-
Notifications
You must be signed in to change notification settings - Fork 539
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sgx_get_trusted_time #161
Comments
The trusted time is provided by the CSE/ME which is trusted HW. It's based upon the PRTC within the CSE/ME. This time does not guarantee wall-clock time, but rather delivers a robust source of relative time that would allow an enclave to provision wall-clock time via an offset if necessary. Regarding the code logic here, the call flow in pse_op enclave is: There is a secure session between PSE and CSE/ME so the messages are encrypted when passed to untrusted domain. The whole message flow looks like below: |
Hi Thanks a bunch for such nice and detailed response. I really appreciate that.
Is that right? Thanks again for your great support |
Hi, |
trusted_time is uint64_t in seconds relative, so you example can work but not a common usage scenario.
Reset CSE/ME will reset the nonce. Of course, Enclaves signed by different key get different nonce. |
Hi, |
Intel published a white paper on SGX Platform Service (Monotonic Counter and Trusted Time): https://software.intel.com/sites/default/files/managed/1b/a2/Intel-SGX-Platform-Services.pdf |
This seems a very good resource. I did not notice that before. |
This seems like an interesting discussion. |
Hi fatimanwar, your understanding of the time source epoch is correct. |
I recently figured out that in the sgx_get_trusted_time API execution flow which is, App Enclave <->AESM(untrusted)<-> PSE enclave(trusted) <-> AESM <->CSE/ME(trusted) even if all the data is encrypted, there is a chance that a malicious Operating System can delay the packet through the IPC communication between App Enclave and AESM. If a packet can be delayed, then the encrypted time value inside the packet will no longer make sense. So my question is, Is it possible for an OS to delay the packet between AESM and App enclave? If yes, then sgx_get_trusted_time can no longer be trusted. Kindly correct me if I am wrong? |
@fatimanwar, your understanding about the IPC delay is correct. A single reading of sgx_get_trusted_time does not provide a trusted wall clock time stamp. The IPC can be delayed, and the returned time stamp is in reference to a fixed (until time_epoch reset) but arbitrary starting value. The intended usage is to use two readings of this API to enforce an expiration policy, for example access to a downloaded ERMed document expiring after 3 days and the user must go online to reverify access right. The system is design to guarantee that the difference between the two readings is larger than the time passed between the Instance the first call RETURNs and the instance the second call is INVOKEed, no matter how much delay is introduced to each call. This security property provides what’s needed to enforce the expiration policy. An implementation can record the reading of the first call AFTER the first call RETURNs, where the 3 day expiration counter starts ticking. When the enclave needs to check expiration, say before decrypting the ERMed doc for viewing, it INVOKEs the API again. If the time between the first call RETURNing and the second call INVOKing is more than 3 days, the difference between the value returned in the second call and the value recorded for the first call is guaranteed to be more than 3 days. Therefore, an attacker can’t trick the system to decrypt the doc after the expiration period of 3 days, with the counting starting when the first call RETURNs. |
@bodzhang thanks for your detailed response and I understand the use case for the sgx_get_trusted_time API. Also, would the OS be able to pull off a replay attack for this scenario? Say the OS would always return the same value (previously recorded) for every invocation of sgx_get_trusted_time API hence not enforcing an expiration policy ever? |
@fatimanwar, the secure channel between the CSME and PSE, and the secure channel between PSE and the Application Enclave, both have protection against replay attack using the captured message. Any replayed message will be detected and not considered a valid response, and might cause the PSE to reset the secure channel. PSE will not send trusted time response to Application Enclave's trusted time query request in this situation, unless the attack attempt is transient and the secure channel and legit message exchange resumed. The sgx_get_trusted_time() API will return error if the attack is persistent. |
Thanks. I have one question about the channel between AESM and CSME. From what I understood through forums and discussions, the AESM & CSME communicates through MEI driver which is a PCI memory mapped based peripheral. What I would like to know if this PCI memory used is protected and cannot be accessed by operating system in any way? Is there a chance of any kind of DMA attacks? |
@bodzhang I'm also curious about replay attacks. What does "the captured message" in your previous comment mean exactly? From what I read in the white paper:
It's not clear that messages sent in a secure session are associated nonces. Is that implicit? Can you clarify? Thanks. |
@bl4ck5un, the encrypted and integrity protected (using the "session" key established by the "PSE-CSME ephemeral session establishment flow") messages between PSE and CSME are transmitted through the OS layer, and thus can be captured/replayed by an attacker. The messages include sequence number to detect replay attacks. See psda_service.cpp->invoke_psda_service() for details. @fatimanwar, sorry for not addressing your question earlier. ME/CSME has its own runtime memory, not accessible by the host. The MEI interface supports data exchange between the host and the CSME through specific memory mapped access. https://www.amazon.com/Platform-Embedded-Security-Technology-Revealed/dp/143026571X/ might have detailed information you need. I do like to warn that the SGX related statement in the book is a bit ambiguous. SGX Technology itself does not depend on ME/CSME, only the SGX Platform Service, which is a SW service implemented in the Intel's SGX SW stack. |
@bodzhang Great. The sequence number is what I'm looking for. Thanks. |
Hi
Thanks for your efforts in maintaining the repo. I would like to ask about sgx_get_trusted_time I see it keeps going until it reaches pse_read_timer
What is the idea behind it? How can you guarantee security? Is it a trusted Hw or what?
Regards
The text was updated successfully, but these errors were encountered: