
SGX overview: Intel SGX Explained

SGX attacks (SoK): https://oaklandsok.github.io/papers/schaik2024.pdf

TrustZone: SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems (SP'20)

TDX: https://arxiv.org/abs/2303.15540 Intel TDX Demystified: A Top-Down Approach

AMD SEV + SNP: https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/solution-briefs/amd-secure-encrypted-virtualization-solution-brief.pdf

AMD-related attacks:

Remote attestation: https://datatracker.ietf.org/wg/rats/about/

TEE notion: **Cloud Computing Security: Foundations and Research Directions Hardware-Enabled Security**

Intel Trust Authority

This is an alternative to the Microsoft Azure Attestation service. Intel Trust Authority is a Software-as-a-Service offering that remotely attests to the authenticity and integrity of a confidential computing environment and its workloads, regardless of where the workload runs. In its first generation, Intel Trust Authority attests Trusted Execution Environments (TEEs) based on Intel® Software Guard Extensions (Intel® SGX) and Intel® Trust Domain Extensions (Intel® TDX). The attestation process gives any relying party assurance that the TEE, and the data and workloads within it, have not been compromised. It is cloud-agnostic and designed to work across on-premises, hybrid, and multi-cloud environments.

Trusted Platform Module

Be aware that a TPM exists on most modern computers. A TPM serves a different purpose than a TEE: a TPM usually has only fixed functionality and can perform just a set of pre-defined cryptographic operations, while a TEE lets developers execute arbitrary code inside it and maintains the confidentiality and integrity of that code and its data during computation. There are even TPM implementations that run inside a TEE.

What TEEs currently lack is runtime measurement. All current TEEs support only a static measurement of the initial image: the bootloader, kernel and applications are not measured again after the image has been loaded. TPMs, on the other hand, provide PCRs that store the measurement of each boot component. A vTPM can be chained back to the TEE so that it can perform runtime measurement. For example, PCR values from the vTPM can be used to check the integrity of the TD's UEFI BIOS, boot loader and kernel image.
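The PCR mechanism described above, as an added example that is not part of the original notes: a verifier replays a measured-boot event log into SHA-256 PCRs (TPM extend is `PCR_new = H(PCR_old || digest)`) and compares the result against golden values, so a modified kernel image shows up as a deviation in exactly the PCR it was extended into. The component images and PCR index assignment are constructed for illustration.

```python
import hashlib

PCR_BANK_BYTES = 32  # SHA-256 bank: every PCR starts as 32 zero bytes at reset

def measure(image: bytes) -> bytes:
    """Digest of a boot component; this is the value extended into its PCR."""
    return hashlib.sha256(image).digest()

def pcr_extend(pcr_old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). Extend-only, so the final
    value commits to every component and to the order in which they were measured."""
    return hashlib.sha256(pcr_old + digest).digest()

def replay_event_log(events):
    """Replay (pcr_index, image) events into PCR values, as a verifier does with a
    TCG event log, starting every PCR from its reset value."""
    pcrs = {}
    for idx, image in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, bytes(PCR_BANK_BYTES)), measure(image))
    return pcrs

def compare_pcrs(reported, golden):
    """Sorted PCR indices whose reported value differs from (or is missing vs.) golden."""
    return sorted(i for i in golden if reported.get(i) != golden[i])

# Constructed stand-ins for the TD's UEFI firmware, boot loader and kernel image
# (hypothetical bytes). PCR indices follow the usual convention: 0 firmware,
# 4 boot loader, 8 OS kernel.
GOOD_BOOT = [(0, b"uefi-firmware-v1"), (4, b"grub-bootloader"), (8, b"linux-kernel-6.x")]
GOLDEN_PCRS = replay_event_log(GOOD_BOOT)

def check_boot(events):
    """Replay a measured boot and report which PCRs deviate from the golden values."""
    return compare_pcrs(replay_event_log(events), GOLDEN_PCRS)

if __name__ == "__main__":
    tampered = [(0, b"uefi-firmware-v1"), (4, b"grub-bootloader"),
                (8, b"linux-kernel-6.x-patched")]
    print("good boot, deviating PCRs:", check_boot(GOOD_BOOT))      # []
    print("tampered kernel, deviating PCRs:", check_boot(tampered))  # [8]
```

Because extend is order-sensitive, the same components measured in a different order also fail the comparison; the check is against the whole chain, not a set of hashes.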

Intel’s Trusted Domain eXtension (TDX)

Since Intel SGX faces a series of side-channel attacks (e.g., the branch-shadowing attack) and its internal design is flawed (e.g., it leaks access patterns), Intel is going to replace it with a newer and more secure design called Trusted Domain eXtension (TDX for short), in the hope of achieving the security guarantees that ARM TrustZone can provide.

The overall architecture of Intel’s TDX design.

The fundamental reason why SGX is insecure: SGX does not isolate a hardware enclave that forbids all observation by the OS. An inherent flaw is that SGX shares memory with the OS, and even though that memory is encrypted, the memory bus is not protected against an adversary. How multiple enclaves communicate with each other, and how differently implemented TEEs interoperate, remain big open problems.

What is TDX? In short, TDX is a virtual machine built atop Intel's Virtual Machine Extensions (VMX) instruction-set-architecture extensions, Multi-Key Total Memory Encryption, and a CPU-attested software module. The building blocks for TDX include: 1) SGX, 2) Virtualization Technology (VT), 3) Total Memory Encryption (TME), and 4) Multi-Key Total Memory Encryption (MKTME).