Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
99 Views

Sealing Rollback issues in absence of Monotonic Counter APIs

Hi There,


Intel SDK has stopped the support of monotonic counter APIs since version 2.8. What are your suggestions for SGX application developers for preventing sealing replay (old sealing data replay) problems?  

Thank you

0 Kudos
8 Replies
Highlighted
Moderator
87 Views

Hello Jangid__Mohit_Kumar,


It will take a bit of reading but I think this post and the answers below it may address your question: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Platform-Service-Enclave-and-ME-for-I...


0 Kudos
Highlighted
Moderator
64 Views

Hello Jangid__Mohit_Kumar,


Did the thread I provided above help answer your question?


0 Kudos
Highlighted
58 Views

Hi There,

Thank you for your responses. 
I read the thread detail there, but I am not sure If I understand it correctly.
This is what I understand -- Since Intel is not able to establish a secure path between TPM and Enclave to utilize Trusted Monotonic- counters, it is discontinued in SDK 2.8 onwards.   Is that correct?

 

Also Could you please answer these follow up questions --

1. Why Intel is not able to secure a path between TPM and Enclave? 

2 Is it discontinued for all platforms or some specific ones?    

 

Thank you

0 Kudos
Highlighted
Moderator
52 Views

Hello Jangid__Mohit_Kumar,


SGX never had a secure path to any TPM. SGX used the Intel Converged Security and Management Engine (Intel CSME) for monotonic counters and trusted time, aka SGX Platform Services. Almost no, and possibly none at all, server platforms contain or ship with the CSME. Therefore, we cannot support SGX Platform Services on servers.

 

We no longer support Platform Services on any platform.


0 Kudos
Highlighted
43 Views

Thank you for the clarification. 

What about a normal personal laptop and desktop users?
If no machines are shipped with Intel CSME, then how do SGX SDKs (2.7 and below) provide Monotonic Counter support?       

Thank you

0 Kudos
Highlighted
Moderator
33 Views

Hello Jangid__Mohit_Kumar,


I wrote that "server" platforms do not ship with Intel CSME. Client platforms do ship with Intel CSME.


Since the biggest market for SGX is server-based, and servers do not have CSME, it was decided to pull Platform Services, which includes monotonic counters, from all platforms.


Regards,

Jesus G.

Intel Customer Support


0 Kudos
Highlighted
21 Views

Appreciate your prompt response. I got your point. 

A few more followup questions -- 

1. So, the discontinuation of PSE is a market logistics-based decision; Not that there were some security concerns regarding PSE implementation. Am I right?

2. Now that the platforms do not ship with Intel CSME, what are Intel's future plans to support state continuity? How are current users suppose to workaround it?   

 

Thank you

0 Kudos
Highlighted
Moderator
7 Views

Hello Jangid__Mohit_Kumar,


You are correct on question #1.


For question #2, let's clarify. Client platforms ship with Intel CSME, server platforms do not ship with Intel CSME. None of the platforms have SGX Platform Services, which include monotonic counters.


As a workaround, some cloud service providers who require trusted time are utilizing a remote/centralized trusted time source in their solutions.


As explained in this Github issue, "you can arguably have fully capable SGX instances: you should be able to open a TLS connection to an NTP server you trust from within the enclave to obtain a source of trusted time. If you think of trusted monotonic counter as an instance of trusted time, you could get both using the same mechanism."


Regards,

Jesus G.

Intel Customer Support


0 Kudos