fabric-private-chaincode

Enable LVI mitigation for SGX

Open g2flyer opened this issue 5 years ago • 2 comments

Is your feature request related to a problem? Please describe.

To harden the enclaves, it would be good to protect them against LVI attacks.

Describe the solution you'd like

Follow the steps in Section "Enable CVE-2020-0551 Mitigation" of the "Enclave Development Basics" Chapter (page 86ff in the Intel® Software Guard Extensions (Intel® SGX) SDK for Linux* OS -- Developer Reference) [Note: this relies for Ubuntu 18.04 on the upstream binutils. For Docker, we install Intel's version distributed as part of the SDK in /opt/intel/sgxsdk.extras/external/toolset/ubuntu18.04 ...]

g2flyer avatar Aug 05 '20 23:08 g2flyer

Note: if you have a platform vulnerable to LVI, attestation verification will currently fail with isvEnclaveQuoteStatus=SW_HARDENING_NEEDED in the IAS verification report (e.g., you will encounter this error when you run on Azure Gen2 VMs.)

g2flyer avatar Nov 04 '20 18:11 g2flyer

> Note: if you have a platform vulnerable to LVI, attestation verification will currently fail with isvEnclaveQuoteStatus=SW_HARDENING_NEEDED in the IAS verification report (e.g., you will encounter this error when you run on Azure Gen2 VMs.)

#610 tackles this

mbrandenburger avatar Aug 06 '21 07:08 mbrandenburger
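An added example, not code from this thread or from the fabric-private-chaincode project: a relying-party policy check for the `isvEnclaveQuoteStatus=SW_HARDENING_NEEDED` result mentioned in the comments above. It assumes the IAS report signature has already been verified, that the report is version 4 (which carries `advisoryIDs`), and that INTEL-SA-00334 is the advisory covering LVI (CVE-2020-0551); the function name, the `mitigated_advisories` parameter and the sample report are constructed for illustration.

```python
import json

# Constructed sample of an IAS v4 report body (signature check assumed done elsewhere).
SAMPLE_REPORT = json.dumps({
    "version": 4,
    "isvEnclaveQuoteStatus": "SW_HARDENING_NEEDED",
    "advisoryIDs": ["INTEL-SA-00334"],  # LVI / CVE-2020-0551
})


def evaluate_report(report_json, mitigated_advisories=frozenset()):
    """Return (accepted, reason) for an IAS attestation verification report.

    mitigated_advisories: advisory IDs the *enclave build* is known to address,
    e.g. {"INTEL-SA-00334"} once the enclave is compiled with the LVI mitigation.
    The caller must separately pin MRENCLAVE/MRSIGNER to that hardened build,
    otherwise this allowlist says nothing about the enclave actually attested.
    """
    report = json.loads(report_json)
    status = report.get("isvEnclaveQuoteStatus")

    if status == "OK":
        return True, "quote status OK"

    # Anything other than SW_HARDENING_NEEDED (revocation, out-of-date TCB,
    # configuration issues, invalid signature, missing field) is rejected here.
    if status != "SW_HARDENING_NEEDED":
        return False, f"unacceptable quote status: {status}"

    advisories = set(report.get("advisoryIDs", []))
    if not advisories:
        # Without the advisory list there is nothing to match the build against.
        return False, "SW_HARDENING_NEEDED without advisoryIDs"

    unmitigated = sorted(advisories - set(mitigated_advisories))
    if unmitigated:
        return False, "unmitigated advisories: " + ", ".join(unmitigated)

    return True, "SW_HARDENING_NEEDED, all listed advisories mitigated in build"


if __name__ == "__main__":
    print(evaluate_report(SAMPLE_REPORT))                        # default policy
    print(evaluate_report(SAMPLE_REPORT, {"INTEL-SA-00334"}))    # hardened build
```

IAS reports this status based on the platform, not on how the enclave was compiled, so acceptance has to be tied to the measurement of the hardened build rather than to the status alone.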