> -----Original Message-----
> From: Huang, Kai <[email protected]>
> Sent: Friday, July 25, 2025 12:43 AM
> To: Reshetova, Elena <[email protected]>; Hansen, Dave <[email protected]>
> Cc: [email protected]; [email protected]; Scarlata, Vincent R <[email protected]>; [email protected]; [email protected]; Annapurve, Vishal <[email protected]>; [email protected]; Mallick, Asit K <[email protected]>; Aktas, Erdem <[email protected]>; Cai, Chong <[email protected]>; Bondarevska, Nataliia <[email protected]>; [email protected]; Raynor, Scott <[email protected]>
> Subject: Re: [PATCH v9 6/6] x86/sgx: Enable automatic SVN updates for SGX enclaves
>
> On Thu, 2025-07-24 at 21:14 +0000, Huang, Kai wrote:
> > > > > Attempt to execute ENCLS[EUPDATESVN] every time the first file descriptor
> > > > > is obtained via sgx_(vepc_)open(). In the most common case the microcode
> > > > > SVN is already up-to-date, and the operation succeeds without updating SVN.
> > > >
> > > > (Sorry I forgot to say this in the previous versions):
> > > >
> > > > If I read the pseudo code correctly, when the SVN is already up-to-date,
> > > > the EUPDATESVN doesn't update SVN but it re-generates crypto assets
> > > > anyway.
> > > >
> > > > This is no harm per the pseudo code, since the "crypto assets" is actually
> > > > the CR_BASE_KEY which is only used by EWB/ELDU flow per the SDM.
> > > >
> > > > In other words, it doesn't impact other enclave visible keys (those from
> > > > EGETKEY) such as sealing key.
> > > >
> > > > I think this is important. Because if enclave visible keys such as
> > > > sealing key are lost on EUPDATESVN when SVN is already up-to-date (which
> > > > is the most common case), it will bring significant visible impact to
> > > > enclave. E.g., one enclave could find its secret encrypted by sealing key
> > > > could never be retrieved after it restarts.
> > > >
> > > > Assuming I didn't miss anything, can we also mention this in the
> > > > changelog?
> > >
> > > Yes, you are right, anything like above behaviour would be a nightmare
> > > in practice. So would smth like this work as an additional text:
> > >
> > > "Note that in cases when SVN is already up-to-date and EUPDATESVN
> > > is executed, it does not affect enclaves' visible keys obtained via EGETKEY
> > > instruction."
> > >
> > > ?
> >
> Yes works for me. Thanks.
>
> Side topic, just out of curiosity, do you know why Intel decided to re-generate CR_BASE_KEY even SVN is found to be up-to-date?
This design pre-dates me, but as far as I understand it was due to some internal design constraints present in Ice Lake Server, where this was first introduced.

Best Regards,
Elena.

