Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-13 Thread Andy Lutomirski
On May 13, 2016 2:42 AM, "Dr. Greg Wettstein" wrote: > > On Sun, May 08, 2016 at 06:32:10PM -0700, Andy Lutomirski wrote: > > Good morning, running behind on e-mail this week but wanted to get > some reflections out on Andy's well taken comments and concerns. > > > On May 8,

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-13 Thread Dr. Greg Wettstein
On Sun, May 08, 2016 at 06:32:10PM -0700, Andy Lutomirski wrote: Good morning, running behind on e-mail this week but wanted to get some reflections out on Andy's well taken comments and concerns. > On May 8, 2016 2:59 AM, "Dr. Greg Wettstein" wrote: > > > > > > This now

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-12 Thread Dr. Greg Wettstein
On Mon, May 09, 2016 at 08:27:04AM +0200, Thomas Gleixner wrote: Good morning. > > On Fri, 6 May 2016, Jarkko Sakkinen wrote: > > I fully understand if you (and others) want to keep this standpoint but > > what if we could get it to staging after I've revised it with suggested > > > This should

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-06 Thread Andy Lutomirski
On Fri, May 6, 2016 at 4:23 AM, Jarkko Sakkinen wrote: > On Wed, Apr 27, 2016 at 10:18:05AM +0200, Ingo Molnar wrote: >> >> * Andy Lutomirski wrote: >> >> > > What new syscalls would be needed for ssh to get all this support? >> > >> > This

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-06 Thread Jarkko Sakkinen
On Wed, Apr 27, 2016 at 10:18:05AM +0200, Ingo Molnar wrote: > > * Andy Lutomirski wrote: > > > > What new syscalls would be needed for ssh to get all this support? > > > > This patchset or similar, plus some user code and an enclave to use. > > > > Sadly, on current

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-06 Thread Pavel Machek
On Fri 2016-05-06 01:52:04, Jarkko Sakkinen wrote: > On Mon, May 02, 2016 at 11:37:52AM -0400, Austin S. Hemmelgarn wrote: > > On 2016-04-29 16:17, Jarkko Sakkinen wrote: > > >On Tue, Apr 26, 2016 at 09:00:10PM +0200, Pavel Machek wrote: > > >>On Mon 2016-04-25 20:34:07, Jarkko Sakkinen wrote: > >

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-05 Thread Jarkko Sakkinen
On Mon, May 02, 2016 at 11:37:52AM -0400, Austin S. Hemmelgarn wrote: > On 2016-04-29 16:17, Jarkko Sakkinen wrote: > >On Tue, Apr 26, 2016 at 09:00:10PM +0200, Pavel Machek wrote: > >>On Mon 2016-04-25 20:34:07, Jarkko Sakkinen wrote: > >>>Intel(R) SGX is a set of CPU instructions that can be

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-04 Thread Pavel Machek
Hi! > Good morning, I hope everyone's day is starting out well. :-). Rainy day here. > > > In the TL;DR department I would highly recommend that anyone > > > interested in all of this read MIT's 170+ page review of the > > > technology before jumping to any conclusions :-) > > > Would you

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-04 Thread Dr. Greg Wettstein
On Tue, May 03, 2016 at 05:38:40PM +0200, Pavel Machek wrote: > Hi! Good morning, I hope everyone's day is starting out well. > > I told my associates the first time I reviewed this technology that > > SGX has the ability to be a bit of a Pandora's box and it seems to be > > following that

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-03 Thread Dr. Greg Wettstein
On May 2, 11:37am, "Austin S. Hemmelgarn" wrote: } Subject: Re: [PATCH 0/6] Intel Secure Guard Extensions Good morning, I hope the day is starting out well for everyone. > On 2016-04-29 16:17, Jarkko Sakkinen wrote: > > On Tue, Apr 26, 2016 at 09:00:10PM +0200, Pavel Machek

