Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question about if we need to trust BIOS for CPUSVN

Rd3
Beginner
551 Views

Hi Sir/Madam,

I am wondering about if I need to trust BIOS when using SGX platform. It seems to me that BIOS controls the firmware update including the microcode update. And BIOS controls the generation of CPUSVN. So if a malicious user reverse engineered the BIOS and switch it to his homebrew version. Can he downgrade the microcode version and still put the updated CPUSVN version number in QUOTE REPORT during remote attestation?

Thanks!

Rd

0 Kudos
2 Replies
Michalevsky__Yan
Beginner
551 Views

Hi Rd,

You don't need to trust the bios for that. While you do update microcode through the BIOS, or by running an Intel script with root permissions, it is a one-way transition till the next reboot, that cannot be reverted without restarting the machine. You don't need to worry about the BIOS if you correctly check the attestation quote you receive from the enclave which contains the CPUSVN. If the microcode is downgraded, the enclave would neither be able to attest to a more recent CPUSVN, nor derive a sealing key to access any data sealed under the more recent CPUSVN. While the BIOS helps you update the microcode, the CPU itself is producing the attestation quote.

Yan,
Anjuna.io

0 Kudos
Rd3
Beginner
551 Views

Michalevsky, Yan wrote:

Hi Rd,

You don't need to trust the bios for that. While you do update microcode through the BIOS, or by running an Intel script with root permissions, it is a one-way transition till the next reboot, that cannot be reverted without restarting the machine. You don't need to worry about the BIOS if you correctly check the attestation quote you receive from the enclave which contains the CPUSVN. If the microcode is downgraded, the enclave would neither be able to attest to a more recent CPUSVN, nor derive a sealing key to access any data sealed under the more recent CPUSVN. While the BIOS helps you update the microcode, the CPU itself is producing the attestation quote.

Yan,
Anjuna.io

Hi Yanm

Thanks for your reply! Correct me if I am wrong. My current understanding is that bios or root can update the microcode, and the microcode update will update the CPUSVN. When a CPUSVN is embedded into a report, it actually comes from the CPU directly (through some microcodes or specific instruction?). So BIOS has no way to interfere with the process of correct CPUSVN getting report.

Am i right?

Thanks!

Rd

0 Kudos
Reply