Will SGX be deprecated? #760
Comments
SGX will only be supported on new server platforms. New client systems don't have SGX support.
@andyzyb How about TME? Does any work need to be done on the SW side to adopt TME?
To me (a security researcher who has followed the attacks against SGX in detail), it makes no sense to continue support for SGX on servers if it is being deprecated on desktops. Deprecating it on desktop chips is a clear signal that:
The security arguments don't differ between desktop and servers. Is retaining it for servers just a face-saving exercise?
Personally, I am glad that new server platforms will have it. Signal makes use of it for private contact discovery, and doing this without SGX (or a similar technology) would be much more difficult. Also, SGX is a dependency of Intel’s Trusted Domain Extensions (TDX).
Source: https://github.com/Maxul/Awesome-SGX-Open-Source/blob/master/SGX-vs-TDX.md
Fact: Intel has deprecated SGX in the 11th, 12th generations of Core processors [1] [2].
Q1: Was SGX completely deprecated by Intel?
A1: No. Only PC processors.
Q2: Why will Intel TDX replace Intel SGX?
Personally, I believe that Intel TDX is a good alternative to Intel SGX. TDX outperforms SGX for the following reasons:
Given the above comparison, I do not see any wins for SGX. TDX supports remote attestation and memory encryption just like SGX does. Worse, recent scalable SGX on Xeon3 abandons memory integrity, making TDX and SGX almost the same security level. When TDX is released, SGX will probably be doomed in the long run.
Q3: Will Intel SGX be finally replaced by Intel TDX?
A3: Probably not. For two reasons:
[1] https://cdrdv2.intel.com/v1/dl/getContent/634648
[2] https://cdrdv2.intel.com/v1/dl/getContent/655258
@ScottR-Intel,
Intel vPro Business Client platforms starting with 11th Gen support Total Memory Encryption to encrypt memory. Here is more information on this feature: https://www.intel.com/content/dam/www/central-libraries/us/en/documents/white-paper-intel-tme.pdf. This feature provides protection against hardware snooping/memory dumping attacks. Unfortunately, we currently don’t have any technology on our client platforms against privileged software dumping memory.
I checked some Tiger Lake CPUs and found that many Tiger Lake CPUs don't support SGX, but some of them support TME (total memory encryption). Does this mean SGX will be deprecated?