SGX support in BIOS

fvolk
Posts: 453
Joined: Sun Jun 05, 2016 11:04 pm
languages_spoken: english
ODROIDs: C2, C4, H2
Has thanked: 0
Been thanked: 41 times
Contact:

SGX support in BIOS

Post by fvolk »

The J4105 CPU on the H2 should possibly be able to support SGX according to Intel: https://ark.intel.com/content/www/us/en ... 0-ghz.html

Testing this with https://github.com/ayeks/SGX-hardware reports:
sgx available: 1
sgx 1 supported: 0
sgx 2 supported: 0
...which means according to the docs of the utility that the CPU is capable, but BIOS support is missing.
Searching in the "CPU configuration" of the H2 BIOS, there is no option to enable/disable SGX?

The H2 would be a very nice&cheap node for executing security code, is it possible to add the missing SGX enablement code to the next H2 BIOS release?
(and afair 4K streams from Netflix etc. require also SGX for security, but someone else surely knows more about this?)
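The three values quoted in the post above correspond to CPUID feature bits defined in the Intel SDM. As an added example (not part of the original post and not the SGX-hardware utility's own code), this C program decodes them into a status. The names `sgx_decode`, `sgx_state_str` and the enum are hypothetical, chosen for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

enum sgx_state { SGX_NO_CPU_SUPPORT, SGX_NOT_ENABLED, SGX1_READY, SGX2_READY };

/* Decode raw CPUID register values (bit positions from the Intel SDM):
 *   leaf7_ebx  = CPUID.(EAX=07H,ECX=0):EBX   bit 2: CPU implements SGX
 *   leaf12_eax = CPUID.(EAX=12H,ECX=0):EAX   bit 0: SGX1, bit 1: SGX2 */
enum sgx_state sgx_decode(uint32_t leaf7_ebx, uint32_t leaf12_eax)
{
    if (!(leaf7_ebx & (1u << 2)))
        return SGX_NO_CPU_SUPPORT;
    if (!(leaf12_eax & (1u << 0)))
        return SGX_NOT_ENABLED;   /* the "available: 1, sgx 1: 0" case above */
    return (leaf12_eax & (1u << 1)) ? SGX2_READY : SGX1_READY;
}

const char *sgx_state_str(enum sgx_state s)
{
    switch (s) {
    case SGX_NO_CPU_SUPPORT: return "CPU does not implement SGX";
    case SGX_NOT_ENABLED:    return "CPU implements SGX, but it is not enabled";
    case SGX1_READY:         return "SGX1 usable";
    case SGX2_READY:         return "SGX1 and SGX2 usable";
    }
    return "unknown";
}

int main(void)
{
    uint32_t l7 = 0, l12 = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        l7 = b;
    /* Leaf 12H is only meaningful when leaf 7 reports the SGX bit. */
    if ((l7 & (1u << 2)) && __get_cpuid_count(0x12, 0, &a, &b, &c, &d))
        l12 = a;
#endif
    printf("sgx available: %u, sgx1: %u, sgx2: %u -> %s\n",
           (l7 >> 2) & 1, l12 & 1, (l12 >> 1) & 1,
           sgx_state_str(sgx_decode(l7, l12)));
    return 0;
}
```

Build with GCC or Clang on the target machine; on a non-x86 host it reports no CPU support.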

odroid
Site Admin
Posts: 34922
Joined: Fri Feb 22, 2013 11:14 pm
languages_spoken: English, Korean, Japanese
ODROIDs: ODROID
Has thanked: 957 times
Been thanked: 773 times
Contact:

Re: SGX support in BIOS

Post by odroid »

We need to learn what it is first.

I don't think Netflix 4K is related to the SGX since Windows + Edge browser can play Netflix 4K videos.


Re: SGX support in BIOS

Post by fvolk »

SGX protects an application's secrets from the rest of the system.
So in video playback it protects the decryption stuff from evil piracy - in theory.
Therefore SGX is sometimes required for very high resolution playback, e.g. see
https://www.cyberlink.com/support/faq-c ... o?id=19144
What are the minimum system requirements for Ultra HD Blu-ray movie playback?
To support Ultra HD Blu-ray movie disc playback on the PC, several new technologies are required.
[...]
CPU
[...]
Intel 7th generation (Kaby Lake) Core i processors and above that support the Intel Software Guard Extensions (Intel SGX) technology.


Re: SGX support in BIOS

Post by fvolk »

odroid wrote: We need to learn what it is first.
Any news? :-)


Re: SGX support in BIOS

Post by odroid »

We tested Netflix 4K video output on the latest Edge browser and it worked fine.
viewtopic.php?f=178&t=36533#p271042


Re: SGX support in BIOS

Post by fvolk »

I'm sorry that I suggested the Netflix example without testing it with current software myself.
Nevertheless there is software that needs SGX for security reasons (see e.g. my other link).

So I guess that this enablement in BIOS would require an investment from you and as long as there is no (or more) interest by customers you will not do it, a rational financial decision?


Re: SGX support in BIOS

Post by odroid »

There is no such option in the BIOS build manual (or we could not find it).
Anyway, do you have an example of a Blu-ray video service site we can try here?
Is there any specific video player software which requires the SGX stuff?
Should we buy the PowerDVD 19 Ultra and try it?


Re: SGX support in BIOS

Post by fvolk »

Mh.... maybe the Intel Ark link is right...
Intel® Software Guard Extensions (Intel® SGX): Yes with Intel® ME
...you probably also need more from the ME support.

No, you don't need to purchase.
UHD video is just one mainstream application,
I would want to evaluate it for something else security related and a H2 as a small+cheap SGX capable node would be a nice fit there.
Sorry, cannot tell publicly about that project :-/

Thanks for investigating.

domih
Posts: 285
Joined: Mon Feb 11, 2019 4:48 pm
languages_spoken: English, French
ODROIDs: UX4, HC2, N2, H2, C4, H2+
Location: San Francisco Bay Area
Has thanked: 92 times
Been thanked: 108 times
Contact:

Re: SGX support in BIOS

Post by domih »

@odroid:

If one day, you want to go ahead with this in a future board revision, read:

https://plundervolt.com/
https://www.bing.com/search?q=Intel+Iss ... '+SGX+Flaw

Anyway as Ark Intel says "Yes with Intel® ME" and you do not use an Intel chipset on the H2 board so that pretty much closes the case. Note that Intel ME also had a troubled history with security exploits (https://en.wikipedia.org/wiki/Intel_Man ... rabilities.) I truly believe it still has zero day exploits unknown to the "normal people", myself included, to the great joy of the NSA, GCHQ, FSB, our Chinese friends and other governmental organizations with enough money to search for zero days and/or to buy them from security companies specialized in finding them.

No SGX + no ME = less attack surface.


Re: SGX support in BIOS

Post by fvolk »

ah, it's that CCC time of the year again... :-)

Overall to remember is, if certain technologies or approaches are attackable under certain specific circumstances, that does not make them instantly dispensable as a whole. For example, first attacks on SHA1 have been demonstrated, but it's still in productive use in Git and other scenarios.
And if one has physical access to a machine (e.g. the owner itself), or is motivated (a computer science student with free time), with a few dollars of hardware components many of the security concepts for the PC platform can be attacked.

I just think the H2 form factor would have been nice for playing with SGX. Whether I would also use a H2 in a real deployment has to be evaluated later, separately.
