Re: [PATCH 0/6] Intel Secure Guard Extensions

From: One Thousand Gnomes
Date: Tue Apr 26 2016 - 17:00:34 EST

Next message: Ben Hutchings: "Re: [PATCH 1/3] module: Invalidate signatures on force-loaded modules"
Previous message: Eric Dumazet: "[PATCH] mm: tighten fault_in_pages_writeable()"
In reply to: Pavel Machek: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Next in thread: Pavel Machek: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> But... that will mean that my ssh will need to be SGX-aware, and that
> I will not be able to switch to AMD machine in future. ... or to other
> Intel machine for that matter, right?

I'm not privy to AMD's CPU design plans.

However I think for the ssl/ssh case you'd use the same interfaces
currently available for plugging in TPMs and dongles. It's a solved
problem in the crypto libraries.

> What new syscalls would be needed for ssh to get all this support?

I don't see why you'd need new syscalls.

> Ookay... I guess I can get a fake Replay Protected Memory block, which
> will confirm that write happened and not do anything from China, but

It's not quite that simple because there are keys and a counter involved
but I am sure doable.

> And, again, it means that quite complex new kernel-user interface will
> be needed, right?

Why ? For user space we have perfectly good existing system calls, for
kernel space we have existing interfaces to the crypto and key layers for
modules to use.

Alan

Next message: Ben Hutchings: "Re: [PATCH 1/3] module: Invalidate signatures on force-loaded modules"
Previous message: Eric Dumazet: "[PATCH] mm: tighten fault_in_pages_writeable()"
In reply to: Pavel Machek: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Next in thread: Pavel Machek: "Re: [PATCH 0/6] Intel Secure Guard Extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]