Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Sealing Rollback issues in absence of Monotonic Counter APIs

Jangid__Mohit_Kumar

Hi There,


The Intel SGX SDK has dropped support for the monotonic counter APIs since version 2.8. What are your suggestions for SGX application developers on preventing sealing replay (replay of old sealed data) problems?

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


It will take a bit of reading but I think this post and the answers below it may address your question: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Platform-Service-Enclave-and-ME-for-Intel-Xeon-Server/m-p/1173100/highlight/true#M3285


JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


Did the thread I provided above help answer your question?


Jangid__Mohit_Kumar

Hi There,

Thank you for your responses. 
I read the thread in detail there, but I am not sure if I understand it correctly.
This is what I understand: since Intel is not able to establish a secure path between the TPM and the enclave to utilize trusted monotonic counters, the feature is discontinued from SDK 2.8 onwards. Is that correct?

 

Also, could you please answer these follow-up questions:

1. Why is Intel not able to secure a path between the TPM and the enclave?

2. Is it discontinued for all platforms or only some specific ones?

 

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


SGX never had a secure path to any TPM. SGX used the Intel Converged Security and Management Engine (Intel CSME) for monotonic counters and trusted time, aka SGX Platform Services. Almost no server platforms, and possibly none at all, contain or ship with the CSME. Therefore, we cannot support SGX Platform Services on servers.

 

We no longer support Platform Services on any platform.


Jangid__Mohit_Kumar

Thank you for the clarification. 

What about normal personal laptop and desktop users?
If no machines are shipped with Intel CSME, then how do SGX SDKs (2.7 and below) provide monotonic counter support?

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


I wrote that "server" platforms do not ship with Intel CSME. Client platforms do ship with Intel CSME.


Since the biggest market for SGX is server-based, and servers do not have CSME, it was decided to pull Platform Services, which includes monotonic counters, from all platforms.


Regards,

Jesus G.

Intel Customer Support


Jangid__Mohit_Kumar

Appreciate your prompt response. I got your point. 

A few more follow-up questions:

1. So the discontinuation of PSE is a market/logistics-based decision, not one driven by security concerns about the PSE implementation. Am I right?

2. Now that the platforms do not ship with Intel CSME, what are Intel's future plans to support state continuity? How are current users supposed to work around it?

 

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


You are correct on question #1.


For question #2, let's clarify. Client platforms ship with Intel CSME, server platforms do not ship with Intel CSME. None of the platforms have SGX Platform Services, which include monotonic counters.


As a workaround, some cloud service providers who require trusted time are utilizing a remote/centralized trusted time source in their solutions.


As explained in this GitHub issue, "you can arguably have fully capable SGX instances: you should be able to open a TLS connection to an NTP server you trust from within the enclave to obtain a source of trusted time. If you think of trusted monotonic counter as an instance of trusted time, you could get both using the same mechanism."


Regards,

Jesus G.

Intel Customer Support


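To make the sealing-replay problem from the opening question and the "remote trusted counter" workaround from the accepted answer concrete, here is an added simulation (not Intel SDK code and not from any poster in this thread). The SGX sealing key is stood in for by a fixed HMAC key, `TrustedCounterService` stands in for the remote counter/time source that the answer says an enclave could reach over TLS, and every blob and value is constructed for the example. The point it shows is that a MAC alone cannot distinguish the current sealed blob from an older, equally valid one; binding a trusted counter value into the sealed record and checking it on unseal does.

```python
"""Rollback (replay) of sealed enclave state, and detection with a trusted counter.

Added illustration for this thread; it is not Intel SGX SDK code. SEAL_KEY
stands in for the enclave sealing key and TrustedCounterService stands in for
a remote, authenticated counter source. All values are constructed.
"""
import hashlib
import hmac
import json

SEAL_KEY = b"constructed stand-in for the enclave sealing key"  # hypothetical
TAG_LEN = 32  # SHA-256 HMAC tag length in bytes


class TrustedCounterService:
    """Monotonic counter the local OS cannot roll back (assumed reachable over
    an authenticated channel, e.g. TLS terminated inside the enclave)."""

    def __init__(self) -> None:
        self._value = 0

    def increment(self) -> int:
        self._value += 1
        return self._value

    def read(self) -> int:
        return self._value


def seal(state: dict, counter: int) -> bytes:
    """Bind the state to the counter value and MAC the whole record."""
    body = json.dumps({"state": state, "counter": counter}, sort_keys=True).encode()
    tag = hmac.new(SEAL_KEY, body, hashlib.sha256).digest()
    return tag + body


def _verify_and_decode(blob: bytes) -> dict:
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SEAL_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed blob failed integrity check")
    return json.loads(body)


def unseal_naive(blob: bytes) -> dict:
    """Integrity only: every blob this enclave ever sealed verifies, so a
    stale copy handed back by the OS is accepted unnoticed."""
    return _verify_and_decode(blob)["state"]


def unseal_checked(blob: bytes, trusted_counter: int) -> dict:
    """Integrity plus freshness: the counter sealed with the state must equal
    the current value of the trusted counter."""
    record = _verify_and_decode(blob)
    if record["counter"] != trusted_counter:
        raise ValueError(
            f"rollback detected: sealed counter {record['counter']} "
            f"!= trusted counter {trusted_counter}"
        )
    return record["state"]


def run_scenario() -> dict:
    """Enclave spends credits twice; untrusted storage replays the first blob."""
    counter = TrustedCounterService()
    # Increment first, then seal, so no blob names a counter value that does
    # not yet exist on the trusted side.
    old_blob = seal({"credits": 10}, counter.increment())  # counter == 1
    new_blob = seal({"credits": 5}, counter.increment())   # counter == 2

    # An OS-level attacker restores the earlier sealed file in place of new_blob.
    untrusted_storage = old_blob

    naive_credits = unseal_naive(untrusted_storage)["credits"]
    try:
        unseal_checked(untrusted_storage, counter.read())
        checked_detected = False
    except ValueError:
        checked_detected = True
    genuine_credits = unseal_checked(new_blob, counter.read())["credits"]
    return {
        "naive_credits": naive_credits,        # 10: replay accepted
        "checked_detected": checked_detected,  # True: replay rejected
        "genuine_credits": genuine_credits,    # 5: current blob accepted
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over to a real deployment. First, the check is only as strong as the channel to the counter source: if the OS can impersonate the service, it can also supply a counter value that matches the stale blob, which is why the answer's suggestion terminates TLS inside the enclave to a server it trusts. Second, the increment-then-seal ordering means a crash between the increment and the write of the new blob leaves no blob that matches the trusted counter, so a real design needs an explicit recovery rule for that window rather than silently accepting the previous value.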
JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

