Accessing external sources of trusted time from Intel® Software Guard Extensions enclaves that help prevent sealing rollback, or data replay, attacks
- Attempting to prevent sealing replay attacks using the Intel® Software Guard Extensions (Intel® SGX) SDK for Linux*
- The Intel SGX Software Development Kit (SDK) for Linux is missing the monotonic counter APIs: get_trusted_time() and get_trusted_counter().
In an Intel® Software Guard Extensions (Intel® SGX) enclave running on a Linux* server platform, there currently is no way to get a trusted time using Intel SGX APIs. Some Cloud Service Providers who require trusted time are using a remote or centralized trusted time source. For counters, some use the Trusted Platform Module (TPM).
- Refer to Trusted Platform Module Library Part 3: Commands to find information on the TPM2_GetTime and TPM2_ReadClock primitives.
- Call the external sources of trusted time from functions in the untrusted app.
- Implement OCALLs in the SGX enclave that call those functions in the untrusted app.
Support for Intel® Software Guard Extensions (Intel® SGX) Platform Services was removed from all Linux*-based platforms, including client platforms, beginning with Intel SGX SDK for Linux 2.9.
The Intel SGX API for monotonic counters is still part of the Intel® Software Guard Extensions (Intel® SGX) SDK for Windows* and is supported on Windows® 10 platforms through the Intel SGX Platform Software for Windows. The Intel SGX Platform Software for Windows is usually installed through Windows Update from the platform OEM.