It seems like SGX is intertwined with the Intel Management Engine, Chapter 4 in Joanna Rutkowska's "Intel x86 considered harmful"[1] (pp. 35) goes in-depth on the potential issues with Intel ME.
That same book has some light discussion on SGX (pp. 20) but it seems like, if you are concerned about ME eavesdropping, SGX wouldn't stop that (at least as of October 2015). If you are feeling paranoid but want an Intel chip, I would recommend you choose the pre-vPro/AMT systems (sandybridge or earlier, iirc). I tend to think Intel ME is a very real risk for some users and will remain so until users are more empowered to dictate it's operation and until there are good public audits of it's code, and most importantly, the ability to disable it. Hopefully in a couple years we will have access to good quality laptops running on RISC-V. [1]: http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf -- 0x7D964D3361142ACF On Tue, Feb 23, 2016, at 15:34, Frank Steinmetzger wrote: > Hello list > > so I was about to treat myself to a new Thinkpad. After malware, backdoor > and BIOS rootkit stories at Lenovo’s (which to my knowledge were all > Windows-only problems) I already started looking elsewhere and even > considered bying a used model which existed before all this modern crap > came > along, but always came back yet for lack of better alternatives. > > Today the new Skylake lineup which I’ve been awaiting since January > finally > appeared in the Lenovo online shop. Conincidentally also today¹, I found > out > about the next thing since TPM, Secure Boot & Co: the SGX (Software Guard > Extension) instruction set which is part of all Skylake chips². > > The way I understood it is that it can be used to create private areas in > memory that are inaccessible to any other program, even the operating > system. Since it’s based on cryptographic signatures and Intel being the > sole supplier of licences and signature keys, there are those who fear > that > Intel will – over time – gain unparalleled control over what we can and > cannot run on our machines and that we will not be able to check what > runs > on our systems anymore. (Well, such fears are not really new to begin > with). > > > Infos are spare b/c it just hit the market a short wile ago, and I’m no > expert by far. Thus I seek guidance. With states and corporations > sniffing > at our every step as they are already, can I – in your considered opinion > – > still buy a Skylake device with good concience? > > Am I seeing things too bleak in the context of constant attacks on open > systems which – when puzzled together – give a horrible picture of our > future in a society that doesn’t care as long as Facebook works? > > Or don’t I have to worry about it because this will only play a role in > the > walled gardens of contemporary commercial consuming interfaces (formerly > known as operating systems, AKA Windows) or servers? > > > Ew, I wanted to ask a simple question. Instead, I needed 30 minutes to > write > half a short story. Sorry and thanks for your time. > > > ¹ German news article: > > http://www.heise.de/security/meldung/Kritik-an-Intels-Sicherheits-Architektur-Software-Guard-Extensions-3089439.html > ² https://en.wikipedia.org/wiki/Software_Guard_Extensions > -- > Gruß | Greetings | Qapla’ > Please do not share anything from, with or about me with any social > network. > > This message was written using only recycled electrons. > Email had 1 attachment: > + signature.asc > 1k (application/pgp-signature)
