Intel encryption technology SGX: Root key read out, attack unlikely

One expert overcame all the safeguards against reading the central SGX key from an Intel CPU, but in practical terms this is of little significance.

Intel processor on mainboard

(Image: c’t Magazin)

Mark Ermolov from the Russian IT security company Positive Technologies reports via X that he has overcome a central protection component of Intel's Software Guard Extensions (SGX). After several years of tinkering, he has now succeeded in reading the Root Provisioning Key (RPK) from an Intel processor. Together with the Root Sealing Key (RSK), this forms the SGX Root of Trust (RoT). According to Ermolov, the RSK is also "compromised".

This initially sounds like a high security risk for Intel SGX, especially as the technology forms the basis for confidential computing on cloud servers with Intel Xeon processors. There, SGX enclaves serve as specially protected Trusted Execution Environments (TEEs) for processing sensitive data. Intel recommends the technology for electronic patient records (ePA), for example.


However, Intel plays this down and cites plausible reasons. Ermolov read out the SGX RPK only on a low-cost processor from the Celeron J/N series that was discontinued several years ago. He also had physical access to the system and exploited several security vulnerabilities for which, according to Intel, patches have been available since 2017. The access demonstrated by Ermolov is therefore not relevant to current confidential computing servers.

Ermolov has been working for around seven years on penetrating what are actually protected areas of Intel processors. In the process, he has already discovered a whole series of security gaps, some of which Intel has also closed.

In addition, Ermolov has put the spotlight on documented but previously little-known functions of Intel processors. These include the internal debugging system Trace Hub (Intel TH), which also includes a logic analyzer (Visualization of Internal Signals Architecture, VISA). The TH can be used via the USB 3.x controller integrated in Intel SoCs – but, as you would expect, only in the processor's debugging mode. This is actually only accessible to hardware developers who have concluded corresponding contracts with Intel. Ermolov has also overcome this protection with the Gemini Lake Celerons.

Key hierarchy at Intel SGX according to Microsoft France 2020.

(Image: Microsoft (France))

Intel itself no longer provides any documentation on the Root Provisioning Key (RPK). The graphic above comes from a four-year-old document from Microsoft France.

Ultimately, what matters most for SGX is the Provisioning Certification Key (PCK), which is derived from the RPK and the RSK. Intel signs it to enable remote attestation of SGX TEEs and also to allow compromised keys to be revoked.

According to older SGX documentation, Intel generates the RPK individually for each SGX-capable processor, "burns" it into an unchangeable memory area of the processor (E-Fuses/OTP memory) and stores it in a hardware security module (HSM) in a protected data center. The RSK is also individual for each SGX CPU and stored in E-Fuses/OTP, but Intel does not store it.

Mark Ermolov (at X: @markel) is a "Senior Software Engineer" at the Russian company Positive Technologies (PTI), according to his LinkedIn profile. This company has been on a US government embargo list since mid-2021. According to a report by US journalist Kim Zetter, PTI is accused of supporting Russian intelligence services in cyberattacks.

(ciw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.