Intel Preparing Linux Support To Handle Live Microcode Updates Affecting SGX

    Phoronix: Intel Preparing Linux Support To Handle Live Microcode Updates Affecting SGX

    While a number of vulnerabilities have already been demonstrated against Intel's Software Guard Extensions (SGX), from Prime+Probe to Plundervolt, Spectre-like attacks, SGAxe, and others, it looks like Intel expects more to come. Intel engineers are working on the ability for SGX to gracefully handle live CPU microcode updates without a reboot, which these days are increasingly driven by security mitigations and by system administrators wanting to apply such updates right away while avoiding downtime...
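    Late (no-reboot) microcode loading on Linux goes through a single sysfs knob, and the practical check afterwards is that every logical CPU reports the same revision, since a core that missed the update is exactly the case the article is about. The script below is an added example, not code from the Phoronix article or from Intel's patches; it parses `/proc/cpuinfo`-style output (a constructed sample is embedded so it runs offline), and the function names `microcode_revisions`, `microcode_consistent` and `reload_microcode` are this example's own. It says nothing about enclave state; it only confirms the revision the cores report.

```shell
#!/bin/sh
# Added example: verify microcode revisions across CPUs after a late load.
# Not part of the Phoronix article; function names are this example's own.

# Constructed /proc/cpuinfo excerpt (only the fields this check needs).
# CPU 2 still reports the old revision, as if it missed the update.
SAMPLE_CPUINFO='processor	: 0
microcode	: 0xf0
processor	: 1
microcode	: 0xf0
processor	: 2
microcode	: 0xea
processor	: 3
microcode	: 0xf0'

# Print the distinct microcode revisions found in cpuinfo text, one per line.
# Real cpuinfo uses "microcode<TAB>: 0x..." ; the regex separator absorbs both.
microcode_revisions() {
    printf '%s\n' "$1" | awk -F'[[:space:]]*:[[:space:]]*' '/^microcode/ { print $2 }' | sort -u
}

# Succeed (exit 0) only when every CPU agrees on exactly one revision.
microcode_consistent() {
    count=$(microcode_revisions "$1" | awk 'END { print NR }')
    [ "$count" -eq 1 ]
}

# Trigger the Linux late-load path (root required; firmware must already be
# installed under /lib/firmware/intel-ucode). Not executed by the checks below.
reload_microcode() {
    echo 1 > /sys/devices/system/cpu/microcode/reload
}

# Usage on a live system: reload, then re-read /proc/cpuinfo and compare.
# Wrapped in a function so sourcing this file does not touch sysfs.
check_live_system() {
    reload_microcode
    cpuinfo=$(cat /proc/cpuinfo)
    if microcode_consistent "$cpuinfo"; then
        echo "microcode revision consistent: $(microcode_revisions "$cpuinfo")"
    else
        echo "WARNING: mixed microcode revisions:" >&2
        microcode_revisions "$cpuinfo" >&2
        return 1
    fi
}
```

    Run `check_live_system` as root on a real machine; with the constructed sample, `microcode_consistent "$SAMPLE_CPUINFO"` fails because CPU 2 reports `0xea` while the rest report `0xf0`.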


  • #2
    I seem to recall Intel deprecating SGX in some of their recent chips. I had thought they might have finally realized just how terrible and unworkable an idea it is to run your code on your adversary's hardware, but it seems the Hollywood money is too strong.



    • #3
      How is it possible to update the microcode for the enclave if it should be non-changeable from the software side? Do the microcode files need to be signed by intel and are then uploaded to the SGX which then checks the signature and runs the update?



      • #4
        Originally posted by Developer12:
        I seem to recall Intel deprecating SGX in some of their recent chips. I had thought they might have finally realized just how terrible and unworkable an idea it is to run your code on your adversary's hardware, but it seems the Hollywood money is too strong.
        They deprecated it from mainstream platforms (AFAIK rendering UHD Blu-rays essentially legally unwatchable on new CPUs in PCs). It's still alive in Xeons.

        Originally posted by baka0815:
        How is it possible to update the microcode for the enclave if it should be non-changeable from the software side? Do the microcode files need to be signed by Intel and are then uploaded to the SGX, which then checks the signature and runs the update?
        Microcode updates are encrypted and signed (since ~Nehalem) by Intel, so they are still within the chain of trust. You can't just run your own (as cool as that would be).
