[Cryptography] Intel SGX: Augean stables piled higher & deeper?

[Steve Weis]

On Tue, May 19, 2015 at 7:09 AM, John Ioannidis <ji at tla.org> wrote:
>
> So how is SGX different from Palladium from 15 years ago?
>
> I'm not worried about its potential use for DRM. OTOH, I *am* worried
> about code installed by, say, Lenovo, that I can't even see is running,
> that's leaking secrets.
>

Palladium's "curtained memory" is similar in concept to SGX secure
enclaves. However, to my knowledge, the Palladium vision of curtained
memory was never implemented. My guess is that they wanted something like
SGX in the architecture, but ended up with TPMs as a compromise.

I think there were proposals to run trusted applications inside the TPM,
similar to a smart card applications. I don't know of any TPM functionality
that would support that. I've also seen the phrase "memory curtaining"
applied to VT-d and IOMMU, which I don't think is what Palladium originally
envisioned.

Another key difference is that SGX is running on encrypted memory. That
didn't make as much sense in 1997, but today you have three differences: 1)
Fast hardware crypto support in the architecture 2) The cloud: people
running on servers they don't physically own 3) Likely adoption of
non-volatile RAM in coming years.

In terms of your Lenovo concern: SGX is user-mode only. If you control the
kernel, you can kill enclaves. Enclaves can't hide from the kernel like
SMM. This does mean compromised kernel code can deny service to your
enclaves though.

Incidentally, Apple's iOS secure enclave is not SGX, but I see some
similarities: backed by encrypted memory, attested, hardware-backed keys,
used for cryptographic operations, etc. See:
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150519/28187fe9/attachment.html>