The Intel SGX SDK has stopped supporting the monotonic counter APIs since version 2.8. What are your suggestions for SGX application developers for preventing sealing replay (old sealed data replay) problems?
It will take a bit of reading but I think this post and the answers below it may address your question: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Platform-Service-Enclave-and-ME-for-I...
Thank you for your responses.
I read the thread there in detail, but I am not sure if I understand it correctly.
This is what I understand: since Intel is not able to establish a secure path between the TPM and the enclave to utilize trusted monotonic counters, it is discontinued from SDK 2.8 onwards. Is that correct?
Also, could you please answer these follow-up questions:
1. Why is Intel not able to secure a path between the TPM and the enclave?
2. Is it discontinued for all platforms or only some specific ones?
SGX never had a secure path to any TPM. SGX used the Intel Converged Security and Management Engine (Intel CSME) for monotonic counters and trusted time, aka SGX Platform Services. Almost no, and possibly none at all, server platforms contain or ship with the CSME. Therefore, we cannot support SGX Platform Services on servers.
We no longer support Platform Services on any platform.
Thank you for the clarification.
What about normal personal laptop and desktop users?
If no machines are shipped with Intel CSME, then how do SGX SDKs (2.7 and below) provide monotonic counter support?
I wrote that "server" platforms do not ship with Intel CSME. Client platforms do ship with Intel CSME.
Since the biggest market for SGX is server-based, and servers do not have CSME, it was decided to pull Platform Services, which includes monotonic counters, from all platforms.
Intel Customer Support
Appreciate your prompt response. I got your point.
A few more follow-up questions:
1. So the discontinuation of the PSE is a market/logistics-based decision, not a result of security concerns regarding the PSE implementation. Am I right?
2. Now that the platforms do not ship with Intel CSME, what are Intel's future plans to support state continuity? How are current users supposed to work around it?
You are correct on question #1.
For question #2, let's clarify. Client platforms ship with Intel CSME, server platforms do not ship with Intel CSME. None of the platforms have SGX Platform Services, which include monotonic counters.
As a workaround, some cloud service providers who require trusted time are utilizing a remote/centralized trusted time source in their solutions.
As explained in this GitHub issue, "you can arguably have fully capable SGX instances: you should be able to open a TLS connection to an NTP server you trust from within the enclave to obtain a source of trusted time. If you think of trusted monotonic counter as an instance of trusted time, you could get both using the same mechanism."
Intel Customer Support
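The remote/centralized counter workaround described in the last reply, as an added example that is not part of this thread and not Intel's code: a Python sketch of an enclave that binds every sealed blob to a value from a remote monotonic counter service and refuses to unseal a blob whose counter no longer matches, which is exactly the old-sealed-data replay the original question asks about. The `CounterService` class, its `increment`/`read` calls, the `channel_key` and the `SealingReplayError` name are all assumptions for illustration; a real deployment would reach the service over an attested TLS channel (the enclave proving its identity with a quote), and `seal_key` stands in for the key an enclave derives with EGETKEY. Confidentiality of the sealed state is left out to keep the freshness check in focus; the blob is integrity-protected only.

```python
"""Remote monotonic counter as a defence against sealing replay.

Added example, not from the Intel thread. Service API, key names and the
wire format are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets


class SealingReplayError(Exception):
    """Raised when a sealed blob is tampered with or stale."""


class CounterService:
    """Stand-in for a remote trusted counter service (assumption).

    In practice this runs on a host the enclave trusts and is reached over
    an attested TLS channel. Each enclave identity owns one counter that only
    ever increases; responses are MACed with a key agreed at attestation.
    """

    def __init__(self):
        self._counters = {}
        self._keys = {}

    def register(self, enclave_id, channel_key):
        self._keys[enclave_id] = channel_key
        self._counters.setdefault(enclave_id, 0)

    def increment(self, enclave_id, challenge):
        self._counters[enclave_id] += 1
        return self._respond(enclave_id, challenge)

    def read(self, enclave_id, challenge):
        return self._respond(enclave_id, challenge)

    def _respond(self, enclave_id, challenge):
        # Echo the caller's challenge so a recorded response cannot be replayed.
        msg = json.dumps({"id": enclave_id, "value": self._counters[enclave_id],
                          "challenge": challenge.hex()}, sort_keys=True).encode()
        tag = hmac.new(self._keys[enclave_id], msg, hashlib.sha256).digest()
        return msg, tag


class Enclave:
    """Enclave-side logic: seal with the current counter, unseal only if fresh."""

    def __init__(self, enclave_id, service):
        self.id = enclave_id
        self.service = service
        self.seal_key = secrets.token_bytes(32)     # stands in for an EGETKEY seal key
        self.channel_key = secrets.token_bytes(32)  # agreed with the service at attestation
        service.register(enclave_id, self.channel_key)

    def _fresh_counter(self, bump):
        challenge = secrets.token_bytes(16)
        call = self.service.increment if bump else self.service.read
        msg, tag = call(self.id, challenge)
        expected_tag = hmac.new(self.channel_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            raise SealingReplayError("counter response failed authentication")
        body = json.loads(msg)
        if body["id"] != self.id or body["challenge"] != challenge.hex():
            raise SealingReplayError("counter response is not a reply to our challenge")
        return body["value"]

    def seal(self, state):
        # Advance the remote counter first, then bind the new value into the blob.
        counter = self._fresh_counter(bump=True)
        body = json.dumps({"counter": counter, "state": state}, sort_keys=True).encode()
        tag = hmac.new(self.seal_key, body, hashlib.sha256).digest()
        return tag + body

    def unseal(self, blob):
        tag, body = blob[:32], blob[32:]
        if not hmac.compare_digest(hmac.new(self.seal_key, body, hashlib.sha256).digest(), tag):
            raise SealingReplayError("sealed blob failed integrity check")
        record = json.loads(body)
        current = self._fresh_counter(bump=False)
        # An old blob carries an old counter value: reject it even though its MAC is valid.
        if record["counter"] != current:
            raise SealingReplayError(
                f"stale sealed state: blob counter {record['counter']} != remote {current}")
        return record["state"]


def replay_is_rejected():
    """Seal twice, then try to restore the first (older) blob. Returns True if rejected."""
    svc = CounterService()
    enc = Enclave("enclave-A", svc)
    old_blob = enc.seal({"balance": 100})
    new_blob = enc.seal({"balance": 40})
    assert enc.unseal(new_blob) == {"balance": 40}
    try:
        enc.unseal(old_blob)
    except SealingReplayError:
        return True
    return False


if __name__ == "__main__":
    print("replay rejected:", replay_is_rejected())
```

The check that matters is in `unseal`: the MAC proves the blob is one the enclave produced, but only the comparison against the live remote counter proves it is the latest one. Note the ordering cost this design carries: the counter is bumped before the new blob is written, so a crash between the two leaves the stored blob stale and unrecoverable without an explicit recovery path, which is the same liveness trade-off the old Platform Services counters had and something any remote-counter scheme needs to plan for.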