LVI Mitigation? #842
The Load Value Injection attack vector against Intel SGX successfully circumvents the security of SGX. Details from Intel here. The Intel SGX SDK describes using their mitigated toolchain to mitigate the LVI vulnerability. Searching this repo for "LVI", I didn't find any results. Does Occlum support LVI mitigated SGX enclaves?
Replies: 1 comment
LVI mitigation is used for those Enclaves running on old CPUs, so by default Occlum does not open the LVI mitigation flag.
But you are able to open the mitigation by changing the Occlum build script. The Occlum Docker file is https://github.com/occlum/occlum/blob/master/tools/docker/Dockerfile.ubuntu20.04. Since Occlum depends on the Intel SGX SDK, the user is able to reference the Intel SGX SDK LVI mitigation toolchain to open it.
BTW: If you are using Intel SGX2 with the latest BIOS, you may not need the LVI mitigation.