Hi Sir/Madam,
I am wondering whether I need to trust the BIOS when using an SGX platform. It seems to me that the BIOS controls firmware updates, including the microcode update, and the BIOS controls the generation of the CPUSVN. So if a malicious user reverse engineers the BIOS and switches it to his homebrew version, can he downgrade the microcode version and still put the updated CPUSVN version number in the QUOTE REPORT during remote attestation?
Thanks!
Rd
Hi Rd,
You don't need to trust the BIOS for that. While you do update microcode through the BIOS, or by running an Intel script with root permissions, it is a one-way transition until the next reboot; it cannot be reverted without restarting the machine. You don't need to worry about the BIOS if you correctly check the attestation quote you receive from the enclave, which contains the CPUSVN. If the microcode is downgraded, the enclave would neither be able to attest to a more recent CPUSVN, nor derive a sealing key to access any data sealed under the more recent CPUSVN. While the BIOS helps you update the microcode, the CPU itself is producing the attestation quote.
Yan,
Anjuna.io
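The check Yan describes ("correctly check the attestation quote ... which contains the CPUSVN") is the verifier-side step that makes a BIOS-driven microcode downgrade visible. The following is an added example, not code from the thread, from Anjuna or from Intel: it pulls the CPUSVN, PCESVN, MRSIGNER and ISVSVN out of a quote-shaped byte string using the public sgx_quote_t / sgx_report_body_t field offsets, then applies the TCB-level matching rule (every CPUSVN component and the PCESVN must be at or above the level's components) to decide whether the platform is UpToDate. The TCB levels, the MRSIGNER value and the quote bytes are constructed for the demo; `build_quote`, `tcb_status` and `check_platform` are hypothetical helper names. Nothing here verifies the quote's signature: in real use the quote must first be checked by IAS or the DCAP Quote Verification Library, because an unsigned CPUSVN proves nothing, and the TCB levels come from Intel's TCB info for the platform's FMSPC rather than from constants.

```python
"""Added example: parse the report body of an SGX quote and apply a
CPUSVN / PCESVN TCB-level policy.  Offsets follow the Intel SGX SDK's
sgx_quote_t (48-byte header) and sgx_report_body_t (384 bytes).
All TCB levels, SVN values and quote bytes below are CONSTRUCTED."""
import struct

QUOTE_HEADER_LEN = 48    # version, sign_type, epid_group_id, qe_svn, pce_svn, xeid, basename[32]
REPORT_BODY_LEN = 384
# Field offsets inside sgx_report_body_t (public SDK layout)
OFF_CPUSVN, OFF_MRENCLAVE, OFF_MRSIGNER = 0, 64, 128
OFF_ISVPRODID, OFF_ISVSVN, OFF_REPORTDATA = 256, 258, 320

# Constructed TCB levels in the shape of Intel's TCB info "tcbLevels":
# 16 CPUSVN components plus a PCESVN, newest level first.
TCB_LEVELS = [
    {"cpusvn": bytes([5, 5, 2, 2, 3, 1, 0, 0] + [0] * 8), "pcesvn": 11, "status": "UpToDate"},
    {"cpusvn": bytes([4, 4, 2, 2, 3, 1, 0, 0] + [0] * 8), "pcesvn": 10, "status": "OutOfDate"},
    {"cpusvn": bytes([2, 2, 2, 2, 3, 1, 0, 0] + [0] * 8), "pcesvn": 5, "status": "Revoked"},
]
MR_SIGNER = bytes.fromhex("aa" * 32)   # constructed enclave signer measurement


def parse_report_body(quote):
    """Extract the fields a verifier keys its policy on.  The CPUSVN here is
    written by the CPU when the report is generated, not by the BIOS."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short to contain a report body")
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    pce_svn, = struct.unpack_from("<H", quote, 10)        # pce_svn sits at header offset 10
    return {
        "cpu_svn": body[OFF_CPUSVN:OFF_CPUSVN + 16],
        "pce_svn": pce_svn,
        "mr_enclave": body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
        "mr_signer": body[OFF_MRSIGNER:OFF_MRSIGNER + 32],
        "isv_prod_id": struct.unpack_from("<H", body, OFF_ISVPRODID)[0],
        "isv_svn": struct.unpack_from("<H", body, OFF_ISVSVN)[0],
        "report_data": body[OFF_REPORTDATA:OFF_REPORTDATA + 64],
    }


def tcb_status(cpu_svn, pce_svn, levels=TCB_LEVELS):
    """Walk the levels newest-first; the first level the platform meets or
    exceeds in every CPUSVN component and in PCESVN gives its status.
    CPUSVN is opaque as a whole, so it is never compared as one integer."""
    for lvl in levels:
        if pce_svn >= lvl["pcesvn"] and all(a >= b for a, b in zip(cpu_svn, lvl["cpusvn"])):
            return lvl["status"]
    return "TcbLevelNotFound"   # below every published level: do not trust


def check_platform(quote, expected_mr_signer, min_isv_svn):
    """Policy applied AFTER the quote signature has been verified (IAS / QvL).
    Returns (accepted, reason)."""
    r = parse_report_body(quote)
    if r["mr_signer"] != expected_mr_signer:
        return False, "unexpected MRSIGNER"
    if r["isv_svn"] < min_isv_svn:
        return False, "enclave ISVSVN too old"
    status = tcb_status(r["cpu_svn"], r["pce_svn"])
    if status != "UpToDate":
        return False, "platform TCB " + status
    return True, "UpToDate"


def build_quote(cpu_svn, pce_svn, isv_svn, mr_signer, report_data=b"\0" * 64):
    """Assemble an UNSIGNED quote-shaped byte string for the demo (constructed;
    a real quote carries a signature that must be verified before use)."""
    header = struct.pack("<HHIHHI32s", 2, 0, 0, 1, pce_svn, 0, b"\0" * 32)
    body = bytearray(REPORT_BODY_LEN)
    body[OFF_CPUSVN:OFF_CPUSVN + 16] = cpu_svn
    body[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mr_signer
    struct.pack_into("<H", body, OFF_ISVSVN, isv_svn)
    body[OFF_REPORTDATA:OFF_REPORTDATA + 64] = report_data
    return header + bytes(body) + struct.pack("<I", 0)   # zero-length signature field


if __name__ == "__main__":
    current = build_quote(bytes([5, 5, 2, 2, 3, 1, 0, 0] + [0] * 8), 11, 3, MR_SIGNER)
    # A platform whose microcode was rolled back reports the OLDER CPUSVN,
    # because the CPU, not the BIOS, fills in the report body.
    downgraded = build_quote(bytes([4, 5, 2, 2, 3, 1, 0, 0] + [0] * 8), 11, 3, MR_SIGNER)
    print("current  :", check_platform(current, MR_SIGNER, 2))
    print("downgraded:", check_platform(downgraded, MR_SIGNER, 2))
```

The two sample quotes differ only in the first CPUSVN component; the downgraded one matches the second TCB level and is rejected as OutOfDate. A verifier that instead accepted any CPUSVN, or that skipped signature verification, would be exactly the verifier a homebrew BIOS could fool.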
Michalevsky, Yan wrote: (quoting the reply above)
Hi Yan,
Thanks for your reply! Correct me if I am wrong. My current understanding is that the BIOS or root can update the microcode, and the microcode update will update the CPUSVN. When a CPUSVN is embedded into a report, it actually comes from the CPU directly (through some microcode or a specific instruction?). So the BIOS has no way to interfere with the process of getting the correct CPUSVN into the report.
Am I right?
Thanks!
Rd