Announcement

Collapse
No announcement yet.

Intel AEX Notify Support Prepped For Linux To Help Enhance SGX Enclave Security

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Intel AEX Notify Support Prepped For Linux To Help Enhance SGX Enclave Security

    Phoronix: Intel AEX Notify Support Prepped For Linux To Help Enhance SGX Enclave Security

    Future Intel CPUs and some existing processors via a microcode update will support a new feature called the Asynchronous EXit (AEX) notification mechanism to help with Software Guard Extensions (SGX) enclave security. Patches for the Linux kernel are pending for implementing this Intel AEX Notify support with capable processors...

    https://www.phoronix.com/news/Intel-AEX-Notify-Linux

  • #2
    I guess news don't get any nerdier than this

    Comment


    • #3
      Meh. Given how thoroughly SGX and TSX have been compromised in the past, I think they either need to be discarded or redone from scratch, and called SGX2 and TSX2 or something. Hard to have much faith in them with their current record.

      Comment


      • #4
        Originally posted by cl333r View Post
        I guess news don't get any nerdier than this
        Except perhaps how to use SGX and related features to execute and run malware that no anti-virus system can find...

        https://i.blackhat.com/briefings/asi...itcoins-wp.pdf

        That one is about stealing cryptocurrencies, but there's no reason any given malware can't use SGX and associated technologies the same way as any legit software can.

        Edit to add: This is why features like this should be disabled by default unless there's a legitimate reason to be using them - and no, enforcing DRM is not a legitimate reason.
        Last edited by stormcrow; 06 November 2022, 01:40 PM.

        Comment


        • #5
          Originally posted by Snaipersky View Post
          Meh. Given how thoroughly SGX and TSX have been compromised in the past, I think they either need to be discarded or redone from scratch, and called SGX2 and TSX2 or something. Hard to have much faith in them with their current record.
          There is already SGX2 - https://www.phoronix.com/search/SGX2
          Michael Larabel
          https://www.michaellarabel.com/

          Comment


          • #6
            Originally posted by Snaipersky View Post
            Meh. Given how thoroughly SGX and TSX have been compromised in the past, I think they either need to be discarded or redone from scratch, and called SGX2 and TSX2 or something. Hard to have much faith in them with their current record.
            I have been expecting for a long time that intel will move all of SGX down into SMM. They seem to be trying to recapture SMM, with recent versions of their Firmware Support Package blob registering payloads in SMM for some reason. Could be runtime memory recalibrations or god knows what else.

            Putting SGX into SMM would place it *firmly* outside the reach of the OS, and thus make it much harder for people to introspect. I imagine services there would be patterned a bit like USB mouse "drivers" where SMM and a USB stack located there captured USB events and emulated a PS2 mouse for DOS.

            Comment

            Working...
            X