#2153 Discussion on SGX packaging
Closed: Accepted 2 days ago by zbyszek. Opened 2 months ago by npmccallum.

Intel's SGX feature is hopefully nearing merger in the Linux kernel. In addition to this, we need to package the userspace components to make this security feature available for consumption.

The good news is that everything is appropriately licensed. The bad news is that at least a small handful of the components need Intel-signed binaries relating to Intel's root of trust.

I would like to discuss these issues with FESCo and hopefully come up with a plan for how to enable this in Fedora.


Could you provide more details or links?

I don't have all the details yet. But here's what I know so far. At least three components need to be signed by Intel:

  • Provisioning Enclave (PvE)
  • Provisioning Certification Enclave (PcE)
  • Quoting Enclave (QE)

The first two are used for obtaining an EPID identifier from Intel which attests that the hardware is in fact genuine Intel SGX hardware. The third is used to sign an attestation report with an Intel-provided key.

The code for all three is available under a BSD license here: https://github.com/intel/linux-sgx/tree/master/psw/ae

@npmccallum I'm wondering whether we couldn't ship the PvE, PcE and QE under the "firmware" clause of the Fedora Packaging Guidelines (https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#Binary_Firmware) in a linux-sgx-firmware package?
Given that, if I recall correctly, they just get uploaded to the SGX enclave and not executed in the standard operating system space, and they are available under an appropriate license.

@puiterwijk That was basically what I was thinking as well. However, I think we probably need to have a meeting to flesh out the details. It would be good to have Intel represented at the meeting too.

Is there anything FESCo should do here? I don't feel like I can really help you with this personally. Maybe ask on Fedora's devel mailing list instead?

@npmccallum @puiterwijk If the main question is whether FESCo would be okay with you shipping the signed binary components under the "firmware" clause, then I'd be fine with:

Proposal: FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs.

@sgallagh This is precisely what I was looking for. Thanks!

This was +3 after 7 days and is thus approved by policy.

Metadata Update from @sgallagh:
- Issue tagged with: pending announcement

14 days ago

Metadata Update from @zbyszek:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

2 days ago

Metadata Update from @zbyszek:
- Issue untagged with: pending announcement

2 days ago
