Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

BIOS part of TCB in case of SGX

Roshan_Mehta
Beginner
1,089 Views

I had an argument with my friend who says BIOS is also a part of TCB for an application using SGX and his point is as follows:

SGX support detection is indicated in CPUID EBX bit 02, but its availability to applications requires BIOS support and opt-in enabling which is not reflected in CPUID bits. So if your BIOS is corrupt or compromised, you could never be able to detect SGX and use SGX feature. 

Does he make sense? because I remember reading it somewhere that SGX TCB is the only CPU.

0 Kudos
1 Solution
Juan_d_Intel
Employee
1,089 Views

A compromised BIOS could disable SGX on a platform. But that's a DoS attack, which SGX has no way to prevent.

However, the BIOS is outside an enclave TCB. A running enclave doesn't "use" the BIOS.

View solution in original post

0 Kudos
1 Reply
Juan_d_Intel
Employee
1,090 Views

A compromised BIOS could disable SGX on a platform. But that's a DoS attack, which SGX has no way to prevent.

However, the BIOS is outside an enclave TCB. A running enclave doesn't "use" the BIOS.

0 Kudos
Reply