
SGX: when 20 patch versions aren't enough

By Jonathan Corbet
April 23, 2019
Intel's "Software Guard Extensions" (SGX) feature allows the creation of encrypted "enclaves" that cannot be accessed from the rest of the system. Normal code can call into an enclave, but only code running inside the enclave itself can access the data stored there. SGX is pitched as a way of protecting data from a hostile kernel; for example, an encryption key stored in an enclave should be secure even if the system as a whole is compromised. Support for SGX has been under development for over three years; LWN covered it in 2016. But, as can be seen from the response to the latest revision of the SGX patch set, all that work has still not answered an important question: what protects the kernel against a hostile enclave?

The proposed API for creating and controlling enclaves is complex, so one would expect it to come with comprehensive documentation. The actual API documentation turns out to be a little sparse, though. One starts by opening /dev/sgx/enclave; there are no privilege checks in the kernel, so the ability to open and act upon this file is determined solely by its permission bits. The SGX_IOC_ENCLAVE_CREATE ioctl() command will begin the process of setting up an enclave in the system. Each page of code or data must then be added with a separate SGX_IOC_ENCLAVE_ADD_PAGE call; the contents of those pages will be encrypted by the processor so that they will be unreadable outside of the enclave. When that process is complete, the enclave is sealed with an SGX_IOC_ENCLAVE_INIT operation. At that point, the system loses its ability to manipulate the contents of the enclave; it can call into the enclave to ask for services, but cannot read or modify any of the data stored therein.

After 20 revisions of the patch set over three years, the authors of this work (which was posted by Jarkko Sakkinen) might well be forgiven for thinking that it must be about ready for merging. This posting evoked a new round of opposition, though, that seems likely to delay things for at least a couple more rounds.

The most vocal critic is Greg Wettstein, who has clearly been working with SGX and Intel's out-of-tree driver for some time. His complaints put off some developers with their tone and verbosity, and not all of them were seen as being entirely valid. He was, for example, unhappy that the user-space API has changed from previous versions of the patch set, breaking his current code. But, since this functionality has never been supported in a mainline kernel, there was little sympathy on offer. Some of his other observations, though, needed to be taken more seriously.

When SGX support was first proposed for Linux in 2016, one of its "features" was that only code that had been signed by Intel would be accepted into an enclave. This restriction was less than popular at the time, since it essentially guaranteed that enclaves would be restricted to running binary blobs. It was made clear that, as long as Intel retained control over which code could run under SGX, support would not be merged into the kernel. Since then, Intel has added "flexible launch control" on some CPUs, which removes this restriction. Now, it seems, things may be a little bit too open.

The core of Wettstein's main complaint is that it is now possible for anybody who can open /dev/sgx/enclave to create and launch an enclave. In theory, that ability would do little for an attacker, since there is little that can actually be done inside an enclave. Any code running inside is restricted to what is available in the enclave itself; there is no ability to call outside code, to make system calls, or even to access facilities like timers. But, as Wettstein pointed out, it has been demonstrated [PDF] that code running within an enclave is able to carry out a number of cache-based, information-exfiltration attacks, even against code running in other enclaves.

Many of these attacks, of course, can be run by code outside of an enclave as well. But running inside of an enclave changes the picture significantly, since the host system has no way to know what that code is doing. Code hiding within an enclave cannot be monitored, profiled, or examined; for an attacker, an enclave is a convenient shadow in which to lurk while trying to exploit various types of information-disclosure vulnerabilities. The fact that one might normally expect the permissions on /dev/sgx/enclave to restrict access to root does little to improve this scenario: remember that the whole purpose of SGX is to defend against a compromised host.

Wettstein's message included a proposed solution, in the form of an interface to the SGX launch control mechanism. The system administrator could configure, at system-initialization time, a set of keys that would be recognized as valid for the signing of enclave contents; only properly signed enclaves could then be launched. Once the set of keys has been established, it can be rendered immutable. A sufficiently advanced attack against the kernel could perhaps circumvent this restriction, but it raises the bar considerably.

This proposal doesn't appear likely to get far; see, for example, Andy Lutomirski's criticism of both the code and the policies that it implements. If the sort of launch control envisioned by Wettstein is to be implemented, Lutomirski said, it should be based more firmly in the kernel. He thought that this feature, should it ever be implemented, could be added after the initial SGX support goes upstream. When pressed by Wettstein, though, Lutomirski did agree that a related problem exists:

There are many, many Linux systems that enforce a policy that *all* executable text needs to come from a verified source. On these systems, you can't mmap some writable memory, write to it, and then change it to executable. (Obviously, JITs either don't work or need special permissions on these systems.)

