RE: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX enclaves

From: Reshetova, Elena
Date: Thu Jul 24 2025 - 08:49:23 EST

Next message: Adrian Hunter: "[PATCH V5 2/3] x86/tdx: Tidy reset_pamt functions"
Previous message: Adrian Hunter: "[PATCH V5 1/3] x86/tdx: Eliminate duplicate code in tdx_clear_page()"
In reply to: Huang, Kai: "Re: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX enclaves"
Next in thread: Huang, Kai: "Re: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX enclaves"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: Huang, Kai <kai.huang@xxxxxxxxx>
> Sent: Thursday, July 24, 2025 2:13 PM
> To: Reshetova, Elena <elena.reshetova@xxxxxxxxx>; Hansen, Dave
> <dave.hansen@xxxxxxxxx>
> Cc: seanjc@xxxxxxxxxx; mingo@xxxxxxxxxx; Scarlata, Vincent R
> <vincent.r.scarlata@xxxxxxxxx>; x86@xxxxxxxxxx; jarkko@xxxxxxxxxx;
> Annapurve, Vishal <vannapurve@xxxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx;
> Mallick, Asit K <asit.k.mallick@xxxxxxxxx>; Aktas, Erdem
> <erdemaktas@xxxxxxxxxx>; Cai, Chong <chongc@xxxxxxxxxx>; Bondarevska,
> Nataliia <bondarn@xxxxxxxxxx>; linux-sgx@xxxxxxxxxxxxxxx; Raynor, Scott
> <scott.raynor@xxxxxxxxx>
> Subject: Re: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX
> enclaves
>
> On Thu, 2025-07-24 at 11:02 +0300, Reshetova, Elena wrote:
> > == Background ==
> >
> > ENCLS[EUPDATESVN] is a new SGX instruction [1] which allows enclave
> > attestation to include information about updated microcode SVN without a
> > reboot. Before an EUPDATESVN operation can be successful, all SGX memory
> > (aka. EPC) must be marked as “unused” in the SGX hardware metadata
> > (aka.EPCM). This requirement ensures that no compromised enclave can
> > survive the EUPDATESVN procedure and provides an opportunity to generate
> > new cryptographic assets.
> >
> > == Patch Contents ==
>
> Nit: you can use "Solution" instead of "Patch Contents".

Sure.

>
> >
> > Attempt to execute ENCLS[EUPDATESVN] every time the first file descriptor
> > is obtained via sgx_(vepc_)open(). In the most common case the microcode
> > SVN is already up-to-date, and the operation succeeds without updating SVN.
>
> (Sorry I forgot to say this in the previous versions):
>
> If I read the pseudo code correctly, when the SVN is already up-to-date,
> the EUPDATESVN doesn't update SVN but it re-generates crypto assets
> anyway.
>
> This is no harm per the pseudo code, since the "crypto assets" is actually
> the CR_BASE_KEY which is only used by EWB/ELDU flow per the SDM.
>
> In other words, it doesn't impact other enclave visible keys (those from
> EGETKEY) such as sealing key.
>
> I think this is important. Because if enclave visible keys such as
> sealing key are lost on EUPDATESVN when SVN is already up-to-date (which
> is the most common case), it will bring significant visible impact to
> enclave. E.g., one enclave could find its secret encrypted by sealing key
> could never be retrieved after it restarts.
>
> Assuming I didn't miss anything, can we also mention this in the
> changelog?

Yes, you are right, anything like above behaviour would be a nightmare
in practice. So would smth like this work as an additional text:

"Note that in cases when SVN is already up-to-date and EUPDATESVN
is executed, it does not affect enclaves' visible keys obtained via EGETKEY
instruction."

?

Best Regards,
Elena.

Next message: Adrian Hunter: "[PATCH V5 2/3] x86/tdx: Tidy reset_pamt functions"
Previous message: Adrian Hunter: "[PATCH V5 1/3] x86/tdx: Eliminate duplicate code in tdx_clear_page()"
In reply to: Huang, Kai: "Re: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX enclaves"
Next in thread: Huang, Kai: "Re: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX enclaves"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]