5

Question Background

This morning I found, by accident, that there is basically a backdoor in a dormant state in my Dell laptop: Computrace, which comes from Absolute Software (link to their website, link to Wikipedia).


Actual Question

Since I read that some UEFI/BIOS settings can't be changed once set, I wonder if this is also the case for Intel SGX technology (SGX Intel, SGX Wikipedia), which I would probably like to disable too, since I've seen from this Linux shell script that SGX is Enabled in my system configuration, and then proved it by looking into the UEFI/BIOS, where it's currently set to Software Controlled. I would like to ask if having SGX enabled or software-controlled is a bad practice, or worse: could Intel SGX be dangerous under Linux?


Personal Background

I'm a security amateur at home. I'm primarily interested in VPN topics, and I don't even know what SGX really does yet.

LinuxSecurityFreak
  • What is your threat model? – forest Mar 24 '19 at 09:33
  • 1
    @forest I'm not sure what your question means. You might want to put it in layman's terms for me. Thank you. – LinuxSecurityFreak Mar 24 '19 at 13:09
  • A threat model is an abstract model of a person's adversaries, the assets the adversaries are attempting to compromise, and various other salient factors. For example, SGX, as Steffen Ullrich says, makes it possible for malware to hide its exact computations, but it does not allow someone to escalate privileges. – forest Mar 25 '19 at 00:20
  • In general, unless your threat model is _really, really specific_, e.g. if you are a reverse engineer who expects to be infected with malware performing secret computations _and_ which does not run privileged _and_ while you have no access to log the infection vector (network, etc.), _then_ SGX might not be a great idea because you wouldn't be able to analyze the malware (but you would know it exists and know what overt actions it takes on your computer). Otherwise, you have absolutely nothing to worry about and SGX is harmless. – forest Mar 25 '19 at 00:22

1 Answer

5

SGX can be used to protect critical operations (like cryptography using secret keys) against inspection from outside the SGX enclave. It can also be used by an attacker already on the system to hide his activities from inspection. Thus, unsurprisingly, there is no absolute good or absolute bad; it depends a lot on your specific (and unknown to us) environment and risk profile.

And the same is true for Computrace too. The control it allows a remote party can be used for good and bad, where the intention is actually for it to be used for good: to track down stolen notebooks. And to make this possible, it is actually necessary that it cannot simply be disabled by an attacker.

Steffen Ullrich
  • 1
    It may be useful to note that the _existence_ of the enclave can't be hidden, so you can still know if malicious software is trying to hide its exact activities, even if you don't know _what_ those activities are. – forest Mar 24 '19 at 09:35
  • @Vlastimil: not traveling with the laptop and no access for other people does not describe in any way what you are actually doing with this laptop - it only describes a few things you don't do with it. Insofar it is not useful in deciding if SGX might be useful for you or not. In general: if you do something on the system which involves secrets it might be useful - if the specific software actually uses SGX to protect these secrets. – Steffen Ullrich Mar 24 '19 at 10:07
  • *"I might have 100% misunderstood the point of SGX..."* - since you don't explain how you understood SGX in the first place I cannot tell you if your understanding is correct or wrong. – Steffen Ullrich Mar 24 '19 at 10:55
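
Added example, not part of the original question, answer or comments: the comment above notes that the existence of an enclave cannot be hidden, and on Linux one way to see this is to check the `sgx` CPU flag and look for processes that have an SGX device mapped. The device paths (`/dev/sgx_enclave` for the in-kernel driver since Linux 5.11, `/dev/sgx/enclave` and `/dev/isgx` for older out-of-tree drivers) and all function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report SGX state and which processes have an enclave mapped.
# Assumed device nodes: /dev/sgx_enclave (in-kernel driver, Linux 5.11+),
# /dev/sgx/enclave and /dev/isgx (older out-of-tree drivers).

# Return 0 if the cpuinfo-format file given as $1 lists the "sgx" CPU flag.
# -w keeps "sgx_lc" alone from counting as a match.
cpu_has_sgx() {
    grep -m1 '^flags' "$1" | grep -qw 'sgx'
}

# Return 0 if the /proc/<pid>/maps-format file given as $1 maps an SGX device.
maps_has_enclave() {
    grep -Eq '[[:space:]]/dev/(sgx_enclave|sgx/enclave|isgx)$' "$1"
}

# Print "pid command" for every readable process with an enclave mapping.
# $1 is the proc root (default /proc), so the function can be tested offline.
list_enclave_processes() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_enclave "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            printf '%s %s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null)"
        fi
    done
}

# Summarise the live system: CPU flag, driver nodes, enclave-holding processes.
scan_system() {
    if cpu_has_sgx /proc/cpuinfo; then
        echo "CPU flag: sgx present"
    else
        echo "CPU flag: sgx not reported by the kernel"
    fi
    for dev in /dev/sgx_enclave /dev/sgx/enclave /dev/isgx; do
        if [ -e "$dev" ]; then echo "driver node: $dev"; fi
    done
    echo "processes with an enclave mapped (run as root to see all):"
    list_enclave_processes /proc
}

# Only touch the live system when asked to: sh sgx_check.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_system; fi
```

The output shows that an enclave exists and which process owns it, not what runs inside it.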