Windows 10: Windows memory integrity + Intel sgx

humbird · Sep 6, 2018

Winver 1803 ( build 17134.254)

Sorry for this long post but wanted to provide as much info as I can. Hopeful I am posting in the right area.
When I try to enable memory integrity in windows
security I get the below message event ID 157.I am a complete noob in this area.
When I turn it back off I do not see this warning.
Seems the more I read about it the less I understand what to do.

Event ID157 Hypervisor did not enable mitigations for cve-3646 for
virtual machines because hyperthreading is enabled and the hypervisor
core scheduler is not enabled. To enable mitigations for CVE-2018-3646
for virtual machines enable core scheduler by running "bcdedit/set
hypervisorschedulertype core" from an elevated command prompt and reboot.

Intel SGX is enabled .Have had a recent BIOS update for mitigations.
Also in system information it says hyperthreading is enabled

My hypervisor scheduler type is "root (0x4)" info obtained from event ID 2
in event viewer.

Here is system information in admin view.

OS Name Microsoft Windows 10 Home
Version 10.0.17134 Build 17134
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name LAPTOP-RP9S2D20
System Manufacturer HUAWEI
System Model MACH-WX9
System Type x64-based PC
System SKU C128
Processor Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz, 1800 Mhz, 4 Core(s), 8 Logical Processor(s)
BIOS Version/Date HUAWEI 1.17, 7/28/2018
SMBIOS Version 3.0
Embedded Controller Version 1.17
BIOS Mode UEFI
BaseBoard Manufacturer HUAWEI
BaseBoard Model Not Available
BaseBoard Name Base Board
Platform Role Mobile
Secure Boot State On
PCR7 Configuration Binding Possible
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "10.0.17134.1"
User Name LAPTOP-RP9S2D20\humbi
Time Zone Pacific Daylight Time
Installed Physical Memory (RAM) 8.00 GB
Total Physical Memory 7.88 GB
Available Physical Memory 5.68 GB
Total Virtual Memory 9.13 GB
Available Virtual Memory 6.78 GB
Page File Space 1.25 GB
Page File C:\pagefile.sys
Kernel DMA Protection Off
Virtualization-based security Not enabled
Device Encryption Support Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not InstantGo, WinRE is not configured
Hyper-V - VM Monitor Mode Extensions Yes
Hyper-V - Second Level Address Translation Extensions Yes
Hyper-V - Virtualization Enabled in Firmware Yes
Hyper-V - Data Execution Protection Yes

I am not sure of the syntax for what I should enable.

"bcdedit/sethypervisorschedulertype core"
(mine is root 0x4}
I know how to run a command from admin command prompt ,
just not sure of the specific command and can I do it with hyperthreading enabled and intels SGX enabled (for my fingerprint reader)
Should I just leave memory isolation off?
Thank you for any help.

:)

Brink · Sep 7, 2018

Intel SGX SDK and Intel SGX Platform Software Updates

[table][tr]Intel ID: INTEL-SA-00135 [/tr] [tr][td]Product family:[/td] [td]Intel® SGX SDK and Intel® SGX Platform Software[/td] [/tr] [tr][td]Impact of vulnerability:[/td] [td]Information Disclosure[/td] [/tr] [tr][td]Severity rating:[/td] [td]Moderate[/td] [/tr] [tr][td]Original release:[/td] [td]05/10/2018[/td] [/tr] [tr][td]Last revised:[/td] [td]05/10/2018[/td] [/tr] [/table]

Summary:
Intel® Software Guard Extensions Software Development Kit (SDK) and Platform Software (PSW) utilize the Intel® Integrated Performance Primitives Cryptography Library. Vulnerabilities in this cryptography library have been reported that may enable a local attacker running malware utilizing software based side channel methods to gather data concerning certain cryptographic keys.

In accordance with the recent public security advisory INTEL-SA-00106 published for the Intel® Integrated Performance Primitives Cryptography Library, new versions of the Intel® SGX SDK and Intel® SGX PSW have been released.

Affected Products:
Intel® SGX SDK and Intel® Platform Software for Windows before version 2.01.
Intel® SGX SDK and Intel® Platform Software for Linux before version 2.1.3.

Recommendations:
Intel recommends that developers recompile applications using the latest Intel® SGX SDK and update to the latest Intel® SGX Platform Software.

Intel® SGX SDK and Intel® Platform Software for Windows version 2.01.
· https://registrationcenter.intel.com...productid=2614

Intel® SGX SDK and Intel® Platform Software for Linux version 2.1.3.
· https://01.org/intel-software-guard-...ions/downloads

Acknowledgements:
Intel thanks Fergus Dall, Gabrielle De Micheli, Thomas Eisenbarth, Daniel Genkin, Nadia Heninger, Ahmad Moghimi, and Yuval Yarom for reporting this issue.

Revision History

[table][tr]Revision Date Description [/tr] [tr][td]1.0[/td] [td]May 10, 2018[/td] [td]Initial Release[/td] [/tr] [/table]
Click to expand...

Source: INTEL-SA-00135

Bree · Sep 7, 2018

sgx what is it?

This is a couple of years old, but it gives you an idea of what SGX is...

