Hi Intel
Because the request/response packets are communicated over IPC when invoking sgx_get_trusted_time, I wonder whether these packets are vulnerable to delay attacks, i.e., a malicious OS intercepts these packets and the measured elapsed time may not be correct.
Moreover, if this kind of attack exists, I would also like to know how to mitigate it.
Best regards,
SunnySun
Hello SunnySun,
I will answer your questions related to trusted time and monotonic counters in this thread and will remove the previous thread.
Support for Intel SGX Platform Services was removed from all Linux-based platforms, including client platforms, beginning with Intel SGX SDK for Linux 2.9.
The Intel SGX API for monotonic counters is still part of the Intel SGX SDK for Windows and is supported on Windows 10 platforms via the Intel SGX Platform Software for Windows. The Intel SGX Platform Software for Windows is usually installed via Windows Update from the platform OEM.
The paper, Intel SGX Platform Services, describes in detail how the SGX SDK accesses hardware-based monotonic counters implemented in the Intel Converged Security and Management Engine (CSME), which is only available in client systems.
The sgx_get_trusted_time function includes a nonce argument. According to the Intel SGX Developer Reference for Windows: "The Enclave retrieves the time reference and the time source nonce using sgx_get_trusted_time." To guarantee that the time source does not change between two readings of sgx_get_trusted_time, compare the nonce from each reading - they should be the same.
Read more about protecting against replay attacks by referring to the section on the Sealed Data example in the Intel SGX Developer Reference for Windows.
These articles may also be interesting to you:
Sincerely,
Jesus G.
Intel Customer Support
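The nonce check described in the answer above, written out as an added example (this is not Intel's code and not part of the original post). The sgx_* type names mirror sgx_tae_service.h and sgx_error.h so the two timer functions can be reused inside an enclave, but the definitions here are stand-ins so the file builds outside the SDK. The time source is a constructed simulator that lets an "OS" hold a request before the source stamps it; in a real enclave you would open a session with sgx_create_pse_session() and pass sgx_get_trusted_time() itself as the reader. The delayed-request scenario goes beyond the post: it shows what a delay attack on the IPC path does to the measured value.

```c
/* Added example, not SDK code. sgx_* names follow sgx_tae_service.h and
 * sgx_error.h; the definitions are stand-ins so this builds without the SDK. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int sgx_status_t;                    /* stand-in for sgx_error.h */
#define SGX_SUCCESS 0
typedef uint64_t sgx_time_t;                 /* seconds, as in the SDK   */
typedef uint8_t sgx_time_source_nonce_t[32]; /* as in sgx_tae_service.h  */

/* Same signature as sgx_get_trusted_time(); pass the real function in an enclave. */
typedef sgx_status_t (*trusted_time_fn)(sgx_time_t *, sgx_time_source_nonce_t *);

enum elapsed_result {
    ELAPSED_OK = 0,
    ELAPSED_CALL_FAILED,     /* the platform service call failed            */
    ELAPSED_SOURCE_CHANGED,  /* nonces differ: the readings are not comparable */
    ELAPSED_WENT_BACKWARDS   /* same source, but time decreased             */
};

struct trusted_timer { sgx_time_t start; sgx_time_source_nonce_t nonce; };

/* First reading: remember the time and the time-source nonce. */
static enum elapsed_result timer_start(trusted_time_fn get_time, struct trusted_timer *tm)
{
    return get_time(&tm->start, &tm->nonce) == SGX_SUCCESS ? ELAPSED_OK : ELAPSED_CALL_FAILED;
}

/* Second reading: refuse the measurement unless the nonce is unchanged.
 * The difference is only a lower bound on the real gap: the untrusted OS can
 * delay a request or a reply, and every such delay shrinks the value. */
static enum elapsed_result timer_elapsed(trusted_time_fn get_time,
                                         const struct trusted_timer *tm, sgx_time_t *elapsed)
{
    sgx_time_t now;
    sgx_time_source_nonce_t nonce;
    if (get_time(&now, &nonce) != SGX_SUCCESS) return ELAPSED_CALL_FAILED;
    if (memcmp(nonce, tm->nonce, sizeof nonce) != 0) return ELAPSED_SOURCE_CHANGED;
    if (now < tm->start) return ELAPSED_WENT_BACKWARDS;
    *elapsed = now - tm->start;
    return ELAPSED_OK;
}

/* Constructed simulator of the platform time source (not the SDK).
 * sim_clock: wall-clock seconds. sim_request_delay: seconds the OS holds the
 * next request before the source stamps it. sim_epoch: nonce value; changing
 * it models a time-source reset. */
static sgx_time_t sim_clock, sim_request_delay;
static uint8_t sim_epoch;
static void sim_reset(void) { sim_clock = 1000; sim_request_delay = 0; sim_epoch = 1; }

static sgx_status_t sim_get_trusted_time(sgx_time_t *t, sgx_time_source_nonce_t *nonce)
{
    sim_clock += sim_request_delay;   /* time keeps passing while the OS sits on it */
    sim_request_delay = 0;
    *t = sim_clock;
    memset(*nonce, sim_epoch, sizeof *nonce);
    return SGX_SUCCESS;
}

/* Honest run: 30 s pass between the two readings. */
sgx_time_t scenario_honest(void)
{
    struct trusted_timer tm; sgx_time_t elapsed = 0;
    sim_reset();
    timer_start(sim_get_trusted_time, &tm);
    sim_clock += 30;
    timer_elapsed(sim_get_trusted_time, &tm, &elapsed);
    return elapsed;                                  /* 30 */
}

/* Delay attack: the OS holds the first request for 25 of the 30 s. The
 * enclave measures only 5 s: delay under-reports, but never over-reports. */
sgx_time_t scenario_delayed_request(void)
{
    struct trusted_timer tm; sgx_time_t elapsed = 0;
    sim_reset();
    sim_request_delay = 25;
    timer_start(sim_get_trusted_time, &tm);          /* stamped at 1025 */
    sim_clock += 5;
    timer_elapsed(sim_get_trusted_time, &tm, &elapsed);
    return elapsed;                                  /* 5 */
}

/* Time source reset between readings: nonce differs, measurement refused. */
enum elapsed_result scenario_source_changed(void)
{
    struct trusted_timer tm; sgx_time_t elapsed = 0;
    sim_reset();
    timer_start(sim_get_trusted_time, &tm);
    sim_epoch = 2;
    sim_clock += 30;
    return timer_elapsed(sim_get_trusted_time, &tm, &elapsed);
}

int main(void)
{
    printf("honest: %llu s\n", (unsigned long long)scenario_honest());
    printf("delayed request: %llu s\n", (unsigned long long)scenario_delayed_request());
    printf("source changed: result %d\n", (int)scenario_source_changed());
    return 0;
}
```

Under the delay model assumed here (the OS can hold or drop messages but, because the session with the platform service is authenticated, cannot alter the time value or the nonce), the value stamped into a reply is fixed when the time source handles the request, so delaying either direction can only make the difference of two readings smaller than the real gap. A check of the form "at least N seconds have passed" therefore stays sound, while "less than N seconds have passed" (a freshness check) can be defeated indefinitely by an OS that simply holds the first request; an enclave that needs the latter cannot get it from this API alone.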
Hello Jesus,
Thanks for your answer. Further, I also have some questions:
- I am still curious about why Intel suddenly removed the Intel SGX Platform Service from Linux-based platforms beginning with Intel SGX SDK for Linux 2.9, while still retaining the Intel SGX Platform Service on Windows platforms. In my understanding, this service may have nothing to do with hardware but with software (e.g., the version of the SDK).
- What is the thinking behind the design in which the server system does not support the Intel Converged Security and Management Engine (CSME)?
- Moreover, on a Linux-based platform equipped with an 8th Gen Core i7 CPU, if I now install a version of the Intel SGX SDK for Linux earlier than 2.9, can I use the trusted time and monotonic counter via Intel SGX's API?
Sincerely,
SunnySun
Hello Jesus,
I would like to add more to Question 2 in my last reply.
- What is the thinking behind the design in which the server system does not support the Intel Converged Security and Management Engine (CSME)? In the future, will Intel consider supporting CSME, trusted time, and monotonic counters in SGX for server platforms?
Sincerely,
SunnySun
Hello SunnySun,
- OEMs must accept a license to support Platform Services. OEMs can accept this license on their Windows systems because the OS is pre-installed at the factory. However, due to how Linux is distributed and installed, the OEMs could not accept that license for Linux installations.
- Intel server products use Intel Server Platform Services for manageability. Servers and clients have different manageability needs that are addressed by different technologies.
- Intel does not recommend installing older versions of SGX software. As this is security software, you should always install the most recent version to get all the latest security and bug fixes. Also, you would need the Linux ME drivers, which Intel does not provide.
- We cannot comment on future roadmaps.
Sincerely,
Jesus G.
Intel Customer Support
This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.