On 3/9/22 11:36, Borislav Petkov wrote: > On Wed, Mar 09, 2022 at 11:14:22AM -0800, Dave Hansen wrote: >> Let's imagine an extreme (thankfully imaginary) case: SGX has been >> totally broken by some attack. All running enclaves might have been >> compromised. A magical microcode update comes and saves the day and >> mitigates the attack. >> >> From the hardware perspective, at the time of the microcode update, the >> (presumably compromised) enclaves *can* still run. > Here's where you lost me: the enclaves are presumably compromised and > yet you wanna leave them running?! Isn't the strategy to kill them to > limit the spread of whatever has compromised them? Killing them immediately is a totally valid policy. But, I think it's also a valid policy to continue to let them run. Maybe you know they were not vulnerable to whatever got mitigated. Or, maybe they're sufficiently sandboxed that they are not of any concern. You want new enclaves to be able to attest to the new microcode, but you're just not that worried about the old ones. This mechanism allows userspace to separate the "update the microcode" and "destroy the enclaves" and implement a policy which separates them (or doesn't). In either case, the specific demand from end users for this flexibility is clearly lacking. I'm sure Cathy and Ashok will get working to flesh that out.