After deprecation, Intel's SGX technology is still messing with users' security

Alfonso Maruccia

Facepalm: Intel decided to drop the in-chip enclave technology known as Software Guard Extensions (SGX), best known to consumers as the DRM requirement for UHD Blu-ray playback, from its latest client CPUs, but the technology is still being used and developed on server and cloud processors in the Xeon line. Its bugs and security flaws are still there as well.

Just in time for Microsoft's Patch Tuesday for February 2023, Intel released 31 new security advisories for its processor technology on February 14. Some of those advisories cover the SGX CPU extensions, with five different CVE-listed security vulnerabilities found in Xeon processors, Core processors, and the official SGX Software Development Kit (SDK).

Two of the aforementioned SGX vulnerabilities concern a potential privilege escalation that could disclose sensitive data, which is exactly the kind of security issue the SGX extensions were designed to defeat by isolating code and data in encrypted memory regions known as "enclaves."

The CVE-2022-38090 vulnerability has been classified with a "medium" CVSS severity level. According to Intel, it is an "improper isolation of shared resources" issue in some CPUs when using SGX enclaves, which could allow a potential information disclosure via local access. The affected processors include the 9th and 10th Gen Core lines (the last client CPUs to support SGX applications) as well as 3rd Gen Xeon Scalable and Xeon D server CPUs.

Furthermore, the CVE-2022-33196 vulnerability concerns "incorrect default permissions" in some memory controller configurations, which could allow a privileged user to enable escalation of privilege via local access. This particular bug has a "high" severity rating, and it only affects server-class processors belonging to the 3rd Gen Xeon Scalable and Xeon D lines.

Other SGX-related bugs were found by security researchers in the official SGX SDK, where an "improper conditions check" (CVE-2022-26509) and "insufficient control flow management" (CVE-2022-26841) could lead to a potential information disclosure via local access. These two vulnerabilities have a "low" severity rating, and they have already been resolved with a new SDK software update for Windows and Linux platforms.

As for the CPU-related SGX bugs, Intel recommends installing the latest available firmware (microcode) updates to avoid potential issues and strengthen system or server security. Firmware updates also matter for non-SGX-related vulnerabilities, as Intel's February security advisories provide fixes for a high-rated escalation of privilege bug in Intel Server Platform Services (SPS) (CVE-2022-36348), a high-rated escalation of privilege flaw via adjacent network access on 3rd Gen Xeon Scalable processors, and more.
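The practical follow-up to "install the latest firmware" is knowing which machines in a fleet actually expose SGX and what microcode revision they currently run. The script below is an added example written for this page, not Intel's tooling or code from the article: it parses the Linux /proc/cpuinfo format, reports whether the kernel saw the `sgx` CPUID flag, and compares the reported microcode revision with a minimum the caller supplies. The sample input is constructed for illustration (its model, stepping and microcode values are not captured from a real machine), and no fixed microcode revision is hard-coded, because the revision that closes a given advisory has to be read from Intel's advisory and microcode release notes for that specific SKU.

```python
"""Inventory SGX exposure and microcode level from /proc/cpuinfo text.

Added example for this page; not Intel's tooling. Assumptions: the input
follows the Linux /proc/cpuinfo layout (one block per logical CPU, blank
line separated), the `sgx` flag means the kernel enabled SGX at boot, and
the minimum microcode revision is supplied by the caller from the vendor
advisory for that SKU.
"""
import os
from typing import Dict, List

# Constructed sample in /proc/cpuinfo format (two logical CPUs, trimmed to
# the fields this script reads). Values are illustrative, not real captures.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 165
model name\t: Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz
stepping\t: 3
microcode\t: 0xf0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sgx sgx_lc

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 165
model name\t: Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz
stepping\t: 3
microcode\t: 0xf0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sgx sgx_lc
"""


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo text into one key/value dict per logical CPU."""
    cpus: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():           # blank line ends a processor block
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:                        # file may not end with a blank line
        cpus.append(current)
    return cpus


def has_sgx(cpu: Dict[str, str]) -> bool:
    """True when the kernel exported the `sgx` feature flag for this CPU."""
    return "sgx" in cpu.get("flags", "").split()


def microcode_revision(cpu: Dict[str, str]) -> int:
    """Microcode revision as an integer (cpuinfo prints it as hex, e.g. 0xf0)."""
    return int(cpu.get("microcode", "0x0"), 16)


def assess(text: str, minimum_microcode: int) -> List[Dict[str, object]]:
    """Per-CPU report: SGX exposure plus whether microcode is below the minimum.

    `minimum_microcode` is an assumption supplied by the caller (the fixed
    revision from the vendor advisory); a CPU without SGX is never flagged,
    since the SGX advisories do not apply to it.
    """
    report: List[Dict[str, object]] = []
    for cpu in parse_cpuinfo(text):
        rev = microcode_revision(cpu)
        sgx = has_sgx(cpu)
        report.append({
            "processor": cpu.get("processor"),
            "model_name": cpu.get("model name"),
            "sgx": sgx,
            "microcode": rev,
            "below_minimum": sgx and rev < minimum_microcode,
        })
    return report


def exposed_count(report: List[Dict[str, object]]) -> int:
    """Number of logical CPUs that have SGX enabled and outdated microcode."""
    return sum(1 for entry in report if entry["below_minimum"])


if __name__ == "__main__":
    # Read the live file on Linux, otherwise fall back to the constructed sample.
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    # 0xf2 is a placeholder minimum for the demo, not a real fixed revision.
    for entry in assess(text, minimum_microcode=0xF2):
        print(entry)
```

The `sgx` flag reflects what the kernel saw at boot, so a platform whose firmware has SGX disabled will normally not show it, and the absence of the flag is itself useful inventory data. Run the script under sudo-less normal privileges; /proc/cpuinfo is world-readable.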


 
It is. You just need to remove the protection with a filtering driver like AnyDVD HD (plus a compatible "libre" Blu-ray drive). No protection = no need for SGX at all, on whatever processor or display resolution you want.
Yeah, that's how I've been doing it; imported a Pioneer 4K drive from Japan that works perfectly.

My point really was, how can you deprecate a technology that is required for something as basic as reading a Blu-ray? I'm all for seeing SGX get the boot as it was a rubbish idea from the beginning, but surely 4K Blu-rays should now just have to find a way of removing the SGX requirement?
 
Both of you probably have a better understanding of it than I do; however, I contacted the makers of PowerDVD, and from what they said, it is the Blu-ray Forum that set the requirement for SGX, in that in order to be licensed UHD Blu-ray playback software, the playback software itself (in this case PowerDVD) needed to use the SGX extensions. In fact, on the PowerDVD website, as of Intel's announcement that they were canning SGX, PowerDVD's hardware requirements still listed the previous generation of Intel hardware as required for UHD BR playback.

That said, as a software developer, it sounds to me like SGX is required if you want to make Blu-ray Forum licensed UHD BR playback software, which, of course, Intel processors released after SGX was canned by Intel will not have.

AMD has an equivalent unit in their processors. It would be up to the Blu-ray Forum to change the requirement for licensed software players to use the means in AMD processors.

As far as the libre-firmware modified UHD Blu-ray drives go, I am not sure of the exact mechanics of the mechanism in the stock firmware; however, the modified libre firmware allows direct access to the data on UHD discs without going through the same path that the stock drive firmware does. To me, it sounds like it is some sort of decryption mechanism built into "certified" firmware. So, since that is gone in libre firmware, software like AnyDVD HD can basically read the raw data from the drive on UHD discs, and thus such modified drives are able to "play back" UHD discs without being kneecapped by the drive's official firmware. To me, this indicates that SGX has/had nothing to do with the reads from UHD drives, and it was only necessary in Blu-ray Forum licensed UHD playback software like PowerDVD.

If my understanding is incorrect, please feel free to educate me.

Side note: The SGX bug "Plundervolt" caused SGX-equipped procs to dump UHD Blu-ray keys if the SGX-equipped procs were undervolted.
 
My point really was, how can you deprecate a technology that is required for something as basic as reading a Blu-ray?

From memory, it was because it caused more problems than it solved thanks to exploits/vulnerabilities of SGX. That, and so few people actually watch UHD discs on a computer, in part due to needing a 7th-10th gen Intel CPU and a suitable drive. Considering that most computers with optical drives never had standard Blu-ray drives in the first place (my retail copy of GTA V came with 10x DVDs), I guess Intel decided it would be better for security to just remove the attack vector and tell anyone who wants to watch UHD discs on a computer to think of an alternative. And a $250 Xbox One S did that for less than the cost of a UHD drive and a copy of PowerDVD Ultra. And that's before we even touch streaming, which for the majority of people is probably the preferred option.

I have 2 PCs on 10th Gen Intel, 1x 10400 & 1x 10700K (on B560 & Z490 boards). While both computers support SGX and I could get UHD playback to work, I see little point in bothering... though it might just help keep my CPUs from depreciating as much as I would have otherwise expected.
 