On Fri, Aug 31, 2018 at 10:43:30AM -0700, Sean Christopherson wrote:

Good afternoon to everyone.

> > Sorry I missed this one. To be honest I don't know. I checked the
> > SDM and all I can find is:
> >
> > "On reset, the default value is the digest of Intel's signing key."

> I confirmed the MSRs are reset any time the EPC is lost. Not sure
> what happens if the MSRs contained a non-Intel value but feature
> control is locked with SGX launch control disabled. I'll post an
> update when I have an answer.

It was our interpretation from the SDM that the identity modulus
signature MSRs are 'trap-door' registers. If flexible launch control
(FLC) is enabled the platform has one opportunity to write a new
signature value, after which the registers are locked from modification
until the next platform reset.

From a security architecture perspective it seemed that an FLC based SGX
implementation would use a modified version of TBOOT to securely write
that register once per platform boot/reset.

The architecture that is being discussed where there is a need to
continually check whether or not the correct root signing key is loaded
sounds a bit clunky at best. At worst it has potential security
implications since it is the responsibility of the enclave launch control
infrastructure to control which enclaves are allowed to have the
PROVISION_KEY attribute bit set.

Have a good weekend.

Dr. Greg

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: greg@xxxxxxxxxxxx
------------------------------------------------------------------------------
"Extensive interviews show that not one alcoholic has ever actually seen
a pink elephant."
                                -- Yale University Center of Alcohol Studies