Implications of Upcoming Total Memory Encryption (TME)

apache / incubator-teaclave-sgx-sdk

Apache Teaclave (incubating) SGX SDK helps developers to write Intel SGX applications in the Rust programming language, and also known as Rust SGX SDK.

https://teaclave.apache.org

Apache License 2.0

1.16k stars 259 forks source link

Implications of Upcoming Total Memory Encryption (TME) #333

Open LeibnizCapital opened 3 years ago

LeibnizCapital commented 3 years ago

What's the impact of TME release on this SDK?

dingelish commented 3 years ago

according to what i've known, no major changes in this sdk. things should work smoothly except the attestation procedure.

dingelish commented 3 years ago

here are some other contexts i have:

TME is total memory encryption, another memory encryption technology apart from Intel SGX Memory Encryption Engine.
Differences between TME and SGX MEE: SGX MEE guarantees memory integrity by maintaining a merkle tree. meanwhile the depth of the merkle tree limits the size of EPC; TME does not guarantee memory integrity (1st generation of TME) so EPC size limit is significantly higher than SGX MEE.
Intel SGX v2 (upcoming in icelake+whitley) uses MKTME, Multi-Key TME
Intel TDX, as a competitor of AME SEV, uses MKTME as well: https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html

PiDelport commented 2 years ago

According to https://www.kernel.org/doc/html/v5.11/x86/sgx.html#encryption-engines:

In CPUs prior to Ice Lake, the Memory Encryption Engine (MEE) is used to encrypt pages leaving the CPU caches. MEE uses a n-ary Merkle tree with root in SRAM to maintain integrity of the encrypted data. This provides integrity and anti-replay protection but does not scale to large memory sizes because the time required to update the Merkle tree grows logarithmically in relation to the memory size.

CPUs starting from Icelake use Total Memory Encryption (TME) in the place of MEE. TME-based SGX implementations do not have an integrity Merkle tree, which means integrity and replay-attacks are not mitigated. B, it includes additional changes to prevent cipher text from being returned and SW memory aliases from being Created.

Is this accurate?

If I understand it correctly, this would compromise the security properties of SGX dramatically, and make it unsuitable for many current applications, wouldn't it?

jknight commented 2 years ago

It looks like we need to be very careful about processor selection if we want SGX MEE and not TME. I'm reading these specs as saying "if it has TME then it isn't using MEE".

Maybe there's a BIOS setting to set Ice Lake chips to use MEE with a smaller Enclave Page Size (ie 0.5 GB) ?
Xeon E series all seem to have SGX MEE.

Intel® Xeon® E-2386G Processor Rocket Lake

Q3'21
Intel® Software Guard Extensions (Intel® SGX): Yes with Intel® SPS
[Doesn't mention TME so must be MEE]
Maximum Enclave Page Cache (EPC) Size for Intel® SGX: 0.5 GB

Intel® Xeon® Gold 6312U Ice Lake

Q2'21
Intel® Software Guard Extensions (Intel® SGX): Yes with Intel® SPS
Intel® Total Memory Encryption: Yes [so not MEE]
Maximum Enclave Page Cache (EPC) Size for Intel® SGX: 64 GB