03-16 16:42, Dave Hansen wrote:
> On 3/16/22 02:46, Jethro Beekman wrote:
>>> +void update_cpusvn_intel(void) +{ +	sgx_lock_epc(); +	if
>>> (sgx_zap_pages())
>> Doing this automatically and unconditionally during a microcode
>> update seems undesirable. This requires the userland tooling that is
>> coordinating the microcode update to be aware of any SGX enclaves
>> that are running and possibly coordinate sequencing with the
>> processes containing those enclaves. This coupling does not exist
>> today.
> 
> "Today" in what?

In distros.

> If a microcode update changes SGX behavior and bumps CPUSVN, it's
> fundamentally incompatible with letting enclaves continue to run.  They
> might as well be killed.

It's not "fundamentally incompatible". It works fine today and will continue to work fine in CPUs that have EUPDATESVN support. Yes your enclaves are probably vulnerable to some attacks, but people run vulnerable software intentionally all the time.

> But, seriously, if you can't handle enclaves being killed every few
> months, don't use SGX.  The architecture doesn't allow data to be

I don't think anyone is making a claim that there are enclaves that wouldn't be able handle this? Being able to deal with something is not the same as wanting to deal with something. My laptop can handle running out of battery in the middle of writing some new code. That doesn't mean I want my laptop to arbitrarily turn off at uncontrollable times?

> persistent like normal x86.  It's fundamental to the architecture.  You
> can also think of this as a shiny new SGX *testing* feature: one that
> keeps enclave owners from becoming complacent and forgetting about what
> the SGX architecture provides.

Great idea, why not expand on this and just randomly call EREMOVE at timed intervals?

--
Jethro Beekman | Fortanix

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4490 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