SGX: Enable basic Key Separation and Sharing Support #3054

Closed
bodzhang opened this issue May 19, 2020 · 2 comments · Fixed by #3700
Labels: attestation, SGX, triaged

bodzhang (Collaborator):

Intel's Icelake CPU (10nm Gen 10 Core) adds the SGX Key Separation and Sharing (KSS) feature. The feature is enumerated in CPUID.(EAX=12H, ECX=1).EAX.KSS[7]. This feature introduces new fields in multiple SGX data structures. The Table/Section references used below refer to Intel's Software Developer's Manual.

  • ISVFAMILYID: ISV assigned 16-byte Product Family ID, at SW build time, in SIGSTRUCT(Table 37-19). It's reflected in REPORT(Table 37-21)

  • ISVEXTPRODID: ISV assigned 16-byte extended Product ID, in addition to the ISV assigned 2-byte ISVPRODID, at SW build time, in SIGSTRUCT. It's reflected in REPORT.

  • CONFIGID (Section 38.4.1.3): SGX runtime SW specified 32-byte configuration identifier, at Enclave creation time, in SECS (Table 37-2). It's reflected in REPORT and must be filled in TARGETINFO (Table 37-22). CONFIGID is intended to allow the enclave creator to indicate what additional content may be accepted by the enclave post enclave initialization, whose exact usage depends on the enclave implementation.

  • CONFIGSVN (Section 38.4.2.3): SGX runtime SW specified 2-byte security version number to pair with CONFIGID, at Enclave creation time, in SECS. It's reflected in REPORT and must be filled in TARGETINFO. CONFIGSVN can be used in case the CONFIGID does not fully reflect the identity of the additional content that may be accepted by the enclave post enclave initialization, for example, CONFIGID as the hash of the signing key for verifying the additional content.

  • KEYREQUEST (Table 37-23) and KEYPOLICY (Table 37-25) are extended to allow selection of CONFIGSVN, ISVPRODID, CONFIGID, ISVFAMILYID, ISVEXTPRODID, and exclusion of ISVPRODID as part of Enclave Seal or Provisioning Seal key derivation (Table 40-64).

  • KSS bit in ATTRIBUTES (Table 37-3): If SECS.ATTRIBUTES.KSS is set, the KSS feature is enabled. If KSS is disabled, ISVFAMILYID, ISVEXTPRODID, CONFIGID, CONFIGSVN in SIGSTRUCT and SECS must be all-zeros, the KSS bit must not be set in ATTRIBUTES, and KEYREQUEST/KEYPOLICY must not specify mixing them into Enclave Seal or Provisioning Seal key derivation. The KSS bit in SIGSTRUCT.ATTRIBUTES and SIGSTRUCT.ATTRIBUTEMASK decides whether the enclave requires the KSS feature. The EINIT instruction makes sure SECS.ATTRIBUTES & SIGSTRUCT.ATTRIBUTEMASK = SIGSTRUCT.ATTRIBUTES & SIGSTRUCT.ATTRIBUTEMASK (EINIT instruction section). So setting SIGSTRUCT.ATTRIBUTES.KSS = SIGSTRUCT.ATTRIBUTEMASK.KSS = 1 means the Enclave must be initialized with SECS.ATTRIBUTES.KSS = 1.

OE SDK can enable the basic KSS support, to allow the ISVs to leverage the ISVFAMILYID, ISVEXTPRODID for more flexibility in the Enclave identity management scheme, and lay the foundation for future support of loading dynamic code/data after enclave initialization through CONFIGID/CONFIGSVN, for example, loading a Java Applet into a Java Runtime enclave, while reflecting the loaded Java Applet identity in the Enclave identity reported in the Enclave REPORT.

For the basic KSS support, changes are required in the following OE SDK components:

  • SGX data structure definition to include KSS related fields.

  • Development tool to allow ISV to specify ISVFAMILYID, ISVEXTPRODID, and whether KSS feature is required by the Enclave through the KSS bit in SIGSTRUCT.ATTRIBUTES and SIGSTRUCT.ATTRIBUTEMASK, in SIGSTRUCT.

  • Enclave loader to detect whether the system supports KSS, to parse the Enclave SIGSTRUCT.ATTRIBUTES and SIGSTRUCT.ATTRIBUTEMASK and decide whether to enable KSS (SECS.ATTRIBUTES.KSS bit), to set default CONFIGID/CONFIGSVN in SECS (before full support of loading dynamic code/data after enclave initialization, CONFIGID/CONFIGSVN should default to 0).

  • The code that fills TARGETINFO to include CONFIGID/CONFIGSVN fields from REPORT.

  • EGETKEY wrapper code to allow selection of CONFIGSVN, ISVPRODID, CONFIGID, ISVFAMILYID, ISVEXTPRODID, and exclusion of ISVPRODID as part of Enclave Seal or Provisioning Seal key derivation.

  • Any Enclave identity check policy sample code to include ISVFAMILYID, ISVEXTPRODID, CONFIGID, CONFIGSVN in the policy.

Intel's SGX SDK already has the basic KSS support and can be used as reference for the implementation in the OE SDK.
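The loader decision and the EINIT consistency rules described above, as an added example that is not OE SDK or Intel SDK code: it models a KSS-only view of SIGSTRUCT and SECS (hypothetical layouts), checks the CPUID.(EAX=12H, ECX=1).EAX bit 7 value the issue names, and assumes the KSS flag sits at bit 7 of ATTRIBUTES.FLAGS as in Intel's SGX SDK headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CPUID.(EAX=12H,ECX=1).EAX.KSS[7] is from the issue; ATTRIBUTES.FLAGS bit 7 for KSS
 * follows Intel SGX SDK's SGX_FLAGS_KSS and is an assumption of this example. */
#define CPUID_12_1_EAX_KSS (1u << 7)
#define SGX_ATTR_KSS       (1ULL << 7)

/* Hypothetical KSS-only views of SIGSTRUCT and SECS, not the real layouts. */
typedef struct {
    uint64_t attributes, attributemask;
    uint8_t  isvfamilyid[16], isvextprodid[16];
} sigstruct_kss_t;
typedef struct {
    uint64_t attributes;
    uint8_t  configid[32];
    uint16_t configsvn;
} secs_kss_t;

enum { KSS_OK = 0, KSS_ERR_CPU_UNSUPPORTED, KSS_ERR_ATTR_MISMATCH, KSS_ERR_NONZERO_KSS_FIELDS };

static bool all_zero(const uint8_t *p, size_t n) { while (n--) if (*p++) return false; return true; }

/* Loader step: KSS is required only when SIGSTRUCT.ATTRIBUTES.KSS and ATTRIBUTEMASK.KSS are
 * both set; an optional KSS bit is dropped on CPUs without KSS. CONFIGID/CONFIGSVN stay 0. */
int kss_loader_prepare_secs(const sigstruct_kss_t *sig, uint32_t cpuid_12_1_eax, secs_kss_t *secs)
{
    bool cpu_kss  = (cpuid_12_1_eax & CPUID_12_1_EAX_KSS) != 0;
    bool required = (sig->attributes & sig->attributemask & SGX_ATTR_KSS) != 0;
    if (required && !cpu_kss) return KSS_ERR_CPU_UNSUPPORTED;
    memset(secs, 0, sizeof *secs);          /* CONFIGID = 0, CONFIGSVN = 0 */
    secs->attributes = sig->attributes;     /* simplified: take the signed attributes */
    if (!cpu_kss) secs->attributes &= ~SGX_ATTR_KSS;
    return KSS_OK;
}

/* EINIT-style check: SECS.ATTRIBUTES & MASK == SIGSTRUCT.ATTRIBUTES & MASK, and with KSS
 * off every KSS field in SIGSTRUCT and SECS must be all-zeros. */
int kss_einit_check(const secs_kss_t *secs, const sigstruct_kss_t *sig)
{
    if ((secs->attributes & sig->attributemask) != (sig->attributes & sig->attributemask))
        return KSS_ERR_ATTR_MISMATCH;
    if (!(secs->attributes & SGX_ATTR_KSS) &&
        (!all_zero(sig->isvfamilyid, 16) || !all_zero(sig->isvextprodid, 16) ||
         !all_zero(secs->configid, 32) || secs->configsvn != 0))
        return KSS_ERR_NONZERO_KSS_FIELDS;
    return KSS_OK;
}
```

A real loader also masks the signed attributes against what the platform allows; this model keeps only the KSS decision so the three failure modes stay visible.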

@dthaler dthaler added the SGX Tag indicating associated with Intel SGX label May 19, 2020
@mingweishih mingweishih self-assigned this May 19, 2020
@radhikaj radhikaj added the core Issue is related to the core design of Open Enclave and its default 3rd party libs label Jun 1, 2020
@radhikaj radhikaj added triaged This label classifies an issue/PR as having been triaged. and removed core Issue is related to the core design of Open Enclave and its default 3rd party libs labels Jun 1, 2020
@radhikaj radhikaj added this to the Backlog milestone Jun 1, 2020
@radhikaj radhikaj added the attestation Related to attestation label Jun 1, 2020
radhikaj (Contributor):

Fixed in #3799

yentsanglee (Contributor):

Fixed in #3985
