Intel Preparing Linux Support To Handle Live Microcode Updates Affecting SGX

While there have already been a number of vulnerabilities exhibited for Intel's Software Guard Extensions (SGX) from Prime+Probe to Plundervolt, Spectre-like attacks, SGAxe, and others, it looks like they expect more still to come in the future. Intel engineers are working on the ability for SGX to gracefully handle live CPU microcode updates without a reboot, which these days is increasingly driven for security mitigations and system administrators wanting to apply said updates right away while foregoing downtime.

A "request for comments" patch series being worked on for the Linux kernel is for being able to handle microcode updates affecting SGX on running systems. With more users hot-patching their kernels and applying microcode updates without rebooting the system, Intel has been sorting out a way to also allow these live microcode updates in the context of SGX. Intel's SGX hasn't allowed real-time microcode updates due to its attestation handling and the microcode versions being recorded as part of the attestation metric until the next system reboot.

Carrying out a CPU microcode update on a running system will break the SGX attestation with SGX enclaves stuck attesting to the old version until rebooted while new enclaves are presumed to be compromised due to the different version. Intel is introducing a new SGX instruction "EUPDATESVN" for allowing the enclave attestation to include information about updated microcode without a reboot.

EUPDATESVN is a new SGX instruction which allows enclave attestation to include information about updated microcode without a reboot.

Whenever a microcode update affects SGX, the SGX attestation architecture assumes that all running enclaves and cryptographic assets (like internal SGX encryption keys) have been compromised. To mitigate the impact of this presumed compromise, EUPDATESVN success requires that all SGX memory to be marked as "unused" and its contents destroyed. This requirement ensures that no compromised enclave can survive the EUPDATESVN procedure and provides an opportunity to generate new cryptographic assets.

This series implements the infrastructure needed to track and tear down bare-metal enclaves and then run EUPDATESVN, it will be called by the late microcode load path after the microcode update.

This is a very slow operation. It is, of course, exceedingly disruptive to enclaves but should be infrequent as microcode updates are released on the order of every few months. Also, this is not the first piece of the SGX architecture which will destroy all enclave contents.

A follow-on series will add Virtual EPC (KVM guest) support.

For those using Intel SGX and interested in the live microcode updates functionality being worked on, learn more via this RFC patch series for the Linux kernel.