- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The recent Intel SDM volume 3 (Section 42.2.2) notes that the public-key for verifying Launch Enclave can be configured on new SGX processors. Examining the processors I bought in Dec 2015, none of them have IA32_FEATURE_CONTROL[bit 17] set, so my question is can someone at Intel point to any processor which is in production and which I can use to configure IA32_SGXLEPUBKEYHASH.
From a cryptographic perspective (as has been independently noted by others https://eprint.iacr.org/2016/086.pdf ), the policy decisions for which enclave should be allowed to run on a platform is a very local to the 3rd party environment. Launch enclave is the ideal place for enforcing these policy decisions, but when third parties cannot sign their own Launch Enclave, they are limited to the generic policies (basic white-listing/black-listing) that can be enforced using Intel provided Launch Enclave. (For example, I'd like the launch enclave to authenticate a certain limited set of users on the system before granting EINIT token. Granted that EINIT is not replay-protected by default, so user auth is not that useful, but that's a flaw in the EINIT design which can be somewhat mitigated if one writes his/her my own Enclave loader.) Furthermore, as a third party, I do not want to place my trust in Intel provided Launch Enclave (unless you can provide a formal proof -- open source is not good enough -- that your launch enclave is only doing what it's supposed to do), so it will be really useful if Intel allowed 3rd parties to create their own launch enclaves.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Suman,
The Intel® SGX flexible launch policy capability is targeted for future Intel platforms. Currently, there are no production processors supporting this capability today. We appreciate your feedback and your 3rd party perspective
Thanks and Regards,
Surenthar Selvaraj
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone who knows of a Processor Model number that might have IA32_SGXLEPUBKEYHASH configurable?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Suman,
The Intel® SGX flexible launch policy capability is targeted for future Intel platforms. Currently, there are no production processors supporting this capability today. We appreciate your feedback and your 3rd party perspective
Thanks and Regards,
Surenthar Selvaraj

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page