Unless I'm missing it, the current SGX API is entirely incompatible with this model -- the host process supplies text *bytes* to the kernel, and the kernel merrily loads those bytes into executable enclave memory. Whoops!

The restriction mentioned here is typically enforced by a Linux security module (LSM) such as SELinux. With an appropriate policy loaded, the LSM will prohibit the enabling of execute permission on any memory that has ever been mapped writable. With that restriction in place, executable code can only come from the filesystem, which can be verified using a number of mechanisms built into the kernel. The SGX API bypasses all of this, though, allowing a process to run any code it wants as long as it is inside an enclave.

This problem is seen as being a bit of a show-stopper; changing SGX so that it plays well with security modules could require API changes, so it really needs to happen before the code goes upstream. Lutomirski proposed a solution where, rather than passing individual pages into an enclave, user space would pass a descriptor for a file containing the enclave data; security modules and the integrity subsystem would then be given a chance to examine the situation and allow or deny the operation. Unsurprisingly, some of the developers involved were less than happy about making more changes, but the development community is likely to stand firm on this one.

That last point was driven home by Linus Torvalds, who noted that Intel's transactional memory feature turned out to be more useful to attackers than to anybody else. SGX, he said, might turn out in a similar way, so "the patches to enable it should make damn sure that the upsides actually outweigh the downsides". At a minimum, making LSM support work properly would seem to be an important part of providing the assurance that Torvalds is asking for.

Thus, it would seem, even 20 revisions are not going to be enough for the SGX feature. Security technologies are not easy to get right in the best of times; mechanisms that have to play well with other security features are certain to be even harder. It seems likely that, as processors — and the security-related mechanisms they provide — become more complex, the discussions around how they are to be supported in the kernel will become more difficult.

Index entries for this article
Kernel: Security/Memory encryption
Security: Encryption/Memory



SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 1:01 UTC (Wed) by amarao (guest, #87073) [Link] (7 responses)

I can understand why there is a need for enclave data concealment, but I can't understand why the code should not be open for inspection. Make it read-only, and half the concern is gone.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 6:39 UTC (Wed) by smurf (subscriber, #17840) [Link] (4 responses)

The whole enclave is encrypted. There's no way to read the bytes in there, code or data doesn't matter.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 9:45 UTC (Wed) by grawity (subscriber, #80596) [Link] (3 responses)

Um, but that was already the question: why is the entire enclave encrypted, as opposed to just the "data" pages being encrypted. "It's encrypted because it's encrypted" doesn't quite answer it. (The article notes that encryption is done at enclave startup time – the original code blob is merely signed, but not encrypted yet.)

Not that it would help much, if at all. You'd quickly find malware putting a bytecode interpreter in the "code" part, and all the interesting stuff being stored as "data".

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 13:29 UTC (Wed) by mageta (subscriber, #89696) [Link]

As far as I know - in reference to this paper: https://arxiv.org/abs/1902.03256 (pretty nice paper; it shows that SGX enclaves can in fact do more than information retrieval: "With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware.") - the prime exploiters of SGX at this point are DRM systems, or systems that try to protect intellectual property in general. For me it is obvious why these users are interested in doing away with any access whatsoever, in order to limit the amount of reverse engineering the user can do on them.

In regards to the thought that the images are only signed, not encrypted: there are some thoughts on how attackers/drm-providers might load code into an enclave at run-time: http://theinvisiblethings.blogspot.com/2013/09/thoughts-o.... This way you cannot inspect the code at all, even if you can inspect the original image/blob.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 14:34 UTC (Wed) by smurf (subscriber, #17840) [Link]

Define "data". Constant data are stored in code pages. Like a hardcoded encryption key (those can't always be avoided). Game over if anybody can read that.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 16:57 UTC (Wed) by flussence (guest, #85566) [Link]

It's encrypted because it's *designed* first and foremost to run malware - specifically corporate DRM.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 17:01 UTC (Wed) by luto (guest, #39314) [Link]

The code is open for inspection, or at least the initial code is. SGX only provides confidentiality after the enclave starts running.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 20:16 UTC (Wed) by mm7323 (subscriber, #87386) [Link]

It could be as simple as the bit of hardware that does the encryption and decryption for enclave page accesses following the von Neumann architecture: it makes no distinction between code and data, so it all ends up encrypted. Just a guess though.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 14:43 UTC (Wed) by quotemstr (subscriber, #45331) [Link] (1 responses)

I've never liked measures that try to limit PROT_EXEC to signed code. What's the point? Executing processor instructions isn't the only way to write code! Whatever machine code can do, I can write a little interpreter to do. PROT_EXEC restrictions prevent nothing! As far as I'm concerned, banning PROT_EXEC is useless security theater that makes computers slower for no reason. (I'm okay with W^X so long as a W->X transition is possible.)

