# TALUS: Reinforcing TEE Confidentiality with Cryptographic Coprocessors

Dhiman Chakraborty, Michael Schwarz, and Sven Bugiel

CISPA Helmholtz Center for Information Security, Saarbruecken, Germany {dhiman.chakraborty,michael.schwarz,bugiel}@cispa.de

Abstract. Platforms are nowadays typically equipped with trusted execution environments (TEEs), such as Intel SGX or ARM TrustZone. However, recent microarchitectural attacks on TEEs repeatedly broke their confidentiality guarantees, including the leakage of long-term cryptographic secrets. These systems are typically also equipped with a cryptographic coprocessor, such as a TPM or Google Titan. These coprocessors offer a unique set of security features focused on safeguarding cryptographic secrets. Still, despite their simultaneous availability, the integration between these technologies is practically nonexistent, which prevents them from benefitting from each other's strengths.

In this paper, we propose TALUS, a general design and a set of three main requirements for a secure symbiosis between TEEs and cryptographic coprocessors. We implement a proof-of-concept of TALUS based on Intel SGX and a hardware TPM. We show that with TALUS, the long-term secrets used in the SGX life cycle can be moved to the TPM. We demonstrate that our design is robust even in the presence of transient execution attacks, preventing an entire class of attacks due to the reduced attack surface on the shared hardware.

## 1 Introduction

The need for stronger protection of data and computations has led to the advent of secure enclaves, CPU-provided isolated Trusted Execution Environments (TEE) that secure general-purpose computations. Prevalent technologies are Intel SGX [40, 32, 24], ARM TrustZone [5], or Keystone [58] and MI6 [9] for RISC-V.

The security offered by these secure enclaves for code and data isolation depends on several high value cryptographic credentials (e.g., Launch and Provisioning Key for Intel SGX, AMD PSP infrastructure key for AMD SEV, manufacturer root keys for ARM TrustZone). Enclave programs, in turn, depend on credentials derived from those long-term secrets, e.g., for secure storage of enclave data. Unfortunately, enclave technology shares hardware, e.g., CPU cores, between trusted and untrusted code, opening an attack surface. Especially for Intel SGX, this attack surface has been exploited in microarchitectural attacks [67], some of which leak confidential data from CPU buffers [12, 82, 84, 94, 8].

Our key observation is that virtually all platforms today are additionally equipped with specialized cryptographic or security-oriented coprocessors that protect cryptographic credentials, access control secure storage, or monotonically count. For instance, Trusted Platform Modules (TPM) [91] are available on effectively all desktop and server machines, and more solutions become available, such as Google's Titan, Microsoft's Cerberus, or AMD's PSP [102]. In contrast to general purpose application processors with security extensions for TEEs, those coprocessors have been designed for the primary goal to safeguard cryptographic credentials and secret data. Integration between secure enclaves and cryptographic coprocessors creates a stronger security solution in which enclaves can use the complementary coprocessor features. Concrete use-cases would benefit from this integration, e.g., impeding microarchitectural attacks against enclaves based on TPM features. Unfortunately, such an integration is currently, if it exists, very limited. We ask the following fundamental questions: Which security quarantees does the combination of CPU-provided TEEs with secure coprocessors provide that each of the technologies cannot provide on their own? What are the requirements to combine the advantages of both technologies without introducing new security problems or large performance overheads?

To answer these questions, we introduce a hardware/software co-design, TALUS, to combine CPU-provided TEEs with cryptographic coprocessors. Enclave code can directly invoke the coprocessor only via the CPU firmware and bus connections to make use of the coprocessor's facilities, such as counters or key management. We identify three core requirements to realize our idea: a secure communication channel between processors and coprocessors, vertical access control to distinguish between enclave and non-enclave code, and horizontal access control to distinguish between different enclaves. To understand how SGX can be integrated with an on-board hardware TPM, we built a proof-of-concept integration between Intel SGX and a hardware TPM on commodity hardware. We show that a combination of Intel SGX (emulated through KVM-SGX [49] and QEMU-SGX [50]) with hardware TPM is feasible with firmware changes and demonstrate through different use cases the security benefits of this symbiosis.

We show that TPM fills a gap in the trusted-computing features of SGX that is due to a lack of replay-protected secure non-volatile memory. Several previously published defenses for attacks against SGX provide their full strength only if such building blocks are available [85, 75, 20]. Furthermore, preventing recent microarchitectural attacks against TEEs [100, 12, 82, 84], including undervolting [79, 74, 54] is only effective if an enclave can store a persistent state to limit the number of attack attempts. In addition to the possibility of preventing attacks against enclaves, we demonstrate that all high-value secrets used during the lifetime of enclaves can be safely stored in the TPM without ever reaching a shared hardware element. We can actively mitigate existing attacks and harden an enclave against potential future attacks by reducing the amount of high-value secrets stored in the enclave. Our proof-of-concept implementation shows that the expected overhead of an average 21.6% is amortized in typical use cases, as only rarely used operations suffer from a slowdown of several milliseconds.

