On Fri, Dec 7, 2018 at 3:45 PM Sakkinen, Jarkko
[off-list ref] wrote:

On Fri, 2018-12-07 at 13:59 -0800, Jarkko Sakkinen wrote:

quoted

On Fri, 2018-12-07 at 14:57 +0300, Kirill A. Shutemov wrote:

quoted

quoted

What is the threat model anyway for AMD and Intel technologies?

For me it looks like that you can read, write and even replay
encrypted pages both in SME and TME.

What replay attack are you talking about? MKTME uses AES-XTS with physical
address tweak. So the data is tied to the place in physical address space
and
replacing one encrypted page with another encrypted page from different
address will produce garbage on decryption.

Just trying to understand how this works.

So you use physical address like a nonce/version for the page and
thus prevent replay? Was not aware of this.

The brutal fact is that a physical address is an astronomical stretch
from a random value or increasing counter. Thus, it is fair to say that
MKTME provides only naive measures against replay attacks...

And this is potentially a big deal, since there are much simpler
replay attacks that can compromise the system.  For example, if I can
replay the contents of a page table, I can write to freed memory.

--Andy