Talk:Software Guard Extensions

Untitled
Whoever added this section https://en.wikipedia.org/wiki/Software_Guard_Extensions#Plundervolt only put a link in there. I think this is bad editing practice because it does not convey any information. We could at least cite some paragraphs from the link here.

--Zenulabidin2k (talk) 11:51, 20 March 2020 (UTC)

It seems like this page could be improved, because, although it provides details on feature presence and support, and cites some software which uses the feature, it does not provide any description at all of how the feature actually enables an application to protect a memory range.

If nobody has an issue, I'll try to read some literature on the details of the feature and try and add at least a paragraph. Thanks.

Andy (talk) 13:51, 15 September 2018 (UTC)

SGX dropped in new processors
Apparently Intel is dropping SGX in new processors. GA-RT-22 (talk) 17:08, 14 January 2022 (UTC)
 * Intel's dropping of SGX prevents Ultra HD Blu-Ray playback on PCs
 * Why can’t I play Ultra HD Blu-ray movies on my new Intel CPU

It would be very interesting to know the reasoning behind dropping it. - Rustamabd (talk) 21:58, 28 January 2022 (UTC)

@Rustamabd: Intel only deprecated SGX in Intel client processors (e.g., Intel Core brand). SGX is still available in Intel's Xeon Scalable brand processors, starting with the 3rd Gen. See https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Rising-to-the-Challenge-Data-Security-with-Intel-Confidential/post/1353141. #IamIntel — Preceding unsigned comment added by MFJpdxOR (talk • contribs) 22:46, 11 April 2022 (UTC)

 * Does that mean it would be possible to play UHD Blu-ray discs on PCs with those processors? —danhash (talk) 23:21, 12 December 2023 (UTC)

Conflict of Interest Edit Request
Hello, I am an Intel employee so I have a conflict of interest. The Software Guard Extensions page is missing some key pieces of information that viewers would likely find helpful, but due to my conflict of interest, I submit these as Edit requests, not direct edits.

The page makes this statement: "These design goals were not met; numerous attacks were found, leading Intel to stop offering SGX in newer processors.[3]"
 * What I think should be changed (include citations):

The current wording makes a claim about facts ("design goals were not met") without a citation. This claim is not what Intel publicly said was the reason for the deprecation of SGX in PC platforms. The current sentence also fails to distinguish between Intel Core brand processors for PCs and Intel Xeon Scalable brand processors for servers. Intel deprecated SGX in Intel Core but not in Intel Xeon Scalable.
 * Why it should be changed:

SUGGESTED EDIT & CITATION

Remove this sentence: "These design goals were not met; numerous attacks were found, leading Intel to stop offering SGX in newer processors.[3]" Replace with this sentence: "Intel deprecated SGX from client PC platforms starting with 11th Gen Core processors (code-named “Tiger Lake”) but continues to offer SGX on Intel Xeon Scalable processors, starting with the 3rd Generation (code-named “Ice Lake-SP”)."

Supporting citation: https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Rising-to-the-Challenge-Data-Security-with-Intel-Confidential/post/1353141 (see section called The Road Ahead - Intel SGX and TDX)

The current page makes this statement: "Applications running inside of SGX must be written to be side channel resistant as SGX does not protect against side channel measurement or observation.[5]"
 * What I think should be changed (include citations):

The current wording implies that applications running inside SGX enclaves should UNIQUELY be side channel resistant when ALL x86 code should be written to be side channel resistant.
 * Why it should be changed:

SUGGESTED EDIT & CITATION

Please add precision to this sentence: "Applications running inside of SGX must be written to be side channel resistant as SGX does not protect against side channel measurement or observation.[5]" Change to: "Like all x86 code, applications running inside of SGX should be written to be side channel resistant as SGX does not protect against side channel measurement or observation. [5] Intel has issued general purpose guidance for side-channel protection." [citation below]

Citation: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/securing-workloads-against-side-channel-methods.html

Missing relevant information in the Details section
 * What I think should be changed (include citations):

The current Details section is missing the introduction date for SGX in Intel servers. The distinction between client and server processors is important since Intel ultimately deprecated SGX in clients but not in servers, a piece of information important to readers.
 * Why it should be changed:

SUGGESTED EDIT & CITATION

Add this sentence to the Details section: "SGX was introduced in the Intel Xeon-E product line in 2017 [first citation below], and the Intel Xeon Scalable product line in 2021 with the 3rd Gen Xeon Scalable, code-named “Ice Lake-SP”." [second citation below]

Citation 1: https://www.anandtech.com/show/11232/intel-launches-xeon-e3-1200-v6-family

Citation 2: https://www.zdnet.com/article/intel-launches-third-gen-intel-xeon-scalable-processor-for-data-centers/

The page makes this statement: "Both in the 11th and 12th generations of Intel Core processors, SGX is listed as "Deprecated" and thereby not supported anymore. [3][13][14]"
 * What I think should be changed (include citations):

The current sentence fails to distinguish between Intel Core brand processors for PCs and Intel Xeon Scalable brand processors for servers. Intel deprecated SGX in Intel Core processors for PC but not in Intel Xeon Scalable for servers. This is important information for readers.
 * Why it should be changed:

SUGGESTED EDIT & CITATION

Provide clarity between client and server in this sentence: "Both in the 11th and 12th generations of Intel Core processors, SGX is listed as "Deprecated" and thereby not supported anymore. [3][13][14]" Add an edit and sentence as follows: "Both in the 11th and 12th generations of Intel Core processors, SGX is listed as "Deprecated" and thereby not supported in PC client processors anymore. [3][13][14] SGX continues to be supported on Intel Xeon Scalable processors." [citation below]

Citation: https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Rising-to-the-Challenge-Data-Security-with-Intel-Confidential/post/1353141

Under the "Attacks" section, the current page lists a number of potential attacks on SGX but does not reference the mitigations issued by Intel, which would be valuable for readers to know.
 * What I think should be changed (include citations):

On the current page, readers are not provided with information about if/how the listed vulnerabilities or attacks were mitigated. This is important information for anyone trying to secure their systems.
 * Why it should be changed:

SUGGESTED EDITS & CITATION

Under "Prime+Probe Attack", please add this at the end of the attack description: "Intel issued guidance for programmers for side channel attack prevention." [two citations below]

Citations (one of two): https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_Developer_Guide.pdf

Citations (two of two): https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/securing-workloads-against-side-channel-methods.html

Under "Spectre-like Attack", please add this at the end of the attack description: "A number of Spectre-type speculative execution attacks that impacted SGX were addressed by Intel with guidance for developers[Citation 1 below] on speculative execution issues, as well as releasing security advisories and mitigations to address issues as they arise. SGX programmers guidance[Citation 2 below] also includes advice to programmers on how to defensively program against Spectre v1 attacks."

Citation 1: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/refined-speculative-execution-terminology.html

Citation 2: https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_Developer_Guide.pdf

Under "Enclave Attack", please add this to the end of the attack description: "Additionally, the attack relies upon the Transactional Memory Extensions (TSX) to work, and Intel removed the TSX instructions, for other reasons, from processors in the field by patch and from future processors, thus rendering this attack moot." [citation below]

Citation: https://en.wikipedia.org/wiki/Transactional_Synchronization_Extensions

Under "MicroScope Replay Attack", please add this to the end of attack description: "This work was funded in part by grants from the National Science Foundation and Intel's Strategic Research Alliance."

Citation: https://dl.acm.org/doi/pdf/10.1145/3307650.3322228  (see Acknowledgements, page 13)

Under "Plundervolt", please add this to the end of the attack description: "In December 2019, Intel issued a firmware mitigation to address this vulnerability, detailed in Intel Security Advisory 00289"

Citation: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html

Under "LVI", please replace the current citation #26 with this link to the updated Intel document. The current citation #26 is out-of-date.

Citation: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/load-value-injection.html

Under "LVI", please add this to the end of the attack description: "In March 2020, Intel issued a mitigation to address this vulnerability, detailed in Intel Security Advisory INTEL-SA-00334."

Citation: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html

Thanks to the editors for your consideration. MFJpdxOR (talk) 17:44, 12 April 2022 (UTC)
 * Your sources are nearly all primary, Wikipedia requires independent sources. Theroadislong (talk) 20:47, 12 August 2022 (UTC)
 * Looking at the article, primary sourcing seems to be an overall issue, as half the sourcing comes from Intel. Slywriter (talk) 20:57, 12 August 2022 (UTC)
 * I am going to close this edit request as declined. Most of the citations are to primary sources, which are not usually recommended on Wikipedia. Therefore, multiple editors have been hesitant to add the information themselves. If someone wants to review these documents at a later date for their possible inclusion, they are welcome to do so. Z1720 (talk) 22:53, 6 October 2022 (UTC)
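The edit request above asks the article to say that enclave code, like all x86 code, must be written to be side channel resistant and to defensively program against Spectre v1. The following is an added example of what that means in practice; it is not code from the article, from Intel's guidance documents or from the SGX SDK, and the function names, the sample key and the 16-entry table are constructed for illustration. It places an early-exit comparison beside a constant-time one, a secret-indexed table lookup beside a lookup whose memory accesses do not depend on the index (the pattern a Prime+Probe observer would otherwise see), and a bounds check with the index-masking pattern used against bounds-check-bypass speculation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table standing in for a secret-indexed lookup table
 * (an S-box, say) inside an enclave. Values are arbitrary. */
#define TABLE_SIZE 16
static const uint8_t kTable[TABLE_SIZE] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
};

/* "Before": early-exit comparison. Its running time, and the branch pattern
 * an enclave's untrusted OS can observe, depend on how many leading bytes of
 * `guess` match `secret`. SGX does nothing to hide this. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* "After": constant-time comparison. Every byte is read and the differences
 * are folded with OR, so there is no secret-dependent branch or early exit.
 * Returns 1 when equal, 0 otherwise. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    /* (diff - 1) borrows into bit 31 only when diff == 0 */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* All-ones when a == b, zero otherwise, computed without a branch:
 * for d != 0, (d | -d) always has its top bit set. */
static size_t eq_mask(size_t a, size_t b)
{
    size_t d = a ^ b;
    size_t nonzero = (d | (0 - d)) >> (sizeof(size_t) * 8 - 1);
    return nonzero - 1;
}

/* Secret-independent table lookup: reads every entry and selects the wanted
 * one with a mask, so the cache lines touched do not reveal `idx`. The price
 * is O(len) reads instead of one. */
uint8_t ct_lookup(const uint8_t *table, size_t len, size_t idx)
{
    uint8_t out = 0;
    for (size_t i = 0; i < len; i++)
        out |= table[i] & (uint8_t)eq_mask(i, idx);
    return out;
}

/* Bounds-check-bypass (Spectre v1) index mask: all-ones when idx < size,
 * zero otherwise, using only unsigned arithmetic. Equivalent in effect to
 * Linux's array_index_mask_nospec(); like it, assumes idx and size are below
 * SIZE_MAX / 2. */
size_t index_mask_nospec(size_t idx, size_t size)
{
    /* top bit of (idx | (size - 1 - idx)) is set iff idx >= size */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1;
}

/* Architecturally the bounds check rejects a bad index; under misspeculation
 * the CPU may run past it, so the index is also masked before the load. An
 * LFENCE after the check is the other option Intel documents. */
uint8_t bounded_read(const uint8_t *table, size_t size, size_t idx)
{
    if (idx >= size)
        return 0;
    idx &= index_mask_nospec(idx, size);
    return table[idx];
}

int main(void)
{
    const uint8_t key[4]   = {0xde, 0xad, 0xbe, 0xef};  /* constructed */
    const uint8_t guess[4] = {0xde, 0xad, 0x00, 0x00};  /* constructed */

    printf("leaky_compare: %d  ct_compare: %d\n",
           leaky_compare(key, guess, 4), ct_compare(key, guess, 4));
    printf("ct_lookup(5) = 0x%02x, table[5] = 0x%02x\n",
           ct_lookup(kTable, TABLE_SIZE, 5), kTable[5]);
    printf("bounded_read(3) = 0x%02x, bounded_read(100) = 0x%02x\n",
           bounded_read(kTable, TABLE_SIZE, 3),
           bounded_read(kTable, TABLE_SIZE, 100));
    return 0;
}
```

Compile with optimisation and inspect the generated assembly before trusting any of this: a compiler is free to turn the mask arithmetic back into a conditional branch or `cmov`, and production code (OpenSSL's constant-time helpers, the Linux `nospec.h` macros) pins the shape with inline assembly or barriers for exactly that reason.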

Conflict of Interest Edit Request - Missing Security Vulnerability Mitigations
Hello editors,

I have a conflict of interest so I won't edit the Intel Software Guard Extensions page directly. The page has a section called "Demonstrations of SGX's Vulnerability." Security vulnerabilities are important for readers, but equally important are the patches and mitigations that close those vulnerabilities. In a previous request, the editors asked that I steer away from citing information on the Intel website over questions of objectivity. The edit requests below only point to non-Intel sources. Hope that works OK, and thank you for your consideration.

Suggested additions and citations:

Spectre-like attack: Please add, "A security advisory and mitigation for this attack, also called an L1 Terminal Fault, was originally issued on August 14, 2018 and updated May 11, 2021." Citation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615

Micro-Scope Replay attack: Please add, "In July 2022, Intel submitted a Linux patch called AEX-Notify to allow the SGX enclave programmer to write a handler for these types of events." Citation https://lore.kernel.org/lkml/YsuMK0JIYqqjtVdk@kernel.org/T/

Plundervolt: Please add, "A security advisory and mitigation for this attack was originally issued on August 14, 2018 and updated on March 20, 2020." Citation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11157

LVI: Please add, "A security advisory and mitigation for this attack was originally issued on March 10, 2020 and updated on May 11, 2021." Citation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0551

SGAxe: Please add, "A security advisory and mitigation for this attack, also called a Processor Data Leakage or Cache Eviction, was originally issued January 27, 2020 and updated May 11, 2021." Citation https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0549 134.134.137.82 (talk) 18:43, 22 August 2022 (UTC)
 * Done I did this for you. Edhaves (talk) 17:07, 17 October 2022 (UTC)

Add: Platypus attack
There's another source of attack on this. Platypus.

https://platypusattack.com/

> With SGX, Intel released a security feature to create isolated environments, so-called enclaves, that are secure even if the operating system is compromised. In our work, we combine PLATYPUS with precise execution control of SGX-Step. As a result, we overcome the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, we recover RSA keys processed by mbed TLS from an SGX enclave. Keybounce (talk) 07:36, 12 December 2023 (UTC)