Announcement

Collapse
No announcement yet.

27th Time The Charm? Intel SGX Enclaves Support For Linux Revved Again

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • 27th Time The Charm? Intel SGX Enclaves Support For Linux Revved Again

    Phoronix: 27th Time The Charm? Intel SGX Enclaves Support For Linux Revved Again

    For four years we have been seeing Intel Secure Guard Extensions (SGX) bring-up for the Linux kernel and that work continues with the Intel SGX Enclaves support now having been sent out for review twenty-seven times as it tries to work its way towards the mainline Linux kernel...

    http://www.phoronix.com/scan.php?pag...-For-Linux-v27

  • #2
    Isn't it such a oxymoron that Intel is pushing various security enhancements when their architecture is so filled with bugs, backdoors and security issues that never end?

    Comment


    • #3
      Originally posted by Spam View Post
      Isn't it such a oxymoron that Intel is pushing various security enhancements when their architecture is so filled with bugs, backdoors and security issues that never end?
      It's not security. It's DRM.

      Comment


      • #4
        Did FSGSBASE support ever land? The last article I can find about it talked about maybe landing for 5.5.

        Comment


        • #5
          So is PPI the same as SGX?

          Comment


          • #6
            Well, SGX has already been compromised several times. If you want to use it safely you need to cripple your system, otherwise you are vulnerable to "Plundervolt" and you would have already lost a lot of Performance, because hey L1TF also affects SGX as does Spectre.
            So really... How safe is it? When can we expect the next vulnerability?
            The better option is a dedicate security processor on the motherboard. Not a set of extensions to an already compromised CPU

            Comment


            • #7
              Originally posted by FPScholten View Post
              The better option is a dedicate security processor on the motherboard. Not a set of extensions to an already compromised CPU
              Oh, you mean like the Intel Management Engine that implements Intel Active Management Technology that allowed you super-root access with a blank password (CVE-2017-5689)? It's capable of full power control, remote VNC and remote boot from network even if the PC is powered off
              Granted AMT is not usually available in non-vPro SKUs for business customers, but it gives a hint about the overall level of security in ME.

              Comment


              • #8
                No, IME is by no means ever intended to be a security device (more like the opposite I would say). I mean real Cryptoprocessors like those used in HSM devices. A known example of a simple cryptoprocessor is the TPM that is in many laptops and motherboards, There are however much more advanced cryptoprocessors that are being used in financial, military and other systems that need to be foolproof secured.

                Comment


                • #9
                  Originally posted by numacross View Post

                  Oh, you mean like the Intel Management Engine that implements Intel Active Management Technology that allowed you super-root access with a blank password (CVE-2017-5689)? It's capable of full power control, remote VNC and remote boot from network even if the PC is powered off
                  Granted AMT is not usually available in non-vPro SKUs for business customers, but it gives a hint about the overall level of security in ME.
                  These ring -1 features are essential for server management , and I used them as a cheap alternative to IPMI.
                  The real problems are Intel was not doing it right (implemented with seL4 or other formally proofed system), and refuse to release the code for third party review.
                  Now I had to disable vPro and control my home server physically

                  Comment


                  • #10
                    Originally posted by FPScholten View Post
                    No, IME is by no means ever intended to be a security device (more like the opposite I would say). I mean real Cryptoprocessors like those used in HSM devices. A known example of a simple cryptoprocessor is the TPM that is in many laptops and motherboards, There are however much more advanced cryptoprocessors that are being used in financial, military and other systems that need to be foolproof secured.
                    FYI: The IME and AMD's PSP are/(can be) used to create a so-called "software TPM", among other things

                    Are you aware that Intel's ME is now called CSME (Converged Security Management Engine)?

                    Comment

                    Working...
                    X