On 2018-06-20 11:16, Jethro Beekman wrote:
> This last bit is also repeated in different words in Table 35-2 and > Section 42.2.2. The MSRs are *not writable* before the write-lock bit > itself is locked. Meaning the MSRs are either locked with Intel's key > hash, or not locked at all.
Actually, this might be a documentation bug. I have some test hardware and I was able to configure the MSRs in the BIOS and then read the MSRs after boot like this:
MSR 0x3a 0x0000000000040005 MSR 0x8c 0x20180620aaaaaaaa MSR 0x8d 0x20180620bbbbbbbb MSR 0x8e 0x20180620cccccccc MSR 0x8f 0x20180620dddddddd Since this is not production hardware, it could also be a CPU bug of course.If it is indeed possible to configure AND lock the MSR values to non-Intel values, I'm very much in favor of Nathaniels proposal to treat the launch enclave like any other firmware blob.
Jethro Beekman | Fortanix
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
