Intel® Software Guard Extensions (Intel® SGX)

Sealing Rollback issues in absence of Monotonic Counter APIs

Jangid__Mohit_Kumar

Hi There,


The Intel SDK has dropped support for the monotonic counter APIs since version 2.8. What are your suggestions for SGX application developers for preventing sealing replay (replay of old sealed data) problems?

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


It will take a bit of reading but I think this post and the answers below it may address your question: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Platform-Service-Enclave-and-ME-for-I...


JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


Did the thread I provided above help answer your question?


Jangid__Mohit_Kumar

Hi There,

Thank you for your responses.
I read the thread in detail, but I am not sure if I understand it correctly.
This is what I understand: since Intel is not able to establish a secure path between the TPM and the enclave to utilize trusted monotonic counters, they were discontinued from SDK 2.8 onwards. Is that correct?

 

Also, could you please answer these follow-up questions:

1. Why is Intel not able to secure a path between the TPM and the enclave?

2. Is it discontinued for all platforms or only for some specific ones?

 

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


SGX never had a secure path to any TPM. SGX used the Intel Converged Security and Management Engine (Intel CSME) for monotonic counters and trusted time, aka SGX Platform Services. Almost no server platforms, and possibly none at all, contain or ship with the CSME. Therefore, we cannot support SGX Platform Services on servers.

 

We no longer support Platform Services on any platform.


Jangid__Mohit_Kumar

Thank you for the clarification.

What about normal personal laptop and desktop users?
If no machines are shipped with Intel CSME, then how do SGX SDKs (2.7 and below) provide monotonic counter support?

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


I wrote that "server" platforms do not ship with Intel CSME. Client platforms do ship with Intel CSME.


Since the biggest market for SGX is server-based, and servers do not have CSME, it was decided to pull Platform Services, which includes monotonic counters, from all platforms.


Regards,

Jesus G.

Intel Customer Support


Jangid__Mohit_Kumar

Appreciate your prompt response. I got your point.

A few more follow-up questions:

1. So the discontinuation of PSE is a market/logistics-based decision, not one driven by security concerns regarding the PSE implementation. Am I right?

2. Now that the platforms do not ship with Intel CSME, what are Intel's future plans to support state continuity? How are current users supposed to work around it?

 

Thank you

JesusG_Intel
Moderator

Hello Jangid__Mohit_Kumar,


You are correct on question #1.


For question #2, let's clarify. Client platforms ship with Intel CSME, server platforms do not ship with Intel CSME. None of the platforms have SGX Platform Services, which include monotonic counters.


As a workaround, some cloud service providers who require trusted time are utilizing a remote/centralized trusted time source in their solutions.


As explained in this GitHub issue, "you can arguably have fully capable SGX instances: you should be able to open a TLS connection to an NTP server you trust from within the enclave to obtain a source of trusted time. If you think of trusted monotonic counter as an instance of trusted time, you could get both using the same mechanism."


Regards,

Jesus G.

Intel Customer Support


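The accepted answer above suggests replacing the withdrawn Platform Services counter with a remote, centralized trusted counter reached over TLS from inside the enclave. The following is an added example of how an enclave could use such a counter to detect rollback of sealed state; it is not code from the thread, from Intel, or from the Intel SGX SDK. `RemoteCounterService` is an in-memory stub standing in for the remote service (a real deployment would talk to it over an attested TLS channel), and `seal`/`unseal` are stand-ins for `sgx_seal_data`/`sgx_unseal_data` that model only the integrity part of sealing with an HMAC under a constructed demo key.

```python
"""Rollback (replay) detection for sealed enclave state bound to a remote monotonic counter.

Assumptions (all constructed for this example):
  * RemoteCounterService stands in for the remote trusted counter/time source
    the thread suggests; it is an in-memory stub instead of a TLS client.
  * seal()/unseal() stand in for sgx_seal_data()/sgx_unseal_data(); an HMAC
    under SEALING_KEY models the integrity protection real sealing provides.
"""
import hashlib
import hmac
import json
import struct

# Stand-in for the enclave's MRSIGNER/MRENCLAVE-derived sealing key (constructed).
SEALING_KEY = b"constructed-demo-sealing-key-not-a-real-key"
TAG_LEN = hashlib.sha256().digest_size


class RollbackError(Exception):
    """Sealed blob carries an older counter than the trusted remote counter."""


class IntegrityError(Exception):
    """Sealed blob failed its authentication tag."""


class RemoteCounterService:
    """Stub for the remote trusted monotonic counter the enclave would query over TLS."""

    def __init__(self) -> None:
        self._value = 0

    def increment(self) -> int:
        self._value += 1
        return self._value

    def read(self) -> int:
        return self._value


def seal(state: dict, counter: int, key: bytes = SEALING_KEY) -> bytes:
    """Bind the state to the counter value and authenticate both together."""
    body = struct.pack(">Q", counter) + json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes, expected_counter: int, key: bytes = SEALING_KEY) -> dict:
    """Verify integrity first, then refuse any blob whose counter is not the trusted one."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise IntegrityError("sealed blob failed integrity check")
    (counter,) = struct.unpack(">Q", body[:8])
    if counter != expected_counter:
        raise RollbackError(
            f"sealed blob is version {counter}, trusted counter is {expected_counter}"
        )
    return json.loads(body[8:])


def save_state(service: RemoteCounterService, state: dict) -> bytes:
    """Advance the remote counter first, then seal the state bound to the new value."""
    return seal(state, service.increment())


def load_state(service: RemoteCounterService, blob: bytes) -> dict:
    """Unseal only if the blob matches the current trusted counter value."""
    return unseal(blob, service.read())


def demo() -> dict:
    """Two consecutive saves, then a replay of the older blob and a tampered blob."""
    svc = RemoteCounterService()
    blob_v1 = save_state(svc, {"balance": 100})   # counter becomes 1
    blob_v2 = save_state(svc, {"balance": 40})    # counter becomes 2
    results = {"current": load_state(svc, blob_v2)["balance"]}
    try:
        load_state(svc, blob_v1)                  # old blob replayed against counter 2
        results["rollback"] = "accepted"
    except RollbackError:
        results["rollback"] = "rejected"
    tampered = blob_v2[:-1] + bytes([blob_v2[-1] ^ 0x01])  # flip one payload byte
    try:
        load_state(svc, tampered)
        results["tampered"] = "accepted"
    except IntegrityError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The order in `save_state` matters: incrementing the remote counter before persisting the blob means a crash between the two steps leaves the newest blob on disk unloadable (its counter is one behind), which trades availability for rollback protection; incrementing afterwards would instead open a window in which the previous blob is still accepted. Whichever order is chosen, the counter value is only as trustworthy as the channel it arrives on, which is why the thread's suggestion is a TLS connection to a source the enclave trusts rather than a value read from the untrusted host.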

JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.