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-05-02 Thread Austin S. Hemmelgarn
On 2016-04-29 16:17, Jarkko Sakkinen wrote: On Tue, Apr 26, 2016 at 09:00:10PM +0200, Pavel Machek wrote: On Mon 2016-04-25 20:34:07, Jarkko Sakkinen wrote: Intel(R) SGX is a set of CPU instructions that can be used by applications to set aside private regions of code and data. The code

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-29 Thread Jarkko Sakkinen
On Tue, Apr 26, 2016 at 09:00:10PM +0200, Pavel Machek wrote: > On Mon 2016-04-25 20:34:07, Jarkko Sakkinen wrote: > > Intel(R) SGX is a set of CPU instructions that can be used by > > applications to set aside private regions of code and data. The code > > outside the enclave is disallowed to

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-29 Thread Jarkko Sakkinen
On Tue, Apr 26, 2016 at 09:00:10PM +0200, Pavel Machek wrote: > On Mon 2016-04-25 20:34:07, Jarkko Sakkinen wrote: > > Intel(R) SGX is a set of CPU instructions that can be used by > > applications to set aside private regions of code and data. The code > > outside the enclave is disallowed to

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-27 Thread Andy Lutomirski
On Apr 27, 2016 1:18 AM, "Ingo Molnar" wrote: > > > * Andy Lutomirski wrote: > > > > What new syscalls would be needed for ssh to get all this support? > > > > This patchset or similar, plus some user code and an enclave to use. > > > > Sadly, on current

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-27 Thread Ingo Molnar
* Andy Lutomirski wrote: > > What new syscalls would be needed for ssh to get all this support? > > This patchset or similar, plus some user code and an enclave to use. > > Sadly, on current CPUs, you also need Intel to bless the enclave. It looks > like > new CPUs

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-27 Thread Pavel Machek
Hi! > > > Preventing cold boot attacks is really just icing on the cake. The > > > real point of this is to allow you to run an "enclave". An SGX > > > enclave has unencrypted code but gets access to a key that only it can > > > access. It could use that key to unwrap your ssh private key and

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-26 Thread Pavel Machek
On Tue 2016-04-26 21:59:52, One Thousand Gnomes wrote: > > But... that will mean that my ssh will need to be SGX-aware, and that > > I will not be able to switch to AMD machine in future. ... or to other > > Intel machine for that matter, right? > > I'm not privy to AMD's CPU design plans. > >

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-26 Thread One Thousand Gnomes
> But... that will mean that my ssh will need to be SGX-aware, and that > I will not be able to switch to AMD machine in future. ... or to other > Intel machine for that matter, right? I'm not privy to AMD's CPU design plans. However I think for the ssl/ssh case you'd use the same interfaces

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-26 Thread One Thousand Gnomes
> Replay Protected Memory Block. It's a device that allows someone to > write to it and confirm that the write happened and the old contents > is no longer available. You could use it to implement an enclave that > checks a password for your disk but only allows you to try a certain > number of

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-26 Thread Andy Lutomirski
On Tue, Apr 26, 2016 at 12:41 PM, Pavel Machek wrote: > On Tue 2016-04-26 12:05:48, Andy Lutomirski wrote: >> On Tue, Apr 26, 2016 at 12:00 PM, Pavel Machek wrote: >> > On Mon 2016-04-25 20:34:07, Jarkko Sakkinen wrote: >> >> Intel(R) SGX is a set of CPU instructions

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-25 Thread Jarkko Sakkinen
On Mon, Apr 25, 2016 at 10:53:52AM -0700, Greg KH wrote: > On Mon, Apr 25, 2016 at 08:34:07PM +0300, Jarkko Sakkinen wrote: > > Intel(R) SGX is a set of CPU instructions that can be used by > > applications to set aside private regions of code and data. The code > > outside the enclave is

Re: [PATCH 0/6] Intel Secure Guard Extensions

2016-04-25 Thread Greg KH
On Mon, Apr 25, 2016 at 08:34:07PM +0300, Jarkko Sakkinen wrote: > Intel(R) SGX is a set of CPU instructions that can be used by > applications to set aside private regions of code and data. The code > outside the enclave is disallowed to access the memory inside the > enclave by the CPU access