Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1362 Discussions

BIOS part of TCB in case of SGX

Roshan_Mehta
Beginner
‎11-17-2017 07:16 AM
537 Views
Solved Jump to solution

I had an argument with my friend who says BIOS is also a part of TCB for an application using SGX and his point is as follows:

SGX support detection is indicated in CPUID EBX bit 02, but its availability to applications requires BIOS support and opt-in enabling which is not reflected in CPUID bits. So if your BIOS is corrupt or compromised, you could never be able to detect SGX and use SGX feature. 

Does he make sense? because I remember reading it somewhere that SGX TCB is the only CPU.

0 Kudos
1 Solution
Juan_d_Intel
Employee
‎11-21-2017 10:36 AM
537 Views
Solved Jump to solution

A compromised BIOS could disable SGX on a platform. But that's a DoS attack, which SGX has no way to prevent.

However, the BIOS is outside an enclave TCB. A running enclave doesn't "use" the BIOS.

View solution in original post

0 Kudos
Copy link

Link Copied

1 Reply
Juan_d_Intel
Employee
‎11-21-2017 10:36 AM
538 Views
Solved Jump to solution

A compromised BIOS could disable SGX on a platform. But that's a DoS attack, which SGX has no way to prevent.

However, the BIOS is outside an enclave TCB. A running enclave doesn't "use" the BIOS.

0 Kudos
Copy link
Reply

For more complete information about compiler optimizations, see our Optimization Notice.