Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

CPUID enclave calls: can they be fwd to the host? Why not allowed?

josebraga
Beginner
613 Views

Hello,

Several projects like EdgelessRT's Ego and mysticos use OpenEnclave's `oe_add_vectored_exception_handler` to add a callback (*). This callback filters the exception by the CPUID opcall and then makes an ocall to fwd that to the host.

 

For instance, I am using a dependency in the enclave that will depend on https://github.com/minio/sha256-simd - so as I understand the cpuid calls are to check if CPU is capable of these optimizations. 

So this generated more doubts in me.
If we pass that to the host, and the host is able to show the CPU is capable of everything, will the code inside the enclave be able to take advantage of that? Or, is there a possibility that the CPU is capable, but the SGX enclave is "locking" those resources, so they are unusable?

Thanks for the support


 

(*) example
https://github.com/edgelesssys/ego/blob/master/src/exception_handler.cpp#L19

0 Kudos
1 Solution
Wan_Intel
Moderator
557 Views

Hi Josebraga,

"The CPUID instruction is also illegal inside the enclave. Thus software that retrieves CPUID information must do so outside the enclave. Therefore, this information cannot be assured from a security viewpoint and should be used carefully.


An enclave writer may write a custom untrusted function for gathering host system state, which may include CPUID values, system environment variables, and additional application attributes.


The results from a specific CPUID leaf could then be preserved inside the enclave (via a specific ECall) to avoid the overhead associated with performing an OCall to execute the CPUID instruction outside an enclave.


The key point is that this information is gathered in the untrusted domain and thus the application enclave should design and validate for the scenario in which unexpected or inconsistent data is provided."

 

For more information, refer to https://download.01.org/intel-sgx/sgx-linux/2.11/docs/Intel_SGX_Developer_Guide.pdf, page 35.

For more on exception handling in SGX, refer to https://cdrdv2-public.intel.com/671544/exception-handling-in-intel-sgx.pdf



Regards,

Wan



0 Kudos
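The validate-then-cache pattern described in the quoted guidance above, as an added example that is not part of the original thread and not Intel's, Open Enclave's or EGo's code. It is plain C with no SGX SDK calls; `host_cpuid_t`, `enclave_store_cpuid` and `enclave_can_use_sha_ni` are hypothetical names, and the consistency rules are this example's assumed policy.

```c
#include <stdbool.h>
#include <stdint.h>

/* CPUID registers as reported by the untrusted host (hypothetical layout). */
typedef struct {
    uint32_t max_basic_leaf; /* leaf 0, EAX */
    uint32_t leaf1_ecx;      /* leaf 1, ECX */
    uint32_t leaf7_ebx;      /* leaf 7 subleaf 0, EBX */
} host_cpuid_t;

#define L1_ECX_SSE41   (1u << 19)
#define L1_ECX_OSXSAVE (1u << 27)
#define L1_ECX_AVX     (1u << 28)
#define L7_EBX_AVX2    (1u << 5)
#define L7_EBX_SHA     (1u << 29)

enum { CPUID_OK = 0, CPUID_INCONSISTENT = -1, CPUID_CHANGED = -2 };

static host_cpuid_t g_cached; /* lives in enclave memory once accepted */
static bool g_have_cache;

/* Assumed policy of this example: reject reports whose bits contradict each other. */
static bool cpuid_is_consistent(const host_cpuid_t *c) {
    if (c->max_basic_leaf < 1) return false;
    if (c->max_basic_leaf < 7 && c->leaf7_ebx != 0) return false; /* leaf 7 beyond reported maximum */
    if ((c->leaf1_ecx & L1_ECX_AVX) && !(c->leaf1_ecx & L1_ECX_OSXSAVE)) return false;
    if ((c->leaf7_ebx & L7_EBX_AVX2) && !(c->leaf1_ecx & L1_ECX_AVX)) return false;
    return true;
}

/* Body of a hypothetical ECall: validate, then cache so no later OCall is needed. */
int enclave_store_cpuid(const host_cpuid_t *untrusted) {
    host_cpuid_t c = *untrusted; /* copy first so the host cannot alter it after the check */
    if (!cpuid_is_consistent(&c)) return CPUID_INCONSISTENT;
    if (g_have_cache) /* a later, different report counts as inconsistent data */
        return (c.max_basic_leaf == g_cached.max_basic_leaf && c.leaf1_ecx == g_cached.leaf1_ecx &&
                c.leaf7_ebx == g_cached.leaf7_ebx) ? CPUID_OK : CPUID_CHANGED;
    g_cached = c;
    g_have_cache = true;
    return CPUID_OK;
}

/* Without a validated report, callers get false and take the portable code path. */
bool enclave_can_use_sha_ni(void) {
    return g_have_cache && (g_cached.leaf7_ebx & L7_EBX_SHA) && (g_cached.leaf1_ecx & L1_ECX_SSE41);
}
```

A host can still lie within these rules, so the cached bits should only select between implementations that produce the same result.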
3 Replies
Wan_Intel
Moderator
590 Views

Hi Josebraga,

Thanks for reaching out to us.

Let me check with the relevant team and I'll update here at the earliest.



Regards,

Wan


0 Kudos
Wan_Intel
Moderator
503 Views

Hello Josebraga,

Thanks for your question.

 

If you need any additional information from Intel, please submit a new question as this thread will no longer be monitored.

 

 

Regards,

Wan


0 Kudos