SGX: when 20 patch versions aren't enough

Posted Jul 26, 2019 3:13 UTC (Fri) by immibis (subscriber, #105511) [Link]

That measure would be part of a defense-in-depth scenario for an embedded system for example. Not something you need to be concerned about coming to your desktop.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 14:55 UTC (Wed) by XTerminator (subscriber, #59581) [Link] (17 responses)

I can't wrap my head around the whole principle of the thing, why would a hostile kernel even allow you to create an enclave and how could anyone think to trust a hostile kernel? The data you load into the enclave is accessible to the hostile kernel. Only the copy of the data inside the enclave is encrypted.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 17:58 UTC (Wed) by mageta (subscriber, #89696) [Link]

If we talk about DRM or the like, virtually any kernel is "hostile", and they might still wanna load the binary, because it is the gateway to stuff you bought/rented. It is enough for the code/data in the enclave to be encrypted - via remote attestation of the initial image and then dynamic load of further load/data via a remote site (might be encrypted), the "hostile" kernel can not influence or even know what is done in the enclave.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 18:04 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link] (15 responses)

I can't wrap my head around the whole principle of the thing, why would a hostile kernel even allow you to create an enclave and how could anyone think to trust a hostile kernel?

The point isn't that the kernel is hostile to the person who owns the computer, but that it might be hostile to the process running in the enclave. The classic example that everyone loves to point out is DRM, where the whole point of using DRM is to prevent the owner of the system from being able to access the data. In that case, the DRM process has to consider the OS to be at least potentially hostile.

A less worrying case is cloud computing. Some people might be reluctant to rely on cloud computing if they're worried that the cloud provider (or another customer who's using the same physical device) might be able to access their secret data. Having a mechanism that lets cloud users send all their information to the cloud encrypted, process it in a secure enclave that even the OS can't spy on, and send it home encrypted would be a really nice way of allaying that fear.

IOW, it's true that a hostile kernel would probably disable the enclave feature. That means offering the enclave feature is a plausible promise that the kernel isn't hostile, which is something you might want an assurance of if you're running on a system that you don't completely control.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 18:19 UTC (Wed) by sfeam (subscriber, #2841) [Link] (6 responses)

I don't understand why this scheme would be trusted by, say, a user reluctant to send sensitive data to a cloud server. Wouldn't a truly hostile kernel want to pretend it was providing a secure enclave, but then peek at the contents anyway? How can code running inside the enclave know for sure that the 'protections' are being honored by the host kernel?

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 19:00 UTC (Wed) by excors (subscriber, #95769) [Link] (5 responses)

If I understand correctly, that's what the remote attestation is for. The secure chip could generate a message like "I'm running a binary with hash X, and I've generated a key pair with public key Y and shared the private key with X", then sign that message using a per-chip private key that's stored securely inside the chip and is signed by the chip's manufacturer. A hostile kernel can't fake that message because it doesn't have the keys. The user can verify all the signatures, then encrypt their data with Y, send it to the cloud server, and it can only be decrypted by the secure chip that's definitely running X.

The user has to trust the manufacturer of the secure chip to implement everything properly, to not leak the private keys, etc. But they don't have to trust the cloud provider at all, or any of the other chips in the server, so it's a significant improvement.

SGX: when 20 patch versions aren't enough

Posted Apr 24, 2019 19:36 UTC (Wed) by nix (subscriber, #2304) [Link] (4 responses)

In order to retain anonymity, these keys are shared by millions of machines at once... and then side-channel attacks made it possible to leak those keys. Oops!

SGX seems to me like a nearly impossible thing to get right. Intel's CPU architecture is just too complex to be side-channel free, which means you cannot expect things running on the main CPU, encrypted or not, to be exfiltration-proof, in either direction.

SGX: when 20 patch versions aren't enough

Posted Apr 25, 2019 0:16 UTC (Thu) by luto (guest, #39314) [Link] (3 responses)

Nope, the keys are per-CPU. Side channel leaks can break SGX, but so far they haven’t even come close to leaking the real key. And Intel has a way to prevent CPUs with out of date microcode from passing the attestation check.

What I don’t quite understand is how Intel is handling L1TF. As I understand it, even microcode can’t work around it if Hyperthreading is on.

(With the newer, easier, and vastly simpler attestation mechanism, there is no privacy whatsoever.)

SGX: when 20 patch versions aren't enough

Posted Apr 25, 2019 20:42 UTC (Thu) by nix (subscriber, #2304) [Link] (2 responses)

The keys are per-CPU, but there is a pseudonymous attestation mode which uses keys shared by large numbers of CPUs. At least some of those keys have (allegedly?) been extracted through side-channel attacks (see e.g. FORESHADOW).

