Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

BIOS part of TCB in case of SGX

Roshan_Mehta
Beginner
396 Views

I had an argument with my friend who says BIOS is also a part of TCB for an application using SGX and his point is as follows:

SGX support detection is indicated in CPUID EBX bit 02, but its availability to applications requires BIOS support and opt-in enabling which is not reflected in CPUID bits. So if your BIOS is corrupt or compromised, you could never be able to detect SGX and use SGX feature. 

Does he make sense? because I remember reading it somewhere that SGX TCB is the only CPU.

0 Kudos
1 Solution
Juan_d_Intel
Employee
396 Views

A compromised BIOS could disable SGX on a platform. But that's a DoS attack, which SGX has no way to prevent.

However, the BIOS is outside an enclave TCB. A running enclave doesn't "use" the BIOS.

View solution in original post

1 Reply
Juan_d_Intel
Employee
397 Views

A compromised BIOS could disable SGX on a platform. But that's a DoS attack, which SGX has no way to prevent.

However, the BIOS is outside an enclave TCB. A running enclave doesn't "use" the BIOS.

Reply