Why Did Intel Deprecate SGX?
a year ago
- #Hardware
- #Intel SGX
- #Security
- Intel SGX is being deprecated in new processors, except for high-end Xeon CPUs for servers.
- SGX was introduced in 2015 with the 6th generation Skylake processors to address trust issues in cloud environments.
- SGX's complexity spans hardware (the Memory Encryption Engine, MEE), microcode, and firmware (the Intel CSME infrastructure).
- SGX uses Intel EPID for attestation, which is complex and involves multiple CSME code modules.
- The attestation process depends on secrets stored in eFUSEs and on keys generated by Intel's Key Generation Facility.
- SGX's implementation relies on a complex key derivation function (KDF) process and on keys stored in encrypted eFUSEs.
- SGX's threat model initially included cloud service vendors and system administrators but missed kernel privilege attacks.
- Issues with SGX include over-design, lack of transparency, and potential use to protect malware.
- SGX's Linux kernel integration was delayed due to unresolved issues and was merged in Linux kernel v5.11 in Feb 2021.
- Despite its issues, SGX remains an effective security mechanism for server markets.
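The KDF and eFUSE bullets describe the principle that per-enclave keys are derived from a root secret that never leaves the hardware, mixed with the enclave's identity and a security version number. The following Python model, added here as an illustration rather than Intel's own code, shows that principle with an HKDF over a constructed placeholder root key: the two key policies (bind to the exact enclave measurement, or to the signer), and the rule that an enclave can obtain keys only for security versions no newer than its own, so an updated enclave can still unseal old data while an outdated one cannot reach the new key. The primitive (HMAC-SHA256 HKDF), the input layout, and the measurement values are assumptions of the model; real SGX uses different primitives and more derivation inputs.

```python
"""Illustrative model of SGX-style sealing-key derivation (added example,
not Intel's KDF). A root secret that never leaves the hardware is mixed with
the enclave's identity and a security version number (SVN)."""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 16) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed placeholder standing in for a root seal key burned into eFUSEs
# at manufacture; in hardware this value is never readable by software.
ROOT_SEAL_KEY = hashlib.sha256(b"constructed-root-seal-key-placeholder").digest()

# Constructed enclave identities: two builds of one enclave and its signer.
MRENCLAVE_V1 = hashlib.sha256(b"constructed-enclave-build-v1").digest()
MRENCLAVE_V2 = hashlib.sha256(b"constructed-enclave-build-v2").digest()
MRSIGNER_A = hashlib.sha256(b"constructed-signer-A").digest()


def derive_seal_key(mrenclave: bytes, mrsigner: bytes, isv_svn: int, policy: str) -> bytes:
    """Derive a 128-bit sealing key under one of two policies (model assumption):
    'MRENCLAVE' binds the key to the exact enclave measurement, so a rebuilt
    enclave gets a different key; 'MRSIGNER' binds it to the signer, so any
    enclave from the same signer can unseal the data."""
    if policy == "MRENCLAVE":
        identity = mrenclave
    elif policy == "MRSIGNER":
        identity = mrsigner
    else:
        raise ValueError("unknown key policy: %r" % policy)
    # Policy label, identity and SVN all feed the derivation context.
    info = policy.encode() + identity + isv_svn.to_bytes(2, "big")
    return hkdf_sha256(ROOT_SEAL_KEY, salt=b"seal-key", info=info)


def request_key(mrenclave: bytes, mrsigner: bytes, current_svn: int,
                requested_svn: int, policy: str) -> bytes:
    """Model of the version check on a key request: an enclave may obtain keys
    for its own SVN or older ones (to unseal data sealed by earlier versions),
    but never for a newer SVN than it currently runs at."""
    if requested_svn > current_svn:
        raise PermissionError("requested SVN %d is newer than enclave SVN %d"
                              % (requested_svn, current_svn))
    return derive_seal_key(mrenclave, mrsigner, requested_svn, policy)


def demo() -> dict:
    """Exercise the model and return the observations as booleans."""
    k_v1 = derive_seal_key(MRENCLAVE_V1, MRSIGNER_A, 1, "MRENCLAVE")
    k_v2 = derive_seal_key(MRENCLAVE_V2, MRSIGNER_A, 1, "MRENCLAVE")
    s_v1 = derive_seal_key(MRENCLAVE_V1, MRSIGNER_A, 1, "MRSIGNER")
    s_v2 = derive_seal_key(MRENCLAVE_V2, MRSIGNER_A, 1, "MRSIGNER")
    # Version 2 of the enclave (SVN 2) asks for the SVN-1 key to unseal old data.
    old_key_from_new = request_key(MRENCLAVE_V1, MRSIGNER_A, 2, 1, "MRSIGNER")
    try:
        request_key(MRENCLAVE_V1, MRSIGNER_A, 1, 2, "MRSIGNER")
        downgrade_blocked = False
    except PermissionError:
        downgrade_blocked = True
    return {
        "mrenclave_policy_separates_builds": k_v1 != k_v2,
        "mrsigner_policy_shares_across_builds": s_v1 == s_v2,
        "new_version_can_unseal_old": old_key_from_new == s_v1,
        "old_version_cannot_reach_new_key": downgrade_blocked,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-40s %s" % (name, ok))
```

The design point the model makes concrete is why the eFUSE root secret matters so much: every sealing and attestation key is a deterministic function of it, so the hardware must keep it unreadable while still letting an updated enclave recover keys from older security versions.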