Intel SGX Driver Updated But Likely Too Late For Linux 4.15
Not to be confused with PowerVR SGX, the Intel SGX driver was revised with new patches published today but it doesn't look like it will land for Linux 4.15.
SGX here stands for Software Guard Extensions. SGX instructions on modern Intel CPUs allow user code to allocate private memory regions (or "enclaves" in SGX speak) that are protected from higher privilege levels. SGX is useful in some secure computing scenarios, Digital Rights Management, and other areas where you are just looking to secure memory in a "reverse sandbox" type approach.
SGX has been supported since Intel Skylake, but there isn't yet a mainline Linux kernel driver. Today the sixth version of the Intel SGX Linux driver was published, with changes addressing feedback from the previous review, an updated API, etc.
The patch series further describes the work as:
"Intel SGX is a set of CPU instructions that can be used by applications to set aside private regions of code and data. The code outside the enclave is disallowed to access the memory inside the enclave by the CPU access control. In a way you can think that SGX provides inverted sandbox. It protects the application from a malicious host.
"There is a new hardware unit in the processor called Memory Encryption Engine (MEE) starting from the Skylake microarchitecture. BIOS can define one or many MEE regions that can hold enclave data by configuring them with PRMRR registers.
"The MEE automatically encrypts the data leaving the processor package to the MEE regions. The data is encrypted using a random key whose life-time is exactly one power cycle."
With the Linux 4.15 kernel merge window having already started, and this driver still under review and not yet in a -next tree, this Intel SGX support will likely have to wait until at least Linux 4.16 before reaching mainline. The Linux onboarding of this support has been going on now for almost two years.