A Memory Encryption Engine Suitable for General Purpose Processorsfleeting
- External reference: @cryptoeprint:2016:204
The whitepaper at the origin of the mee.
About the security of SGX
(sgx) run software in a trustworthy manner and to handle secrets.
adversary has full control of the system, and the software running on it at any privilege level, and can read or modify the contents of the DRAM
assumption that the security perimeter includes only the internals of the CPU package, and in particular, leaves the DRAM untrusted.
only components that SGX trusts are the CPU internals
SGX requires memory protection […] requires that the confidentiality of CPU-DRAM traffic (within the relevant regions) is protected.
in order to trust an enclave’s cryptographic identity, its intended execution flow, and the attestation protocol, the DRAM (at least part of) must be tamper resistant
Or the attacker could change the attested memory just after the security checks are done. This is why
replay prevention is critical
The role of the MEE
supported by an autonomous hardware unit called the Memory Encryption Engine (MEE), whose role is to protect the confidentiality, integrity, and freshness of the CPU-DRAM traffic over some memory range
(this document) explains how this hardware (MEE) component of SGX works
The design of the MEE
some on-die SRAM array that serves as the root of the tree.
How it works
MEE operates as an extension of the MC (NDR: memory controller), taking over the cache-DRAM traffic that points to what is called the “Protected” data region. An additional portion of the memory, called the “seized” region, accommodates the MEE’s integrity tree.
Read/write requests to the protected region are routed by the MC to the MEE that encrypts (decrypts) the data before sending (fetching) it to (from) the DRAM
range of physical addresses that is fixed to some size at boot time (the default size is 128MB), in a trustworthy way.
I understand that the Protected data region is the so called processor reserved memory.
About the integrity tree.
Trusting only the internally stored root of the tree, that cannot be modified by an adversary, is sufficient. […] successful forgery needs to pass the MAC tag check with an unmodified nonce for at least one location on the tree.
The MEE integrity tree uses a stateful MAC with nonces
A simplified tree model […] the MEE data structure.
requires the encryption scheme to use a non repeating location-time tweak. The MEE uses a compound nonce where the spatial coordinate of a unit is its address, and its temporal coordinate is a dedicated per-unit counter
About the cryptography
The MEE encryption scheme is a “tweaked” AES Counter Mode
Against replay attack
The preemptive check is crucial […] This allows a successful replay (NDR: attack)
Non-repeating compound nonces. The tree updating must assure that nonces do not repeat. […] The MEE uses a […] “compound nonce” construction.[…] a) a unique “spatial coordinate” (address) of the data unit; b) a per-unit counter which is a “temporal coordinate”.
The MEE uses a compound nonce where the spatial coordinate of a unit is its address, and its temporal coordinate is a dedicated per-unit counter.
equal plaintext blocks that are encrypted to different addresses and/or at different points in time, should not translate to equal ciphertext blocks.
Two dimensional nonce (spatial and temporal) to make sure the encrypted data is always different.
the MEE imposes performance degradation that varies from 2.2% to 14%, with an average of 5.5%
cryptographic measurement (SHA-256 digest)
Is it the same measurement as the one in the enclave measurement?