SGX: when 20 patch versions aren't enough

Posted Apr 25, 2019 21:01 UTC (Thu) by luto (guest, #39314) [Link] (1 responses)

Indeed. That entire mechanism is all software and a decent fraction of it runs in the cloud. The mechanism I'm talking about is newer and a bit closer to the raw hardware mechanism. It's described here:

https://software.intel.com/en-us/blogs/2018/12/09/an-upda...

SGX: when 20 patch versions aren't enough

Posted Apr 26, 2019 13:12 UTC (Fri) by nix (subscriber, #2304) [Link]

Ah, this was their post-attack fix: I didn't know one had been released yet, let alone that it was part of the same thing that included opening up enclave signing so it's actually useful to anyone other than very large corporations that can get their DRM malware signed by Intel.

I'm not sure if this works on existing SGX-supporting processors with a microcode update, or only on new ones: the link to a list of supported processors in the page you link to is empty for me. (If it does work only on new ones, the omens are rather bad: if every attack means you have to buy new hardware to be able to use SGX securely again, it will be a *long* time before this becomes useful to the general public.)

SGX: when 20 patch versions aren't enough

Posted Apr 25, 2019 19:45 UTC (Thu) by ju3Ceemi (subscriber, #102464) [Link] (7 responses)

"That means offering the enclave feature is a plausible promise that the kernel isn't hostile, which is something you might want an assurance of if you're running on a system that you don't completely control."

As a naive person, I would think one can simply emulate the whole sgx stuff
If I own the kernel space, I can do whatever I want, even let you think you actually used sgx, while in fact, you did nothing

This whole "feature" is, to me, huge conceptual nonsense.

SGX: when 20 patch versions aren't enough

Posted Apr 25, 2019 20:52 UTC (Thu) by farnz (subscriber, #17727) [Link] (6 responses)

The bit you're missing is the hardware root of trust; I can get Intel's on-chip private key to sign a nonce that I then use to verify that it's my code running inside SGX. The kernel does not have that private key, so cannot generate the signature you need to get the code to execute.

SGX: when 20 patch versions aren't enough

Posted Apr 26, 2019 0:56 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link] (1 responses)

It seems as if there ought to be a way to deal with this through something like a MITM attack. It would work something like:

  1. Malicious admin sets up a real enclave with software that can have a nonce signed by the hardware key.
  2. Malicious admin creates a system to make fake enclaves for their users.
  3. User creates a fake enclave and asks the hardware to sign a nonce.
  4. Malicious admin intercepts the nonce, sends it to his own enclave to have it signed, and returns the signed nonce to the fake enclave.
  5. User believes his nonce being signed is proof that the system hasn't been compromised

I will admit I'm not a security professional, but what is the mechanism for preventing something like this?

SGX: when 20 patch versions aren't enough

Posted Apr 26, 2019 1:54 UTC (Fri) by excors (subscriber, #95769) [Link]

It doesn't sign just the nonce, it signs the nonce plus an identifier of the application running in the enclave, plus (I think) parts of a key exchange protocol. Those exchanged keys will get wiped whenever the application is replaced. The user can communicate using those keys, with a guarantee that those keys are known only by a single instance of their real application running in a real enclave, so they're communicating securely with their remotely-hosted application.

The only thing a MITM can do is redirect the request to another real enclave running the user's real application (because that's the only way to get a valid signature), then observe the encrypted traffic to that application (they can't decrypt it because the enclave is designed to keep those keys secret even when the attacker has physical access). And that's not really an attack, that's just free secure hosting for the user.

SGX: when 20 patch versions aren't enough

Posted Apr 26, 2019 10:36 UTC (Fri) by LtWorf (subscriber, #124958) [Link] (1 responses)

But I could also run the same code twice, inside the enclave and with a debugger, thus learning what it's doing. Or am I missing something?

SGX: when 20 patch versions aren't enough

Posted Apr 26, 2019 13:45 UTC (Fri) by smurf (subscriber, #17840) [Link]

Presumably the enclave isn't running in a vacuum but requires external data to process, which you can send to it by way of attestation-based encryption. Your debugger can't get an attestation and thus doesn't have the key to decrypt the data.

SGX: when 20 patch versions aren't enough

Posted Apr 28, 2019 10:09 UTC (Sun) by ballombe (subscriber, #9523) [Link] (1 responses)

How do you get the public key ?

SGX: when 20 patch versions aren't enough

Posted Apr 28, 2019 13:27 UTC (Sun) by farnz (subscriber, #17727) [Link]

Your Intel FSE should be able to help you out :-(. There doesn't appear to be a generally available public key for SGX; those are things you get under NDA.


Copyright © 2019, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds