Notes - MCS
Secure Execution Environments
Virtualization on Intel Processors

Useful assembly instructions

The instruction rdtsc can be used to read the time stamp counter.

  • it is a non-serializing instruction (the processor may reorder its execution).

  • the value returned depends on the core where it was executed.

The instruction rdtscp can be used to read the time stamp counter and the core signature (usually the core ID number).

  • it is a serializing instruction.

  • the value returned depends on the core where it was executed.

  • asm volatile("rdtscp" : "=a" (rax),"=c" (rcx),"=d" (rdx));

  • as in the rdtsc instruction, the counter value is given by (rdx<<32)+rax.

  • the core signature is given by rcx; on GNU/Linux, its value is the core id that executed the instruction.
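The two counter reads described above, written out as an added C example (not code from these notes): the inline assembly form of rdtsc and rdtscp, the (rdx<<32)+rax recombination as a separate function so it can be checked on its own, and a small timing helper that uses the rdtscp core signature to flag a measurement whose two reads did not come from the same CPU. It assumes GCC or Clang inline assembly on x86-64; on other architectures the reads are stubbed out so the program still builds. The function names and the constructed workload are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* rdtsc and rdtscp leave the 64-bit counter split across EDX:EAX (in 64-bit
 * mode the upper halves of RAX and RDX are zeroed), so the counter value is
 * (rdx << 32) + rax exactly as the notes state. Kept as a plain function so
 * the arithmetic can be verified independently of the hardware. */
static uint64_t tsc_combine(uint64_t rax, uint64_t rdx)
{
    return (rdx << 32) | (rax & 0xffffffffULL);
}

#if defined(__x86_64__)
#define HAVE_TSC 1

/* rdtsc is non-serializing: the CPU may execute it before or after its
 * neighbours. The "memory" clobber only stops the compiler from moving
 * memory accesses across the read; it does not constrain the CPU. */
static uint64_t read_tsc(void)
{
    uint64_t rax, rdx;
    __asm__ __volatile__("rdtsc" : "=a"(rax), "=d"(rdx) : : "memory");
    return tsc_combine(rax, rdx);
}

/* rdtscp additionally returns IA32_TSC_AUX in ECX. On GNU/Linux the kernel
 * stores the CPU number in the low 12 bits (newer kernels keep the NUMA node
 * in the bits above), so the caller can notice a migration between reads. */
static uint64_t read_tscp(uint32_t *cpu)
{
    uint64_t rax, rcx, rdx;
    __asm__ __volatile__("rdtscp" : "=a"(rax), "=c"(rcx), "=d"(rdx) : : "memory");
    *cpu = (uint32_t)rcx & 0xfff;
    return tsc_combine(rax, rdx);
}
#else
/* Non-x86 build (assumption: keep the program compiling; reads report 0). */
#define HAVE_TSC 0
static uint64_t read_tsc(void) { return 0; }
static uint64_t read_tscp(uint32_t *cpu) { *cpu = 0; return 0; }
#endif

struct tsc_sample {
    uint64_t ticks;  /* difference between the two counter reads */
    int same_cpu;    /* 1 if both reads came from the same CPU */
};

/* Time fn(arg) with rdtscp. Because the counter is per core, the difference
 * is only meaningful when both reads happened on the same CPU, so the result
 * carries that flag instead of silently returning a bogus number. */
static struct tsc_sample time_with_tscp(void (*fn)(void *), void *arg)
{
    uint32_t c0, c1;
    uint64_t t0 = read_tscp(&c0);
    fn(arg);
    uint64_t t1 = read_tscp(&c1);
    struct tsc_sample s = { t1 - t0, c0 == c1 };
    return s;
}

/* Constructed workload for the demonstration: a short arithmetic loop. */
static void spin_workload(void *arg)
{
    volatile uint64_t *acc = arg;
    for (uint64_t i = 0; i < 100000; i++)
        *acc += i * i;
}

int main(void)
{
    uint64_t acc = 0;
    struct tsc_sample s = time_with_tscp(spin_workload, &acc);
    printf("tsc available: %d, raw rdtsc: %llu\n", HAVE_TSC,
           (unsigned long long)read_tsc());
    printf("workload took %llu ticks (%s)\n", (unsigned long long)s.ticks,
           s.same_cpu ? "same CPU, usable" : "CPU changed, discard");
    return 0;
}
```

A measurement whose same_cpu flag is 0 should be discarded rather than averaged in, since two cores' counters are not guaranteed to be comparable.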

The instruction cpuid can be used to get information about the processor.

  • it is a serializing instruction.

  • this instruction unconditionally generates a trap (a VM exit) in a virtualized environment.

  • it can be used when CPL is 3 (least privileged mode).

The instruction invd can be used to invalidate a cache line.

  • this instruction unconditionally generates a trap when executed in a virtualized environment.

  • it can be used only when CPL is 0 (kernel mode).

  • use it only on a memory region whose contents are irrelevant.

The instructions rdseed and rdrand are used to generate random numbers on recent Intel/AMD processors.

  • the virtual machine hypervisor can set things up so that these instructions generate a trap.

  • they can be used when CPL is 3 (least privileged mode).
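An added C example (not from these notes) covering both the cpuid passage and the rdseed/rdrand passage: cpuid leaf 0 gives the vendor string, leaf 1 carries the RDRAND bit (ECX bit 30) and the hypervisor-present bit (ECX bit 31), and leaf 7 carries the RDSEED bit (EBX bit 18); the rdrand wrapper checks that bit first and then retries on a cleared carry flag, which is how the instruction reports that no random value was produced. The retry count of 10 is the figure from Intel's DRNG software implementation guide. It assumes GCC or Clang inline assembly on x86-64 and stubs the instructions out elsewhere; all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cpu_features {
    char vendor[13]; /* 12-character vendor string from leaf 0, NUL-terminated */
    int hypervisor;  /* CPUID.1:ECX bit 31, set by hypervisors to announce themselves */
    int rdrand;      /* CPUID.1:ECX bit 30 */
    int rdseed;      /* CPUID.(EAX=7,ECX=0):EBX bit 18 */
};

/* Leaf 0 returns the vendor string in register order EBX, EDX, ECX,
 * four characters per register, least significant byte first. */
static void vendor_from_regs(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13])
{
    uint32_t regs[3] = { ebx, edx, ecx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xff);
    out[12] = '\0';
}

/* Pure decoders for the bits this example uses, testable without hardware. */
static void parse_leaf1_ecx(uint32_t ecx, struct cpu_features *f)
{
    f->rdrand = (ecx >> 30) & 1;
    f->hypervisor = (ecx >> 31) & 1;
}

static void parse_leaf7_ebx(uint32_t ebx, struct cpu_features *f)
{
    f->rdseed = (ebx >> 18) & 1;
}

#if defined(__x86_64__)
#define HAVE_X86 1

/* cpuid is serializing and always causes a VM exit, so each call is slow
 * and visible to the hypervisor: query once and cache the result. */
static void cpuid(uint32_t leaf, uint32_t subleaf, uint32_t r[4])
{
    __asm__ __volatile__("cpuid"
                         : "=a"(r[0]), "=b"(r[1]), "=c"(r[2]), "=d"(r[3])
                         : "a"(leaf), "c"(subleaf));
}

/* One rdrand attempt. Failure is signalled by a cleared carry flag, in
 * which case the destination register holds no usable value. */
static int rdrand_once(uint64_t *out)
{
    unsigned char ok;
    __asm__ __volatile__("rdrand %0\n\tsetc %1" : "=r"(*out), "=q"(ok) : : "cc");
    return ok;
}
#else
/* Non-x86 build (assumption): report no features and no random data. */
#define HAVE_X86 0
static void cpuid(uint32_t leaf, uint32_t subleaf, uint32_t r[4])
{
    (void)leaf; (void)subleaf;
    memset(r, 0, 4 * sizeof r[0]);
}
static int rdrand_once(uint64_t *out) { *out = 0; return 0; }
#endif

static struct cpu_features detect_features(void)
{
    struct cpu_features f;
    uint32_t r[4];
    memset(&f, 0, sizeof f);
    cpuid(0, 0, r); /* EAX: highest basic leaf; EBX/EDX/ECX: vendor string */
    uint32_t max_leaf = r[0];
    vendor_from_regs(r[1], r[3], r[2], f.vendor);
    if (max_leaf >= 1) { cpuid(1, 0, r); parse_leaf1_ecx(r[2], &f); }
    if (max_leaf >= 7) { cpuid(7, 0, r); parse_leaf7_ebx(r[1], &f); }
    return f;
}

#define RDRAND_RETRIES 10 /* Intel DRNG guide: retry up to 10 times */

/* Returns 1 and stores a 64-bit value, or 0 when rdrand is unsupported or
 * kept failing; *out must not be used in the failure case. */
static int rdrand_u64(const struct cpu_features *f, uint64_t *out)
{
    if (!f->rdrand)
        return 0;
    for (int i = 0; i < RDRAND_RETRIES; i++)
        if (rdrand_once(out))
            return 1;
    return 0;
}

int main(void)
{
    struct cpu_features f = detect_features();
    uint64_t v;
    printf("vendor=%s hypervisor=%d rdrand=%d rdseed=%d\n",
           HAVE_X86 ? f.vendor : "(not x86)", f.hypervisor, f.rdrand, f.rdseed);
    if (rdrand_u64(&f, &v))
        printf("rdrand: %016llx\n", (unsigned long long)v);
    else
        printf("rdrand unavailable; use the OS CSPRNG instead\n");
    return 0;
}
```

Inside a virtual machine the hypervisor bit tells the guest it is virtualized, and a hypervisor that intercepts rdrand returns whatever value it chooses; the guest cannot distinguish that from hardware output by looking at the instruction result alone.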

The instructions in, out, rdtsc, rdmsr, and rdpmc can also be made to generate a trap in a virtualized environment (if the hypervisor is configured to intercept them).
