On 2022-03-16 16:47, Dave Hansen wrote: > On 3/16/22 03:24, Jethro Beekman wrote: >>> Doing this automatically and unconditionally during a microcode >>> update seems undesirable. This requires the userland tooling that >>> is coordinating the microcode update to be aware of any SGX >>> enclaves that are running and possibly coordinate sequencing with >>> the processes containing those enclaves. This coupling does not >>> exist today. >> Also, a microcode update may not affect SGX security at all and doing >> the EUPDATESVN procedure may not be required for this particular >> update. This case is called out specifically in the EUPDATESVN >> documentation. > > I don't think Intel provides the metadata for the kernel to tell if an > update requires an EUPDATESVN procedure or not. If this is inconvenient > for you, I'd suggest reporting this to the folks at Intel who can fix > it. It doesn't seem like something which they are motivated to fix. Whether or not metadata is currently made available is orthogonal to creating a mechanism by which userspace can indidate that a particular microcode update shouldn't trigger the EUPDATESVN procedure. -- Jethro Beekman | Fortanix
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature