On Mon, Apr 22, 2019 at 08:01:19AM -0700, Sean Christopherson wrote: Good morning to everyone, I hope the week is starting well. > On Sat, Apr 20, 2019 at 11:02:47AM -0500, Dr. Greg wrote: > > We understand and support the need for the LSM to trap these > > events, but what does LSM provenance mean if the platform is > > compromised? That is, technically, the target application for SGX > > technology. > No, it's not. Protecting the kernel/platform from a malicious > entity is outside the scope of SGX. You must have misinterpreted my statement, providing security guarantees in the face of a compromised platform is exactly what SGX was designed to do and is how Intel is marketing the technology. >From the first paragraph (Introduction) in the following document: https://software.intel.com/sites/default/files/managed/50/8c/Intel-SGX-Product-Brief.pdf "Intel Software Guard Extensions (Intel SGX) protects selected code and data from disclosure or modification. Developers can partition their application into CPU hardened 'enclaves' or protected areas of execution that increase security even on compromised platforms". In addition, one of the major use cases for this technology is the ability to push data and application code up onto cloud platforms with a guarantee that not even the platform owner or administrators can compromise the integrity or confidentiality of the code and data. As I've noted before, from an OS driver perspective, security and privacy models which are dependent on an uncompromised platform and user privileges are inconsistent with the SGX security architecture. Doing SGX right is about applying cryptographically defined provenance and integrity models. Our autonomous introspection technology uses SGX to protect the platform at large but we are unique with respect to how the technology is being applied. Have a good day. Dr. Greg As always, Dr. G.W. Wettstein, Ph.D. Enjellic Systems Development, LLC. 4206 N. 19th Ave. Specializing in information infra-structure Fargo, ND 58102 development. PH: 701-281-1686 FAX: 701-281-3949 EMAIL: greg@xxxxxxxxxxxx ------------------------------------------------------------------------------ "You and Uncle Pete drank the whole thing? That was a $250.00 bottle of whisky. Yeah, it was good." -- Rick Engen Resurrection.