This is a list of hardware which supports Intel SGX - Software Guard Extensions
Click to expand...

ayeks/SGX-hardware

This PowerDVD thread may also be of interest...
https://forum.redfox.bz/threads/new-...rdvd-17.72076/

Cliff S · Sep 7, 2018

Which SGX setting to choose in BIOS

I had noticed that even though I had Software Guard Extensions(SGX) set to "Software Controlled" in BIOS, that it wasn't showing up in Device Manager.
Then it came to me, that on my last system build(an MSI mainboard with a 6700K) that MSI had included the driver in the downloads support for the board, and also through their MSI driver & software updater.
ASUS though doesn't offer it.
I suppose this is because my ASUS board is a Gaming board and my MSI was a Professional(workstation) board, and ASUS thinks that gamers have no use for this security option*Sad

Tip I has able to download the driver though through the Microsoft Update Catalog: Microsoft Update Catalog
Select:
Intel Corporation - SoftwareComponent - 12/22/2017 12:00:00 AM - 1.9.101.41172
Last Modified: 12/22/2017
Size: 22.5 MB

Use something like 7 Zip and extract all files from the .cab folder, then double click the installer.

Information

Note SGX is only available for Intel CPUs from 7th gen Core Kaby Lake and above.
What is SGX:

Intel® Software Guard Extensions (Intel® SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification. Intel® SGX makes such protections possible through the use of enclaves. Enclaves are protected areas of execution. Application code can be put into an enclave via special instructions and software made available to developers via the Intel® SGX SDK.
Click to expand...

Intel® Software Guard Extensions SDK | Intel® Software

Why is the software controlled setting better than enabled in BIOS for consumers as opposed to business:

BIOS Support

BIOS support is required for Intel SGX to provide the capability to enable and configure the Intel SGX feature in the system.
The system owner must opt in to Intel SGX by enabling it via the BIOS. This requires a BIOS from the OEM that explicitly supports Intel SGX. The support provided by the BIOS can vary OEM to OEM and even across an OEM’s product lines.
There are three possible BIOS settings.
Click to expand...

Enabled
Intel Software Guard Extensions (Intel® SGX) is enabled and available for use in applications.

Software Controlled
Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”). Enabling Intel SGX via software opt-in may require a system reboot.

Disabled
Intel SGX is explicitly disabled and it cannot be enabled through software applications. This setting can only be changed in the BIOS setup screen.

Note: Your BIOS may only have the Enabled and Disabled options, or it may not have these options if it only supports the Software Controlled option (or if it doesn’t support Intel SGX at all). Check with your device manufacturer to determine whether or not Intel SGX is supported on your system.
When Intel SGX is set to Enabled in the BIOS, Intel SGX has been enabled, and Intel SGX instructions and resources are available to applications.
When Intel SGX is set to Software Controlled, Intel SGX is initially disabled until it is enabled via a software application

What is the point of the Software Controlled state?

(When set to enabled in BIOS)Intel SGX reserves up to 128 MB of system RAM as Processor Reserved Memory (PRM), which is used to hold the Enclave Page Cache (EPC). While its exact size is determined by the BIOS settings, it is important to note that enabling Intel SGX consumes a portion of the system’s resources, effectively making them unavailable to other applications.

(When set to Software Controlled in BIOS)The Software Controlled setting in the BIOS allows OEMs to ship systems with support for Intel SGX in a ready state, where it can be activated via software (this is the software opt-in). This is a compromise between having Intel SGX fully enabled by default and potentially consuming system resources even when no Intel SGX software is present on the system and having it turned off completely. Allowing the activation to occur via software eliminates the need for end users to boot their systems into their BIOS setup screens and manually enable Intel SGX via that interface, a potentially daunting task for nontechnical users.

Software enabling is a one-way operation: Intel SGX cannot be disabled via software. The only ways to disable Intel SGX once it has been enabled are to do so via the BIOS:

Explicitly set Intel SGX to Disabled if the BIOS provides this option.
Or:
Flash a new BIOS image to the device, which resets Intel SGX support in the BIOS to the default state (either Disabled or Software Controlled, depending on the BIOS provider).
Click to expand...

Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications | Intel® Software

What does SGX do:

Application code executing within an Intel SGX enclave:
Click to expand...

Benefits from new Intel SGX instructions introduced with 7th Generation Intel® Core™ processor platforms and Intel® Xeon® processor E3 v5 for data center servers.

Relies on a driver from Intel or the operating system for access to Intel SGX instructions and resource management

Executes within the context of its parent application, thereby benefiting from the full power of the Intel® processor

Reduces the trusted computing base of its parent application to the smallest possible footprint

Remains protected even when the BIOS, VMM, operating system, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay

Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM

Uses hardware-based mechanisms to respond to remote attestation challenges that validate its integrity

Works in concert with other enclaves owned or trusted by the parent application

Can be developed using standard development tools, thereby reducing the learning curve impact on application developers

Supports initial data center use (such as protected transport layer security (TLS) keystore management) as well as proof of concept and development work for future data center platforms and solutions. This includes encrypted database operations, trusted big data computing, network functions virtualization (NFV), and secure monitoring, blockchain, and other important data center security uses that leverage added data protection while in use.

Click to expand...

Intel SGX Homepage | Intel® Software

I hope this might help other security conscious users here.
But remember, this is only for 7th gen Intel processors and above!

Windows 10: Windows memory integrity + Intel sgx

Windows memory integrity + Intel sgx

Windows memory integrity + Intel sgx

Windows memory integrity + Intel sgx

Windows memory integrity + Intel sgx - Similar Threads - memory integrity Intel

Windows Memory integrity

Memory Integrity

Potential security vulnerabilities in Intel SGX SDK

Intel SGX Platform Software and Intel SGX SDK Advisory - Jan. 8

Windows memory integration

Intel SGX Event Items

memory integrity

Windows memory integration

Intel SGX SDK and Intel SGX Platform Software Updates

Users found this page by searching for:

bcdedit /set hypervisorschedulertype core

hypervisorschedulertype sgx

The hypervisor did not enable mitigations for CVE-2018-3646 for virtual machines because HyperThreading is enabled and the hypervisor core scheduler is not enabled. To enable mitigations for CVE-2018-3646 for virtual machines enable the core schedul