An improvement to Intel SGX slated for Linux 6.18 is support for the EUPDATESVN instruction found on Intel CPUs since the Ice Lake generation. EUPDATESVN allows the security SVN version to be updated after run-time patching for Intel SGX vulnerabilities, avoiding a platform reboot.
Automatic SVN updates for Software Guard Extensions (SGX) enclaves with EUPDATESVN on Ice Lake CPUs and newer are intended to avoid the downtime of otherwise having to reboot the platform when updating the software for SGX vulnerabilities.
The prior patch series for this work explains:
“In case an SGX vulnerability is discovered and TCB recovery for SGX is triggered, Intel specifies a process that must be followed for a given vulnerability. Steps to mitigate can vary based on vulnerability type, affected components, etc. In some cases, a vulnerability can be mitigated via a runtime recovery flow by shutting down all running SGX enclaves, clearing enclave page cache (EPC), applying a microcode patch that does not require a reboot (via late microcode loading) and restarting all SGX enclaves.
Problem statement
-----------------
Even when the above-described runtime recovery flow to mitigate the SGX vulnerability is followed, the SGX attestation evidence will still reflect the security SVN version being equal to the previous state of security SVN (containing vulnerability) that created and managed the enclave until the runtime recovery event. This limitation currently can be only overcome via a platform reboot, which negates all the benefits from the rebootless late microcode loading and is not required in this case for functional or security purposes.
Proposed solution
-----------------
SGX architecture introduced a new instruction called EUPDATESVN to Ice Lake. It allows updating security SVN version, given that EPC is completely empty. The latter is required for security reasons in order to reason that enclave security posture is as secure as the security SVN version of the TCB that created it.
This series enables opportunistic execution of EUPDATESVN upon first EPC page allocation for a first enclave to be run on the platform.”
These patches are now queued into tip/tip.git’s x86/sgx branch. With the patches now in a TIP branch, they should be submitted for the upcoming Linux 6.19 merge window.
Yes, Intel Xeon Ice Lake processors are approaching five years of age, and these Linux kernel patches for EUPDATESVN usage have been a long time coming. They’ve been worked on by multiple Intel Linux developers over time and went through 17 rounds of patch review before reaching a form that can make it into the mainline Linux kernel, if all goes well for Linux 6.19.
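The small C model below is an added illustration of the flow the quoted cover letter describes. It is not code from the patch series or the kernel. It shows why the attested SVN stays stale after a late microcode load unless the EPC is empty when the next enclave starts. The struct, the function names and the SVN values 1 and 2 are assumptions made up for the example.

```c
/* Added model of the flow in the quoted cover letter; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct platform {
    unsigned ucode_svn;    /* security SVN of the loaded microcode */
    unsigned attested_svn; /* security SVN shown in attestation evidence */
    unsigned epc_pages;    /* EPC pages currently allocated to enclaves */
};

/* Models EUPDATESVN: refuses to update unless the EPC is completely empty. */
static bool eupdatesvn(struct platform *p)
{
    if (p->epc_pages != 0)
        return false;
    p->attested_svn = p->ucode_svn;
    return true;
}

/* Opportunistic call on the first EPC page allocation, as the series does. */
static void epc_alloc(struct platform *p)
{
    if (p->epc_pages == 0)
        eupdatesvn(p);
    p->epc_pages++;
}

/* Returns the SVN the next enclave attests to after a late microcode load
 * (constructed values: SVN 1 -> 2), with or without emptying the EPC first. */
static unsigned svn_after_recovery(bool shut_down_enclaves)
{
    struct platform p = { .ucode_svn = 1, .attested_svn = 1, .epc_pages = 0 };

    epc_alloc(&p);             /* an enclave is running on the old TCB */
    if (shut_down_enclaves)
        p.epc_pages = 0;       /* all enclaves stopped, EPC cleared */
    p.ucode_svn = 2;           /* late microcode load, no reboot */
    epc_alloc(&p);             /* next enclave starts */
    return p.attested_svn;
}

int main(void)
{
    printf("EPC still in use: attested SVN %u\n", svn_after_recovery(false));
    printf("EPC emptied:      attested SVN %u\n", svn_after_recovery(true));
    return 0;
}
```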
