Intel SGX Enclaves Were Prone To Crashes On Linux Under Heavy Memory Pressure

Written by Michael Larabel in Intel on 24 May 2022 at 04:55 AM EDT. 4 Comments
INTEL
Intel's Software Guard Extensions (SGX) as security-related extensions to their processors that allow for protected memory enclaves has had a rather bouncy journey. Intel continues supporting SGX on their latest Xeon processors but on the client side have been deprecated since 11th Gen Core. Over the years SGX has been found vulnerable to various attacks from speculative execution exploits to Plundervolt. It also turns out under Linux until now was also open to crashing under memory pressure.

Queued up as part of the SGX changes for Linux 5.19 is addressing the possibility of the SGX support crashing when under heavy memory pressure. Dave Hansen of Intel explained in the SGX updates for v5.19:
A set of patches to prevent crashes in SGX enclaves under heavy memory pressure:

SGX uses normal RAM allocated from special shmem files as backing storage when it runs out of SGX memory (EPC). The code was overly aggressive when freeing shmem pages and was inadvertently freeing perfectly good data. This resulted in failures in the SGX instructions used to swap data back into SGX memory.

The "good" news is that it's difficult to trigger this behavior on the mainline Linux kernel and likely how the problem lasted so long. Intel noticed the issue when testing their latest out-of-tree patches for "SGX2" and then when investigating that discovered that the mainline code is also vulnerable albeit less likely to be encountered.


The SGX updates for Linux 5.19 fix this issue by being more careful about truncating pages out of the backing storage and the marking of dirty pages.
4 Comments
Related News
Intel P-State Energy Aware Scheduling Patches Updated For Lunar Lake
Intel Lands "Round Robin Strict" Driver Optimization For Helping Battlemage/Xe2
Intel Looking To Raise SPIR-V Backend To Becoming An Official LLVM Target
Intel Panther Lake & Clearwater Forest Power Management Patches For Linux 6.14
Intel Begins Readying Graphics Driver Changes For The Linux 6.14 Kernel
UMD Direct Submission "Proof Of Concept" For The Intel Xe Linux Driver
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries