Software Guard Extensions on Specific Skylake CPUs Only

Through the staggered release of Intel’s 6^th Generation Core processors, known as Skylake, we reported in our architecture deep dive that Intel would be introducing a raft of known features, including Software Guard Extensions (SGX) among others. These extensions would allow programs to allocate a set of DRAM, resources and a runtime environment (known as an enclave) specifically for that software alone, such that other programs could not access its functions or violate its memory area through 0-day intrusions. At the time we were under the impression that the SGX extensions would be enabled across all Skylake CPUs (or at least a specific subset, similar to TXT) from day one, but some sleuthing from Tech Report has determined this is not the case.

As described in a Product Change Notification, which is basically a PDF released via the website and to major partners involved, only certain upcoming versions of Skylake processors will have SGX capabilities enabled. Rather than changing the commonly used nomenclature in order to identify these processors (Core i7, i5 etc), the ones with SGX enabled will have a different S-Spec code. This code is a series of letters and numbers printed on the processor (and the box it came in) to indentify the processor for Intel’s internal database. So while the outer-ring name might not change (e.g. i7-6700K), the S-Spec can change for a number of reasons (stepping, updates or source) and this will not be readily apparent to the end-user unless they get a chance to see the code before purchasing the product.  The S-Spec change should be seamless, meaning no BIOS or microcode updates required for existing systems, which makes it harder to confirm without opening an SGX enabled detection tool or if it appears in the instruction list for SGX.

Normally with this sort of change we would expect a difference in the stepping of the processor, e.g. a move from C-0 to C-1 or something similar, but Intel has not done this here. As a result it could be speculated that an issue with the first few batches of processors rendered this part of the silicon non completely viable or consistent, and tweaks to the process (rather than creating new masks) has brought the issue under control for manufacturing. 

Many users have noted that sourcing Skylake processors is still rather difficult outside the two overclockable versions and their non-K counterparts, and this might have something to do with it, if Intel was waiting for the full extension set to be enabled. It might not be considered that big of a deal, despite the fact that SGX has been part of Intel’s software mantra since at least 2013. We would imagine that specific enterprise software packages from vendors would be expecting these extensions to go live with certified systems since the launch of Skylake, meaning there might be some confusion if two identical named processors are not separated by the S-Spec code. As far as we know from Intel, we are also expecting a relevant update to current operating systems to allow SGX to work.

In the document, the new SGX enabled S-Spec codes are provided on the right.

To that extent, Intel has said in the PDF which specific processors will have the change, which covers the Skylake Core i7, i5 and Xeon E3 v5 parts in both OEM and boxed processors. These new parts will be available to customers from October 26th, and in systems by November 30th, without the need for requalification. For non-business and non-enterprise use, we imagine that sets of parts will be in the chain for a good while, although one would imagine that Intel would solely be creating the SGX enabled parts from now on.

Source: via Tech Report