SGX support in BIOS

[fvolk]

The J4105 CPU on the H2 should possibly be able to support SGX according to Intel: https://ark.intel.com/content/www/us/en ... 0-ghz.html

Testing this with https://github.com/ayeks/SGX-hardware reports:

sgx available: 1
sgx 1 supported: 0
sgx 2 supported: 0

...which means according to the docs of the utility that the CPU is capable, but BIOS support is missing.
Searching in the "CPU configuration" of the H2 BIOS, there is no option to enable/disable SGX?

The H2 would be a very nice&cheap node for executing security code, is it possible to add the missing SGX enablement code to the next H2 BIOS release?
(and afair 4K streams from Netflix etc. require also SGX for security, but someone else surely knows more about this?)

[odroid]

We need to learn what it is first.

I don't think Netflix 4K is related to the SGX since Windows + Edge browser can play Netflix 4K videos.

[fvolk]

SGX protects an application's secrets from the rest of the system.
So in video playback it protects the decryption stuff from evil piracy - in theory.
Therefore SGX is sometimes required for very high resolution playback, e.g see
https://www.cyberlink.com/support/faq-c ... o?id=19144

What are the minimum system requirements for Ultra HD Blu-ray movie playback?
To support Ultra HD Blu-ray movie disc playback on the PC, several new technologies are required.
[...]
CPU
[...]
Intel 7th generation (Kaby Lake) Core i processors and above that support the Intel Software Guard Extensions (Intel SGX) technology.

[fvolk]

We need to learn what it is first.

Any news?

[odroid]

We tested Netflix 4K video output on the latest Edge browser and it worked fine.
viewtopic.php?f=178&t=36533#p271042

[fvolk]

I'm sorry that I suggested the Netflix example without testing it with current software myself.
Nevertheless there is software that needs SGX for security reasons (see e.g. my other link).

So I guess that this enablement in BIOS would require an investment from you and as long as there is no (or more) interest by customers you will not do it, a rational financial decision?

[odroid]

There is no such option in the BIOS build manual. (or we could not find it).
Anyway, do you have an example of Blue-ray video service site we can try here?
Is there any specific video player software which requires the SGX stuff?
Should we buy the PowerDVD 19Ultra and try it?

[fvolk]

Mh.... maybe the Intel Ark link is right...

Intel® Software Guard Extensions (Intel® SGX): Yes with Intel® ME

...you probably also need more from the ME support.

No, you don't need to purchase.
UHD video is just one mainstream application,
I would want to evaluate it for something else security related and a H2 as a small+cheap SGX capable node would be a nice fit there.
Sorry, cannot tell publicly about that project :-/

Thanks for investigating.

[domih]

@odroid:

If one day, you want to go ahead with this in a future board revision, read:

https://plundervolt.com/
https://www.bing.com/search?q=Intel+Iss ... '+SGX+Flaw

Anyway as Ark Intel says "Yes with Intel® ME" and you do not use an Intel chipset on the H2 board so that pretty much closes the case. Note that Intel ME also had a troubled history with security exploits (https://en.wikipedia.org/wiki/Intel_Man ... rabilities.) I truly believe it still has zero day exploits unknown to the "normal people", myself included, to the great joy of the NSA, GCHQ, FSB, our Chinese friends and other governmental organizations with enough money to search for zero days and/or to buy them from security companies specialized in finding them.

No SGX + no ME = less attack surface.

[fvolk]

ah, it's that CCC time of the year again...

Overall to remember is, if certain technologies or approaches are attackable under certain specific circumstances that does not make them instantly dispensable as a whole. For example, first attacks on SHA1 have been demonstrated, but its still in productive use in Git and other scenarios.
And if one has physical access to a machine (e.g. the owner itself), or is motivated (a computer science student with free time), with a few dollars of hardware components many of the security concepts for the PC platform can be attacked.

I just think the H2 formfactor would have been nice for playing with SGX. Whether I would also use a H2 in a real deployment has to evaluated later, separately.