Message-ID: <CAFbLv2dmUdqm-VZBi+cSEhpXUpJ=ZsnCn9k=Qfk9sZAtY82gbg@mail.gmail.com>
Date: Mon, 29 Sep 2025 14:58:41 -0700
From: Nataliia Bondarevska <bondarn@...gle.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: "Reshetova, Elena" <elena.reshetova@...el.com>, "Annapurve, Vishal" <vannapurve@...gle.com>,
"jarkko@...nel.org" <jarkko@...nel.org>, "seanjc@...gle.com" <seanjc@...gle.com>,
"Huang, Kai" <kai.huang@...el.com>, "mingo@...nel.org" <mingo@...nel.org>,
"linux-sgx@...r.kernel.org" <linux-sgx@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "x86@...nel.org" <x86@...nel.org>,
"Mallick, Asit K" <asit.k.mallick@...el.com>,
"Scarlata, Vincent R" <vincent.r.scarlata@...el.com>, "Cai, Chong" <chongc@...gle.com>,
"Aktas, Erdem" <erdemaktas@...gle.com>, "Raynor, Scott" <scott.raynor@...el.com>
Subject: Re: [PATCH v15 0/5] Enable automatic SVN updates for SGX enclaves

On Mon, Sep 29, 2025 at 1:50 PM Dave Hansen <dave.hansen@...el.com> wrote:
>
> On 9/29/25 13:33, Nataliia Bondarevska wrote:
> >> Could someone please spend a few minutes to explain what this tag means?
> > My apologies; I've clarified the details of the testing below.
> >
> > The verification was performed on a SPR machine. The objective was to
> > confirm the successful, runtime update of the CPUSVN using a targeted
> > microcode package.
> > Steps Taken:
> > - identified a microcode package version, designed to update CPUSVN
> > number on the machine;
> > - initiated a dynamic load of the package during OS runtime;
> > - confirmed the CPUSVN was upgraded post-load.
>
> OK, so you're basically saying it managed to update the SVN on real
> hardware. You also had to go run an enclave or at least open /dev/sgx,
> right?
>
To confirm the CPUSVN update, I did run an enclave to retrieve the
attestation report and compare the cpusvn values generated before and
after the microcode load. In addition, the custom logs I incorporated
into the sgx_update_svn execution helped me to confirm the expected logic.

> Also, does this tag mean, "I tested this in my company's environment and
> this ABI is sufficient for us until the end of time?" Because there was
> also some feedback on earlier work that this series as-is was going to
> be insufficient.

The test was performed on a SPR machine using the kernel version
deployed across Google's TDX production fleet.
Yes, this ABI is sufficient enough for us.