Intel SGX Async Exit Notification "AEX Notify" Lands In Linux 6.2
In addition to the in-development Linux 6.2 bringing TDX guest attestation support for use with new processors, another new hardware security feature being enabled with this next kernel release is Asynchronous Exit Notification for Software Guard Extensions (SGX).
The new SGX support code in the Linux 6.2 kernel allows for SGX-secured enclaves to use the Asynchronous Exit (AEX) Notification mechanism found with new Intel CPUs. The AEX Notify path allows for running a handler on exit events that in turn can mitigate issues like the SGX-Step vulnerability. AEX Notify support helps toughen the defenses around Intel's SGX against an entire class of attacks.
AEX Notify will be supported with upcoming Intel CPUs and may be available for select older processors via updated microcode.
With the now-merged x86/sgx code in Linux 6.2, the AEX Notify support is in place for both bare metal enclaves as well as use within KVM virtual machines (VMs) to better secure SGX enclaves on supported processors.
In addition to SGX AEX Notify and TDX guest attestation, other security improvements landing for Linux 6.2 also include Call Depth Tracking for lower-overhead mitigation of Retbleed with Skylake era processors, FineIBT as a control flow integrity option for CPUs with Indirect Branch Tracking (IBT) support, and a security enhancement in general is randomizing the per-CPU entry area.
The new SGX support code in the Linux 6.2 kernel allows for SGX-secured enclaves to use the Asynchronous Exit (AEX) Notification mechanism found with new Intel CPUs. The AEX Notify path allows for running a handler on exit events that in turn can mitigate issues like the SGX-Step vulnerability. AEX Notify support helps toughen the defenses around Intel's SGX against an entire class of attacks.
AEX Notify will be supported with upcoming Intel CPUs and may be available for select older processors via updated microcode.
With the now-merged x86/sgx code in Linux 6.2, the AEX Notify support is in place for both bare metal enclaves as well as use within KVM virtual machines (VMs) to better secure SGX enclaves on supported processors.
In addition to SGX AEX Notify and TDX guest attestation, other security improvements landing for Linux 6.2 also include Call Depth Tracking for lower-overhead mitigation of Retbleed with Skylake era processors, FineIBT as a control flow integrity option for CPUs with Indirect Branch Tracking (IBT) support, and a security enhancement in general is randomizing the per-CPU entry area.
Add A Comment