Solved: Does PRERELEASE compilation mode enforce memory isolation of the enclaves on Linux?

Ket · ‎06-02-2022

Dear all,

I'm working on a proof of concept to demonstrate that SGX enclaves protect the content of the memory, by scanning the allocated memory of a process that hosts an enclave.

From the untrusted part, when scanning some values that are only located in the enclave (transferred using TLS, not hardcoded in the enclave binary), I found them in a memory range allocated in the process and indicated to be part of the mapped pages of /dev/isgx when checking /proc/<pid>/maps, which surprises me because I thought PRERELEASE mode offered the same security guarantees than RELEASE in terms of isolation.

My enclave is compiled using the following flags:

SGX_MODE ?= HW
SGX_PRERELEASE ?= 1
SGX_DEBUG ?= 0

The XML config file looks like this:

<EnclaveConfiguration>
<ProdID>0</ProdID>
<ISVSVN>0</ISVSVN>
<StackMaxSize>0x100000</StackMaxSize>
<HeapMaxSize>0x2000000</HeapMaxSize>
<ReservedMemMaxSize>0x1000000</ReservedMemMaxSize>
<ReservedMemExecutable>1</ReservedMemExecutable>
<TCSNum>10</TCSNum>
<TCSPolicy>1</TCSPolicy>
<DisableDebug>0</DisableDebug>
<MiscSelect>0</MiscSelect>
<MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>

Note that according to this article, that seems OK to have DisableDebug set to zero. I'm wondering if this flag may leak the values stored in an enclave. It is worth noting that switching this flag to 1 throws the same error described in the article, preventing further testing in that direction.

My question is: when the enclave is compiled in PRERELEASE mode with the aforementioned settings, is the memory isolation enforced by SGX on Linux? If not so, is it possible to tweak some parameters to enforce it, without having a commercial license?

Many thanks for your time!

Cheers

EDIT (2022-06-03): I have found an article regarding SCONE (aka Scontains) that describes a similar use case as mine (dumping secrets from a memory scanner). It seems it is normal to be able to dump secrets when compiled in PRERELEASE (see Hardware Mode in the article). I still would like an official confirmation from Intel about it though.

Sahira_Intel · ‎06-16-2022

Hi Ket,

In an enclave launched in release mode, which disables the access to the enclave's memory (by untrusted apps, debugger, etc) at a hardware level. Pre-Release mode does not have this functionality.

Hope this helps

Sincerely,

Sahira

View solution in original post

Sahira_Intel · ‎06-08-2022

Hi Ket,

Yes, DisableDebug flag must remain 0 if you are running in pre-release mode. Also make sure the other flags are set correctly to run in pre-release mode (sgx_prerelease =1, sgx_debug=0, sgx_mode=hw)

In pre-release mode, the data is not necessarily protected by the hw. For full memory protection, you would need to have the enclave signed by intel.

Hope this is helpful.

Sincerely,

Sahira

Ket · ‎06-16-2022

Dear Sahira,

Many thanks for your response! This explains why we observe such results. May you please share more information regarding how data is protected in PRERELEASE mode and the difference between PRERELEASE and RELEASE in terms of memory isolation (provided we use an up-to-date Linux distribution as an OS)?

Many thanks!

Cheers

Sahira_Intel · ‎06-16-2022

Hi Ket,

In an enclave launched in release mode, which disables the access to the enclave's memory (by untrusted apps, debugger, etc) at a hardware level. Pre-Release mode does not have this functionality.

Hope this helps

Sincerely,

Sahira