Gentoo Archives: gentoo-user

From: "Max R.D. Parmer" <maxp@××××××××.is>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] [OT] Any thoughts on Intel Skylake SGX?
Date: Wed, 24 Feb 2016 00:28:15
Message-Id: 1456273683.2691325.529993930.1FFF1D35@webmail.messagingengine.com
In Reply to: [gentoo-user] [OT] Any thoughts on Intel Skylake SGX? by Frank Steinmetzger
It seems like SGX is intertwined with the Intel Management Engine,
Chapter 4 in Joanna Rutkowska's "Intel x86 considered harmful"[1] (pp.
35) goes in-depth on the potential issues with Intel ME.

That same book has some light discussion on SGX (pp. 20) but it seems
like, if you are concerned about ME eavesdropping, SGX wouldn't stop
that (at least as of October 2015).

If you are feeling paranoid but want an Intel chip, I would recommend
you choose the pre-vPro/AMT systems (Sandy Bridge or earlier, iirc). I
tend to think Intel ME is a very real risk for some users and will
remain so until users are more empowered to dictate its operation and
until there are good public audits of its code, and most importantly,
the ability to disable it.

Hopefully in a couple years we will have access to good quality laptops
running on RISC-V.

[1]: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
--
0x7D964D3361142ACF

On Tue, Feb 23, 2016, at 15:34, Frank Steinmetzger wrote:
> Hello list
>
> so I was about to treat myself to a new Thinkpad. After malware, backdoor
> and BIOS rootkit stories at Lenovo’s (which to my knowledge were all
> Windows-only problems) I already started looking elsewhere and even
> considered buying a used model which existed before all this modern crap
> came along, but always came back yet for lack of better alternatives.
>
> Today the new Skylake lineup which I’ve been awaiting since January
> finally appeared in the Lenovo online shop. Coincidentally also today¹,
> I found out about the next thing since TPM, Secure Boot & Co: the SGX
> (Software Guard Extension) instruction set which is part of all Skylake
> chips².
>
> The way I understood it is that it can be used to create private areas in
> memory that are inaccessible to any other program, even the operating
> system. Since it’s based on cryptographic signatures and Intel being the
> sole supplier of licences and signature keys, there are those who fear
> that Intel will – over time – gain unparalleled control over what we can
> and cannot run on our machines and that we will not be able to check what
> runs on our systems anymore. (Well, such fears are not really new to
> begin with).
>
> Infos are spare b/c it just hit the market a short while ago, and I’m no
> expert by far. Thus I seek guidance. With states and corporations
> sniffing at our every step as they are already, can I – in your
> considered opinion – still buy a Skylake device with good conscience?
>
> Am I seeing things too bleak in the context of constant attacks on open
> systems which – when puzzled together – give a horrible picture of our
> future in a society that doesn’t care as long as Facebook works?
>
> Or don’t I have to worry about it because this will only play a role in
> the walled gardens of contemporary commercial consuming interfaces
> (formerly known as operating systems, AKA Windows) or servers?
>
> Ew, I wanted to ask a simple question. Instead, I needed 30 minutes to
> write half a short story. Sorry and thanks for your time.
>
> ¹ German news article:
> http://www.heise.de/security/meldung/Kritik-an-Intels-Sicherheits-Architektur-Software-Guard-Extensions-3089439.html
> ² https://en.wikipedia.org/wiki/Software_Guard_Extensions
> --
> Gruß | Greetings | Qapla’
> Please do not share anything from, with or about me with any social
> network.
>
> This message was written using only recycled electrons.
> Email had 1 attachment:
> + signature.asc
> 1k (application/pgp-signature)
