Aren't you vulnerable to this regardless of whether you're using this tool? The vulnerability in question relies on untrusted code being able to lower voltages to very low levels, causing the CPU to malfunction. Using this tool or having it installed isn't a relevant factor. If you have untrusted code running on your PC, it's already game over, and any malicious tool can use the same API this tool uses to control voltages.
Not exactly. The promise of SGX and secure hardware enclaves is that the code that executes there should run with access to protected encrypted memory pages (enforced by the CPU VMM), and the state of the enclave can be remotely attested. Basically, it's designed to run a secure application in an untrusted computing environment as long as you trust the hardware to implement the features correctly.
SGX is actually deprecated on client devices like PCs, so it is rather difficult to use it in anti-consumer ways now (and as mentioned in a sibling thread, makes this rather irrelevant to the topic of undervolting your own PC).
In my experience (working in the field at Anjuna), SGX and other Confidential Computing are quietly used on the server-side in enterprises a lot. It's a part of defense-in-depth, often to protect critical secrets and cryptographic keys, or the systems that manage them.
> We were able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations
> If you are not using SGX, no actions are required. If you are using SGX, it suffices to apply the microcode update provided by Intel to mitigate Plundervolt.
It's not nothing, but that seems minor to irrelevant to most people.
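To make the quoted "corrupt the integrity" concrete: the classic consequence of a single faulted multiplication inside a signing routine is the Bellcore/Lenstra attack on RSA-CRT, where one correct and one faulty signature of the same message factor the modulus. The following is an added example, not code from the thread or from the Plundervolt paper. It models the fault as one flipped bit in the mod-p half of the CRT computation (a simplification; the real fault lands wherever the undervolted multiplier happens to misbehave), uses a constructed toy key far too small for real use, and shows the software-side check (verify before release) that turns the key leak into a refused operation.

```python
"""Bellcore fault attack on RSA-CRT, modelled in pure Python (added example).

A faulted computation inside an enclave is not just a wrong answer: if the
wrong answer leaves the enclave, it can leak the key. The countermeasure
shown here is to re-verify the result before releasing it.
"""
from math import gcd

# Constructed toy RSA key. 1000003 and 1000033 are primes; the sizes are
# chosen so the arithmetic is easy to follow, not for any security.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent (Python >= 3.8)
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
QINV = pow(Q, -1, P)             # Garner recombination constant


def sign_crt(m, fault_bit=None):
    """RSA-CRT signature of integer m (< N).

    fault_bit is a hypothetical knob for the example: when set, one bit of
    the mod-p half-exponentiation is flipped, standing in for a
    voltage-induced arithmetic error. The mod-q half stays correct, which
    is exactly the asymmetry the attack exploits.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp = (sp ^ (1 << fault_bit)) % P   # corrupt only the p-side result
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def recover_factor(good_sig, bad_sig):
    """Attacker's step: both signatures agree mod q (that half was correct)
    and differ mod p, so gcd(s - s', N) reveals q. No knowledge of the
    private key is needed, only the two outputs."""
    return gcd((good_sig - bad_sig) % N, N)


def sign_checked(m, fault_bit=None):
    """Defensive signing: verify with the public key before releasing.
    A faulted signature fails the check and is never emitted, so the
    attacker gets nothing to take a gcd of."""
    s = sign_crt(m, fault_bit)
    if pow(s, E, N) != m % N:
        raise ValueError("fault detected: signature withheld")
    return s


if __name__ == "__main__":
    m = 123456789
    good = sign_crt(m)
    bad = sign_crt(m, fault_bit=3)
    factor = recover_factor(good, bad)
    print("recovered factor:", factor, "matches Q:", factor == Q)
    try:
        sign_checked(m, fault_bit=3)
    except ValueError as exc:
        print("checked signer:", exc)
```

The check costs one public-key operation per signature, which is why constant-time RSA implementations in hardened libraries commonly pay it; the microcode mitigation the quoted advisory refers to removes the fault source itself, so this is the belt to that pair of braces.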
In all likelihood this tool does not work for most users, specifically in response to this vulnerability. If you're on the latest microcode, undervolting is no longer possible due to Intel's mitigation: https://www.intel.com/content/www/us/en/security-center/advi...
Which is a pity because my i7 Lenovo laptop is acoustically and thermally some kind of jet turbine in a case, because I was foolish enough to believe a review, and I really wish I could undervolt it so it can make it to lunchtime on a charge.
Wow, I never considered a power attack from software of an untrusted OS. Ring -1 and SGX and the like lead to some very harsh security environments for modern processors. IMO if you want cryptographic security, you should probably use an external component that you control, but that isn't always possible and is never the cheaper option.
gruez|1 year ago
Bognar|1 year ago
That last part being the rub.
dannyw|1 year ago
I haven't come across a use case of SGX that benefits me.
mscrivo|1 year ago
bobbiechen|1 year ago
AshamedCaptain|1 year ago
yjftsjthsd-h|1 year ago
rany_|1 year ago
gravescale|1 year ago
aftbit|1 year ago
tedunangst|1 year ago