Through the staggered release of Intel’s 6th Generation Core processors, known as Skylake, we reported in our architecture deep dive that Intel would be introducing a raft of known features, including Software Guard Extensions (SGX) among others. These extensions allow a program to allocate a region of DRAM, resources and a runtime environment (known as an enclave) specifically for that software alone, such that other programs cannot access its functions or violate its memory area through 0-day intrusions. At the time we were under the impression that the SGX extensions would be enabled across all Skylake CPUs (or at least a specific subset, similar to TXT) from day one, but some sleuthing from Tech Report has determined this is not the case.

As described in a Product Change Notification, which is basically a PDF released via the website and to major partners involved, only certain upcoming versions of Skylake processors will have SGX capabilities enabled. Rather than changing the commonly used nomenclature in order to identify these processors (Core i7, i5 etc), the ones with SGX enabled will have a different S-Spec code. This code is a series of letters and numbers printed on the processor (and the box it came in) to identify the processor for Intel’s internal database. So while the outer-ring name might not change (e.g. i7-6700K), the S-Spec can change for a number of reasons (stepping, updates or source) and this will not be readily apparent to the end-user unless they get a chance to see the code before purchasing the product. The S-Spec change should be seamless, meaning no BIOS or microcode updates required for existing systems, which makes it harder to confirm without running an SGX detection tool or checking whether the processor reports the SGX instructions in its feature list.
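Since the S-Spec is not visible once the chip is in a system, the practical way to check is to ask the CPU itself. The following is an added example (not from the article or from Intel) that reads the CPUID bits the Intel SDM documents for SGX: leaf 7 sub-leaf 0, EBX bit 2 (SGX present) and leaf 0x12 sub-leaf 0, EAX bits 0 and 1 (SGX1/SGX2). The decoder is split from the hardware query so it can be tested against constructed register values; the `SGX_*` flag names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Flag names are this example's own, not Intel's. */
enum { SGX_NONE = 0, SGX_SUPPORTED = 1, SGX1 = 2, SGX2 = 4 };

/* Pure decoder over raw CPUID register values so it can be unit-tested
 * without SGX hardware. Leaf 0x12 is only meaningful when leaf 7 reports
 * SGX, so its bits are ignored otherwise (mirrors the SDM's rule). */
int decode_sgx_caps(uint32_t leaf7_ebx, uint32_t leaf12_eax)
{
    int caps = SGX_NONE;
    if ((leaf7_ebx >> 2) & 1u) {           /* CPUID.(7,0):EBX.SGX[bit 2] */
        caps |= SGX_SUPPORTED;
        if (leaf12_eax & 1u)  caps |= SGX1; /* CPUID.(0x12,0):EAX bit 0 */
        if ((leaf12_eax >> 1) & 1u) caps |= SGX2; /* bit 1 */
    }
    return caps;
}

/* Query the running CPU. Returns SGX_NONE on non-x86 builds.
 * Caveat: these bits say the silicon has SGX; whether firmware has actually
 * enabled it (IA32_FEATURE_CONTROL, MSR 0x3A, bit 18) is not visible from
 * user space, so a "supported" result still needs a BIOS/OS-level check. */
int query_sgx_caps(void)
{
    uint32_t leaf7_ebx = 0, leaf12_eax = 0;
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    uint32_t max_leaf = __get_cpuid_max(0, NULL);
    if (max_leaf >= 7) {
        __cpuid_count(7, 0, a, b, c, d);
        leaf7_ebx = b;
    }
    if (((leaf7_ebx >> 2) & 1u) && max_leaf >= 0x12) {
        __cpuid_count(0x12, 0, a, b, c, d);
        leaf12_eax = a;
    }
#endif
    return decode_sgx_caps(leaf7_ebx, leaf12_eax);
}

int main(void)
{
    int caps = query_sgx_caps();
    printf("SGX present: %s, SGX1: %s, SGX2: %s\n",
           caps & SGX_SUPPORTED ? "yes" : "no",
           caps & SGX1 ? "yes" : "no", caps & SGX2 ? "yes" : "no");
    return 0;
}
```

On a processor with the older S-Spec the first answer is "no" even though the box says i7-6700K, which is exactly the situation the article describes.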

Normally with this sort of change we would expect a difference in the stepping of the processor, e.g. a move from C-0 to C-1 or something similar, but Intel has not done this here. As a result it could be speculated that an issue with the first few batches of processors rendered this part of the silicon not completely viable or consistent, and tweaks to the process (rather than creating new masks) have brought the issue under control for manufacturing.

Many users have noted that sourcing Skylake processors is still rather difficult outside the two overclockable versions and their non-K counterparts, and this might have something to do with it, if Intel was waiting for the full extension set to be enabled. It might not be considered that big of a deal, despite the fact that SGX has been part of Intel’s software mantra since at least 2013. We would imagine that specific enterprise software packages from vendors would be expecting these extensions to go live with certified systems since the launch of Skylake, meaning there might be some confusion if two identically named processors are only separated by the S-Spec code. As far as we know from Intel, we are also expecting a relevant update to current operating systems to allow SGX to work.

In the document, the new SGX enabled S-Spec codes are provided on the right.

To that end, Intel has said in the PDF which specific processors will have the change, which covers the Skylake Core i7, i5 and Xeon E3 v5 parts in both OEM and boxed processors. These new parts will be available to customers from October 26th, and in systems by November 30th, without the need for requalification. For non-business and non-enterprise use, we imagine that both sets of parts will be in the supply chain for a good while, although one would imagine that Intel will solely be creating the SGX-enabled parts from now on.

Source: via Tech Report


  • yannigr2 - Tuesday, October 6, 2015 - link

    If this was an AMD problem, how many articles out there would be attacking AMD? I am not talking about reposting about it like it is a simple weather report, but directly attacking AMD.
  • r3loaded - Tuesday, October 6, 2015 - link

    So is SGX essentially equivalent to ARM TrustZone? Do we have any software examples that use or are able to use this technology?
  • mctylr - Wednesday, October 7, 2015 - link

    Yes, SGX is similar to ARM's TrustZone (in the general sense), it provides an additional level of hardware (enforced) privilege separation, somewhat akin to hierarchical protection domains (protection rings). The difference from x86 "protected mode" (supervisor mode) is that it extends to protect memory - code and data, as well as execution from what I understand.

    I believe the commonly cited examples of applications to utilize SGX are anti-malware / anti-virus software, digital rights management (DRM), and cryptographic components or subsystems.
  • asmian - Wednesday, October 7, 2015 - link

    You listed the stuff that's good. Don't forget that malware, viruses, rootkits and the NSA will be all over this and rubbing their hands at the ability to hide themselves from debuggers and white-hat detection. The real surveillance nightmare begins here.
  • JoeMonco - Thursday, October 8, 2015 - link

    It's not going to be very useful to malware or the NSA when this will only be a feature in a small minority of CPUs. It's not as if you can force a target to install the exact Skylake chip you need.
  • OsCeZrCd - Thursday, October 15, 2015 - link

    I am a bit afraid of this feature. Looks like a virus could use it to circumvent my Kaspersky.
  • asmian - Wednesday, January 20, 2016 - link

    Exactly. And viruses avoiding AV scanners is the least of it. This would prevent AV companies from being able to disassemble or debug new malware of all forms as there will be no access possible to their memory space. The benefits for some niche applications are surely not outweighed by having apps of any kind that cannot be trusted by users as they can never be independently verified as to what exactly they are doing.

    There is an extremely prescient commentary on all this linked to the Qubes OS project from Joanna Rutkowska - this is NOT tinfoil-hattery by any means:
  • Andy Kay - Tuesday, May 31, 2016 - link

    You guys are getting me worried. I'm no techie, but I recently purchased a notebook with a Skylake chipset, described as "manufacturer refurbished". I soon had cause to re-install Windows, and it told me that Intel SGX would be removed and would have to be re-installed when Windows was back up. I had no idea what SGX was, hence finding my way here. Is it possible that my notebook has some code on it that may be used maliciously, that may have already done its dirty-work, and that would have survived the Windows re-installation?