Intel Security Dev API 1.0 Production Release
Release Notes
24 August 2017
Version History/Revision History

Date           Revision   Description
August 2017    1.0        Limited Production Release
March 2017     0.61       Limited External Distribution

Intended Audience
This release is intended for specific customers only.

Customer Support
Please contact intelsecuritydevapi_support@intel.com.
Contents:
1 Introduction
2 Features
3 Known Issues
4 Related Documentation
5 Release Content
6 Hardware and Software Compatibility
7 Acronyms and Terms
8 Legal Information
1 Introduction

This document provides system requirements, issues and limitations, and legal information for Intel Security Dev API.

Intel Security Dev API is an API library that makes it easy for application developers to use hardware security technologies available on Internet of Things (IoT) devices. The Intel Security Dev API SDK contains the API library and associated tools you need to use hardware security in your applications.

To learn more about this product, please visit https://software.intel.com/en-us/security-dev-api or consult the information in the Related Documentation section.
2 Features

Intel Software Guard Extensions (Intel SGX)
    Secure Data: Protect data on the local device with predefined or custom protection policies.
    Secure Transport: Protect data in transit, establish secure bidirectional TLS communication channels, and use whitelisting to restrict communication to specific domains.

Trusted Platform Module (TPM)
    RSA Signing: Securely provision RSA private keys onto TPMs and use the keys for signing.
3 Known Issues

1. Intel Security Dev API must be installed as root, and all scripts must be run as root, or a normal user must be given permission to access /opt/*.

2. Although multiple RSA private keys can be provisioned using the Provisioning Tool, the config file used by the application will only use the last key listed in the config file for signing.
   a. Workaround: Update the config file with other keys manually, as needed.

3. Secure Data objects that were created by the trusted application (TA) during the TA initialization stage may not be accessible by the TA later.
   a. Cause: A trusted application is only considered loaded and ready (that is, part of the policy context) after load_ta() is successful.
   b. Workaround: Create Secure Data objects in the context of ta_invoke(), and not during TA initialization.

4. When using the trusted application simulation/debug configuration, use of very large buffers of data (such as TA debug print, or via the TA debug option in Eclipse) may result in a crash of the application.
   a. Cause: This limitation is due to the small buffer size of the Intel SGX TEE. Note: This only happens in the debug/simulation configuration.
   b. Workaround: Partition TA print messages and partition data used for TA debugging.

5. When calling isec_load_ta_ex() in C/C++ or TALaunchControl.load in Java, the value of the OPTIONAL parameter ta_key_id must be NULL. Any other value will result in an internal error.
   a. Cause: The Encrypted Trusted Application feature is not supported in this version.
   b. Workaround: None

6. An attacker may be able to mount a replay attack by exploiting power events/transitions. Without a hardware monotonic counter, sealed state cannot be bound to a freshness value, so a previously saved copy of sealed data can be restored and will still pass its integrity check.
   a. Cause: Hardware monotonic counters are not supported in version 1.0 of the Intel SGX SDK.
   b. Workaround: None

7. The Policy API returns success even before init() has been called or after shutdown(), independent of the library's initialization state.
   a. Cause: Legacy design decision to implement policy as a helper API in the main application scope. This will be changed for version 1.1.
   b. Workaround: None

8. Enclave re-sign is not supported in the Signing Tool.
   a. Cause: The Intel SGX SDK signing tool does not support re-signing.
   b. Workaround: None

9. When using the isec_provisioning tool (with data=<value>), the exponent values accepted for the TPM-provisioned key are limited. The only supported value for the exponent field is 2^16+1.
   a. Cause: Limited support for exponent values in version 1.0.
   b. Workaround: Use only the RSA public exponent 65537 (2^16+1).
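Known issue 6 names the class of attack without showing what it looks like. The following is an added example written for these notes; it is not Intel Security Dev API code and makes no SDK calls. An HMAC-protected blob stands in for SGX sealing, a small software object stands in for the hardware monotonic counter that version 1.0 lacks, and the sealing key, wallet balance and transaction amounts are constructed sample values. Restoring an earlier copy of the sealed blob is accepted when there is no counter and rejected when the blob's counter no longer matches the hardware counter.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real enclave derives its sealing key from the CPU, not from a constant.
SEAL_KEY = hashlib.sha256(b"constructed demo sealing key").digest()
TAG_LEN = 32


def seal(counter: int, payload: bytes) -> bytes:
    """Stand-in for sealing: bind a freshness counter to the payload under a MAC."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(SEAL_KEY, body, hashlib.sha256).digest()


def unseal(blob: bytes):
    """Verify the MAC and return (counter, payload). Note that a replayed OLD blob passes this check."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(SEAL_KEY, body, hashlib.sha256).digest()):
        raise ValueError("sealed blob failed integrity check")
    return struct.unpack(">Q", body[:8])[0], body[8:]


class MonotonicCounter:
    """Stand-in for a hardware monotonic counter: increments only and is unaffected by storage restores."""

    def __init__(self):
        self.value = 0

    def increment(self) -> int:
        self.value += 1
        return self.value

    def read(self) -> int:
        return self.value


class WalletTA:
    """Toy trusted application that keeps a balance in sealed state on untrusted storage."""

    def __init__(self, use_counter: bool, initial_balance: int = 100):
        self.ctr = MonotonicCounter() if use_counter else None
        self.blob = seal(self._next_counter(), struct.pack(">Q", initial_balance))

    def _next_counter(self) -> int:
        return self.ctr.increment() if self.ctr else 0

    def _load(self) -> int:
        counter, payload = unseal(self.blob)
        # Freshness check: the counter sealed into the blob must equal the current hardware counter.
        if self.ctr is not None and counter != self.ctr.read():
            raise ValueError("stale sealed state: rollback detected")
        return struct.unpack(">Q", payload)[0]

    def balance(self) -> int:
        return self._load()

    def spend(self, amount: int) -> None:
        balance = self._load()
        if amount > balance:
            raise ValueError("insufficient balance")
        self.blob = seal(self._next_counter(), struct.pack(">Q", balance - amount))


def replay_attack(use_counter: bool) -> str:
    """Attacker keeps a copy of the sealed blob, lets the TA spend, then puts the old copy back
    (the effect of a power event or a storage restore). Returns what the TA then reports."""
    ta = WalletTA(use_counter)
    snapshot = ta.blob          # untrusted storage is attacker-controlled: keep an old copy
    ta.spend(80)                # legitimate transaction, balance is now 20
    ta.blob = snapshot          # roll storage back to the old blob; MAC is still valid
    try:
        return "accepted, balance=%d" % ta.balance()
    except ValueError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print("without monotonic counter:", replay_attack(False))
    print("with monotonic counter:   ", replay_attack(True))
```

The integrity check alone cannot tell an old blob from the current one, which is why the workaround column for this issue is empty: detecting rollback needs a freshness source outside the attacker's reach, and in version 1.0 that source is not available to the TA.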
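Known issue 9 means a key generated with a non-default public exponent will not be usable by the TPM provisioning path. The following added example is not part of the SDK or its tools: it reads the public exponent directly out of a DER or PEM RSA private key, handling both PKCS#1 (RSA PRIVATE KEY) and PKCS#8 (PRIVATE KEY) encodings, so the check can run in a script before the key is handed to isec_provisioning. The keys it parses are constructed DER with placeholder numbers, valid for parsing but not usable RSA keys; the function and constant names are this example's own.

```python
import base64

# The only RSA public exponent the version 1.0 TPM provisioning path supports (known issue 9).
REQUIRED_EXPONENT = 65537  # 2^16 + 1

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _sequence_children(der: bytes):
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected DER SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        children.append((t, v))
    return children


def rsa_public_exponent(der: bytes) -> int:
    """Return e from a PKCS#1 RSAPrivateKey, or from a PKCS#8 PrivateKeyInfo wrapping one."""
    children = _sequence_children(der)
    # PKCS#8: SEQUENCE { version INTEGER, AlgorithmIdentifier SEQUENCE, privateKey OCTET STRING }
    if len(children) >= 3 and children[1][0] == TAG_SEQUENCE and children[2][0] == TAG_OCTET_STRING:
        children = _sequence_children(children[2][1])
    # PKCS#1: SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }, all INTEGERs; e is the third
    if len(children) < 3 or any(t != TAG_INTEGER for t, _ in children[:3]):
        raise ValueError("not an RSAPrivateKey")
    return int.from_bytes(children[2][1], "big")


def pem_to_der(pem: str) -> bytes:
    b64 = "".join(line.strip() for line in pem.splitlines()
                  if line.strip() and not line.startswith("-----"))
    return base64.b64decode(b64)


def exponent_ok_for_provisioning(pem: str) -> bool:
    return rsa_public_exponent(pem_to_der(pem)) == REQUIRED_EXPONENT


# --- constructed sample keys: valid DER with placeholder numbers, NOT usable RSA keys ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(x: int) -> bytes:
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")  # adds the 0x00 pad when the high bit is set
    return bytes([TAG_INTEGER]) + _der_len(len(body)) + body


def _der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return bytes([TAG_SEQUENCE]) + _der_len(len(body)) + body


def sample_pkcs1_key(e: int) -> bytes:
    n, d, p = (1 << 2047) | 0x10001, (1 << 2046) | 0x3, (1 << 1023) | 0x1   # placeholders
    return _der_seq(_der_int(0), _der_int(n), _der_int(e), _der_int(d),
                    _der_int(p), _der_int(p), _der_int(1), _der_int(1), _der_int(1))


def sample_pkcs8_key(e: int) -> bytes:
    rsa_alg_id = _der_seq(bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    inner = sample_pkcs1_key(e)
    return _der_seq(_der_int(0), rsa_alg_id, bytes([TAG_OCTET_STRING]) + _der_len(len(inner)) + inner)


def to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


if __name__ == "__main__":
    good = to_pem(sample_pkcs1_key(65537), "RSA PRIVATE KEY")
    bad = to_pem(sample_pkcs8_key(3), "PRIVATE KEY")
    print("e=65537 key accepted:", exponent_ok_for_provisioning(good))
    print("e=3 key accepted:    ", exponent_ok_for_provisioning(bad))
```

On a real key file, `openssl rsa -in key.pem -noout -text` prints the same value on its publicExponent line; the parser above makes the check scriptable without depending on the openssl binary and fails closed on anything that is not an RSA private key.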
4 Related Documentation

The SDK is installed to the following directories:

SDK root directory:   /opt/intel/isecsdk
Documentation:        /opt/intel/isecsdk/docs
Samples:              /opt/intel/isecsdk/samplecode

The following are online resources:
    Get Started Guide
    C/C++ Developer Guide
    Java Developer Guide
5 Release Content

Intel Software Guard Extensions for Linux v1.7
Intel Security Dev API v1.0

External Dependencies

Item                Description
Java                OpenJDK 1.7
Development Tools   g++ multilib, gcc multilib, lib32z1-dev, libprotobuf-dev:i386
IDE                 Eclipse IDE for Java Developers (Mars.2 Release 4.5.2)
6 Hardware and Software Compatibility

Item                           Description
Hardware for Intel SGX         Intel processor-based platform with Intel Software Guard Extensions
Deployment                     (Intel SGX) present and enabled in the BIOS
Hardware for TPM Deployment    Intel processor-based platform with Intel SGX present and enabled in the
                               BIOS and Trusted Platform Module (TPM) 2.0 support (either hardware or
                               firmware)
Operating System               Ubuntu 14.04.4 LTS 64-bit (Desktop Version)
Programming Language           C/C++ or Java for the main application component;
                               Java for the trusted application component

Please note that the hardware requirements above are for deployment, not development: You can develop code using the Intel Security Dev API on machines that lack SGX support. (This is called Simulation Mode and is explained in the Get Started Guide.)
7 Acronyms and Terms

The following acronyms and terms are used in this document (arranged in alphabetic order):

Acronym/Term   Description
API            Application Program Interface
IDE            Integrated Development Environment
SDK            Software Development Kit
TEE            Trusted Execution Environment. Platform-provided execution container that protects the confidentiality and integrity of the execution.
8 Legal Information

You may not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein.

No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

No computer system can be absolutely secure.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

Copyright 2017, Intel Corporation. All rights reserved.