Intel AEX Notify Support Prepped For Linux To Help Enhance SGX Enclave Security
Intel's Asynchronous EXit (AEX) notification mechanism lets SGX enclaves run a handler after an AEX event. Those handlers can be used for things like mitigating SGX-Step as an attack framework for precise enclave execution control.
The pending Linux patches confirm the AEX Notify support will be found on upcoming processors (presumably Sapphire Rapids) as well as some existing processors via microcode update.
This patch in TIP's x86/sgx branch sums up AEX Notify and the kernel-side work:
== AEX Notify Background ==
"Intel Architecture Instruction Set Extensions and Future Features - Version 45" is out. There is a new chapter:
Asynchronous Enclave Exit Notify and the EDECCSSA User Leaf Function.
Enclaves exit can be either synchronous and consensual (EEXIT for instance) or asynchronous (on an interrupt or fault). The asynchronous ones can evidently be exploited to single step enclaves, on top of which other naughty things can be built.
AEX Notify will be made available both on upcoming processors and on some older processors through microcode updates.
== The Problem ==
These attacks are currently entirely opaque to the enclave since the hardware does the save/restore under the covers. The Asynchronous Enclave Exit Notify (AEX Notify) mechanism provides enclaves an ability to detect and mitigate potential exposure to these kinds of attacks.
== The Solution ==
Define the new attribute value for AEX Notification. Ensure the attribute is cleared from the list reserved attributes. Instead of adding to the open-coded lists of individual attributes, add named lists of privileged (disallowed by default) and unprivileged (allowed by default) attributes. Add the AEX notify attribute as an unprivileged attribute, which will keep the kernel from rejecting enclaves with it set.
See the Intel documentation for more details on the Asynchronous Enclave Exit Notify support.
The patch now in TIP's x86/sgx adds support for allowing the secure enclaves to use AEX Notify. A separate patch also from Intel then exposes the EDECCSSA user leaf function to KVM guests. With now hitting the TIP x86 area, the code is expected to be merged for the Linux 6.2 merge window or given that it's security-related could even be attempted to land still for Linux 6.1 if deemed important enough for getting this more secure SGX enclave feature out there for helping prevent enclave attacks.