Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question on MAC in the PCMD of evicted page

Nguyen__Minh
Beginner

Hi,

I don't understand the EWB/ELD part in the SDM because of missing information, so I would appreciate it if someone could help clarify. Following the SDM's EWB microcode and Intel patent US9690704, I think the MAC created by EWB does not cover the EID, and the hardware saves the EID into the PCMD structure. In the SDM's ELDU instruction part, the AES_GCM_DEC algorithm of the ELD instruction takes the EID as one of its arguments. How can the verification between the MAC produced by ELD and the MAC produced by EWB pass, when the latter does not cover the EID? How should I interpret this part?

On the other hand, the SDM section 39.5.3 mentions that

Evict the page using the EWB leaf function with parameters include the effective-address pointer to the EPC page, the VA slot, a 4K byte buffer to hold the encrypted page contents, and a 128 byte buffer to hold page metadata. The last three elements are tied together cryptographically and must be used to later reload the page.

and the Intel SGX Explained says that

The MAC tag covers the authenticity of the EPC page contents, the metadata, and the nonce. The MAC tag is checked by ELDU and ELDB , which will only load an evicted page back into the EPC if the MAC verification confirms the authenticity of the page data, metadata, and nonce.

which I think indicates that the EID must be part of the MAC.

In summary, I am uncertain whether the EID is covered by the MAC created by EWB, or the SDM just omits this step in the microcode.

Best regards,

Hoang Minh

4 Replies
Scott_R_Intel
Employee

Hello Hoang.

Yes, the EID is included in the MAC.  You can find reference to this being used, and therefore needing to be MAC'd, in the EWD and EWB and ELD pseudocode in the SDM...

EWB - where the TMP_HEADER is the MAC Header and is passed to AES_GCM_ENC:

    (* Obtain EID to establish cryptographic binding between the paged-out page and the enclave *)
    TMP_HEADER.EID <- TMP_SECS.EID;

ELD - where again the TMP_HEADER is the MAC header and is passed to AES_GCM_DEC:

    TMP_HEADER.EID <- DS:TMP_SECS.EID;

Regards.

Scott

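As an added illustration (not code from the original thread, from Intel, or from the SDM), the following Go program models what the reply above describes: the page is encrypted with AES-GCM, the VA-slot version acts as the nonce, and the metadata header (TMP_HEADER, including the EID) is passed as additional authenticated data, so it is covered by the MAC tag stored in the PCMD. The header field set, key handling and nonce derivation are simplified assumptions for this example, not the real microcode layout. It shows that presenting the evicted page with a different EID, or with a stale version counter, fails verification at reload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// PageHeader is a simplified stand-in for the SDM's TMP_HEADER, the MAC
// header EWB hands to AES_GCM_ENC as additional authenticated data.
// The field set is an assumption for this example, not the real layout.
type PageHeader struct {
	LinAddr uint64 // enclave linear address the page was evicted from
	EID     uint64 // enclave ID copied from the SECS
	Flags   uint64 // page type/permissions (stands in for SECINFO)
}

// serialize encodes the header deterministically so EWB and ELD MAC the
// same bytes; any field change (e.g. a different EID) changes the AAD.
func (h PageHeader) serialize() []byte {
	buf := make([]byte, 24)
	binary.LittleEndian.PutUint64(buf[0:], h.LinAddr)
	binary.LittleEndian.PutUint64(buf[8:], h.EID)
	binary.LittleEndian.PutUint64(buf[16:], h.Flags)
	return buf
}

// versionNonce derives the 96-bit GCM nonce from the VA-slot version
// counter, so a replayed copy with a stale version does not verify.
func versionNonce(version uint64) []byte {
	n := make([]byte, 12)
	binary.LittleEndian.PutUint64(n[4:], version)
	return n
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Evict models EWB: encrypt the page under the paging key and return the
// ciphertext plus the 16-byte tag that would land in the PCMD. The tag
// covers the ciphertext, the header (AAD) and the nonce.
func Evict(key, page []byte, hdr PageHeader, version uint64) (ct, tag []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	sealed := gcm.Seal(nil, versionNonce(version), page, hdr.serialize())
	split := len(sealed) - gcm.Overhead()
	return sealed[:split], sealed[split:], nil
}

// Reload models ELDU/ELDB: rebuild the header from the SECS the caller
// claims the page belongs to and accept the page only if the tag verifies.
func Reload(key, ct, tag []byte, hdr PageHeader, version uint64) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ct...), tag...)
	page, err := gcm.Open(nil, versionNonce(version), sealed, hdr.serialize())
	if err != nil {
		return nil, errors.New("ELD: MAC verification failed, page rejected")
	}
	return page, nil
}

func main() {
	key := make([]byte, 16) // per-boot paging key, constructed here
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	page := bytes.Repeat([]byte{0xAB}, 4096) // constructed 4K page contents
	hdr := PageHeader{LinAddr: 0x7f0000001000, EID: 42, Flags: 0x3}
	ct, tag, err := Evict(key, page, hdr, 1)
	if err != nil {
		panic(err)
	}
	if _, err := Reload(key, ct, tag, hdr, 1); err != nil {
		panic(err)
	}
	fmt.Println("genuine reload: ok")
	// Same ciphertext presented as belonging to another enclave (EID 43).
	other := hdr
	other.EID = 43
	_, err = Reload(key, ct, tag, other, 1)
	fmt.Println("reload with swapped EID:", err)
	// Same ciphertext replayed after the VA slot version has moved on.
	_, err = Reload(key, ct, tag, hdr, 2)
	fmt.Println("reload with stale version:", err)
}
```

The point the model makes concrete: because the EID is part of the AAD, ELD does not need the EID to be stored in the ciphertext; it recomputes the header from the SECS it is given, and a mismatch anywhere in that header (EID, address, permissions) or in the version nonce makes the GCM tag check fail.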
Nguyen__Minh
Beginner

Hi Scott,

Thanks for your confirmation! As for EWB, the SDM states that the entire TMP_HEADER will be zeroed out after the EID is assigned to the header, which leads to confusion:

    TMP_HEADER.EID <- TMP_SECS.EID
    ...
    (* Zero out TMP_HEADER *)
    TMP_HEADER[sizeof(TMP_HEADER)-1:0] <- 0

I agree with you on the ELD part.

Regards,

Minh

Scott_R_Intel
Employee

Hi Minh.

Now I understand your confusion and I have confirmed this is an issue in the SDM pseudocode for EWB.  For clarification, the TMP_HEADER is actually cleared before any data is written into it, as you would expect.  I will work to get that corrected.

Regards.

Scott

Nguyen__Minh
Beginner

Hi Scott,

Thank you so much for the clarifications!

Regards,

Minh
