Intel's Software Guard Extensions broken? Don't panic

Today's news that Intel's Software Guard Extensions (SGX) security system is open to abuse may be overstated.

The issue, highlighted by Positive Technologies Russian researcher Mark Ermolov, would give an attacker full access to SGX's secure enclaves thanks to a coding slip-up. It looks like supposedly secure data could be accessible in end-of-life Gemini client and server systems, and possibly older but supported Xeons too.

"After years of research we finally extracted Intel SGX Fuse Key0, AKA Root Provisioning Key. Together with FK1 or Root Sealing Key (also compromised), it represents Root of Trust for SGX," Ermolov posted.

"They really tried hard to [protect] the key: the part of ucode works perfectly but they forgot to clear the internal buffer in the core IP holding all fuses (including FK0) acquired from Fuse Controller."

This could be seriously bad news. Key0 access would give complete access to any secured data in SGX, and while Intel has retired the system for client processors, there are still a lot of them in circulation – particularly in embedded systems.

However, Intel has pointed out that not only would an attacker need physical access to a machine to make this work, but that string of issues would have to have been left unfixed.

"What Positive Technologies seems to have found is expected based on previous mitigated vulnerabilities in DFX Aggregator logic, requiring physical access to Gemini Lake systems without Intel Firmware Version Control capability.

"An attacker must have physical access to an unmitigated system impacted by prior vulnerabilities (CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2019-0090) that allow Intel Unlock state to be achieved. Intel has provided mitigations for these prior vulnerabilities."

That said, there are a lot of Gemini processors out there. Obviously, it is not in the high-performance area - Gemini was retired last year by Intel. But they are still lurking around.

"Anything running on these processors used in an enclave, immediately look at stopping that for the affected platforms," Johns Hopkins boffin Pratyush Ranjan Tiwari told The Register. "It's totally possible all of these trusted enclaves can't be trusted at all."

The problem lies in the software used to lock down SGX, according to Tiwari. The bad coding would allow an attacker to grab the access rights to SGX-locked material, although it's not clear if this can be done remotely or would require local access.

SGX was introduced in 2015 with the Skylake processors range and was supposed to protect key code even from the manufacturer itself, but quickly ran into problems. It has been deprecated in later chips but is still around, and there are a lot of embedded systems that rely on it. ®