Hi,
I don't understand the EWB/ELD part in the SDM because of missing information, so I would appreciate it if someone could help clarify. Following the SDM's EWB microcode and Intel patent US9690704, I think the MAC created by EWB does not cover the EID, and the hardware saves the EID into the PCMD structure. In the SDM's ELDU instruction section, the AES_GCM_DEC algorithm of the ELD instruction takes the EID as one of its arguments. How can the verification between the MAC produced by ELD and the MAC produced by EWB, which does not cover the EID, pass? How should I interpret this part?
On the other hand, the SDM section 39.5.3 mentions that
Evict the page using the EWB leaf function with parameters include the effective-address pointer to the EPC page, the VA slot, a 4K byte buffer to hold the encrypted page contents, and a 128 byte buffer to hold page metadata. The last three elements are tied together cryptographically and must be used to later reload the page.
and the Intel SGX Explained says that
The MAC tag covers the authenticity of the EPC page contents, the metadata, and the nonce. The MAC tag is checked by ELDU and ELDB, which will only load an evicted page back into the EPC if the MAC verification confirms the authenticity of the page data, metadata, and nonce.
From this I think they indicate that the EID must be part of the MAC.
In summary, I am uncertain whether the EID is covered by the MAC created by EWB, or the SDM just omits this step in the microcode.
Best regards,
Hoang Minh
Hello Hoang.
Yes, the EID is included in the MAC. You can find references to it being used, and therefore needing to be MAC'd, in the EWD and EWB and ELD pseudocode in the SDM:
EWB - where the TMP_HEADER is the MAC Header and is passed to AES_GCM_ENC:
(* Obtain EID to establish cryptographic binding between the paged-out page and the enclave *)
TMP_HEADER.EID <- TMP_SECS.EID;
ELD - where again the TMP_HEADER is the MAC header and is passed to AES_GCM_DEC:
TMP_HEADER.EID <- DS:TMP_SECS.EID;
Regards.
Scott
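To make the binding Scott describes concrete: the header fields (including the EID copied from SECS) are the additional authenticated data of AES-GCM, so the tag covers them without encrypting them. The model below is an added illustration, not SDM microcode or any Intel code; the key, the header layout and the 12-byte nonce standing in for the VA slot are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// macHeader models the SDM's TMP_HEADER (the MAC header saved in the PCMD) that EWB
// passes to AES_GCM_ENC as AAD; field set and layout are simplified (assumption).
type macHeader struct {
	EID     uint64 // enclave identity, copied from SECS.EID
	LinAddr uint64 // enclave linear address of the page
	RWX     uint8  // page permissions
}

// aad serialises the header exactly as the MAC covers it.
func (h macHeader) aad() []byte {
	b := make([]byte, 17)
	binary.LittleEndian.PutUint64(b[0:8], h.EID)
	binary.LittleEndian.PutUint64(b[8:16], h.LinAddr)
	b[16] = h.RWX
	return b
}

// pagingAEAD builds AES-GCM from a (hypothetical) 128-bit per-enclave paging key.
func pagingAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error in this model
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// ewb models EWB: the page body is encrypted and the header authenticated, so the GCM
// tag appended to the output covers page contents, metadata and the 12-byte nonce
// (which stands in for the VA-slot nonce and must be unique per eviction).
func ewb(key []byte, hdr macHeader, nonce, page []byte) []byte {
	return pagingAEAD(key).Seal(nil, nonce, page, hdr.aad())
}

// eld models ELD: the header is rebuilt from the *current* SECS.EID, so a page evicted
// from one enclave cannot be loaded into another, and altered metadata is rejected.
func eld(key []byte, hdr macHeader, nonce, ct []byte) ([]byte, error) {
	return pagingAEAD(key).Open(nil, nonce, ct, hdr.aad())
}
```

Reloading with the same header succeeds, while a different EID, a changed linear address or a flipped ciphertext byte all fail the Open call, which is the MAC check ELD performs.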
Hi Scott,
Thanks for your confirmation! As for the EWB, the SDM states that the entire TMP_HEADER will be zeroed out after the EID is assigned to the header, which leads to confusion:
TMP_HEADER.EID <- TMP_SECS.EID
...
(* Zero out TMP_HEADER *)
TMP_HEADER[sizeof(TMP_HEADER)-1:0] <- 0
I agree with you on the ELD part.
Regards,
Minh
Hi Minh.
Now I understand your confusion and I have confirmed this is an issue in the SDM pseudocode for EWB. For clarification, the TMP_HEADER is actually cleared before any data is written into it, as you would expect. I will work to get that corrected.
Regards.
Scott
Hi Scott,
Thank you so much for the clarifications!
Regards,
Minh