In summary, we make the following contributions:

- 1. We introduce *TALUS*, a hardware/software co-design to combine CPU-provided TEEs with cryptographic coprocessors.
- 2. We show that *TALUS* provides extended features, like rollback protected TPM NV-storage for persistent counters to limit execution control attacks against enclaves.
- 3. We demonstrate that *TALUS* significantly reduces the attack surface for microarchitectural attacks.
- 4. We analyze *TALUS* for real use cases, showing that its performance overhead is amortized in many use cases while providing strong security guarantees.

# 2 Background

#### 2.1 Intel Software Guard eXtension (SGX)

SGX is an extension to the x86 instruction set that allows a user-space process to create and manage a protected isolated memory region called an *enclave* within its own address space, even protected from OS and hypervisor access [66, 39]. SGX assumes that the CPU, including its microcode, is the only trusted element in the system. Enclave data are stored encrypted in DRAM and unencrypted in the CPU caches and registers. An external party can verify an enclave by (remote) attestation of the enclave code and meta-data [86, 10].

Intel supplies two infrastructure enclaves, the launch enclave (LE) and quoting enclave (QE), on which SGX is heavily dependent. The LE is responsible for handling and launching user-space enclaves with a token called EINITTOKEN that is generated using i) the measurement of the static content of the enclave (MRENCLAVE) and ii) the enclave-author validation (MRSIGNER). The LE requires a 128-bit Launch Key (LK) to derive the EINITTOKEN. The QE is designed to validate local attestation reports by enclaves generated with an asymmetric private key that a remote verifier can verify. Both the LE and the QE are entrusted with long-term high-value cryptographic credentials.

#### 2.2 Trusted Platform Module (TPM)

TPM by the Trusted Computing Group is the most widely deployed trusted computing technology on commodity platforms used by, e.g., Microsoft Windows management instrumentation, Intel Trusted eXecution Technology (TXT) [46], Microsoft Bitlocker [69], or Google Chrome [28]. A TPM contains a small nonvolatile memory block, a set of platform configuration registers (PCR), an onboard processor to execute TPM code in isolation from the other hardware, coprocessing for standard cryptographic algorithms, a secure clock, and a random number generator. TPMs can reliably report internal data to a third-party verifier, i.e., remote attestation based on a pre-installed endorsement key. Typically, a TPM is available as a hardware chip soldered to the mainboard, traditionally connected via the Low Pin Count (LPC) bus or on newer platforms via the SPI bus, making it only available through memory-mapped I/O (MMIO) registers protected by the chipset. Intel also implements a firmware TPM called Platform Trust Technology (Intel-PTT) [38] housed inside Intel CSME [42].

# 3 Requirements Analysis

In this section, we define three fundamental requirements for a secure integration of CPU-provided Trusted Execution Environments with onboard secure coprocessors: secure communication channel, horizontal access control, and vertical access control. We systematically compare how SGX and TPM meet those requirements and how well these two technologies can be integrated, as demonstrated later by our proof-of-concept implementation. In Appendix B, we have extended this comparison further to other secure coprocessors and TEEs.

Communication Channel (CC). For a secure integration between the security coprocessor and the application processor (AP), the communication channel between them must be secured from eavesdropping even in case of physical attacks, e.g., bus sniffing (CC1), and there should not be any dependencies on buffers vulnerable to microarchitectural attacks that can leak sensitive data transferred via the channel (CC2). TPM and SGX fulfill CC1 since TPM and Intel CPUs support end-to-end encryption of the communication between them [91, 25, 46]. However, this channel does not avoid insecure buffers, and decrypted data on the CPU side might still pass through such buffers. As demonstrated by recent attacks, none of the TEEs, including SGX, is free of insecure buffers. Therefore, SGX inherently fulfills not CC2, and we show in Section 5 how we overcome this limitation in combination with TPM.

Horizontal Access Control (HC). TEEs can host multiple tenants. For example, SGX supports multiple (parallel) enclaves. Horizontal access control ensures that the AP and the coprocessor can distinguish between requests from mutually untrusted tenants inside a TEE. For instance, one enclave should not be able to access another enclave's data within the coprocessor. A trusted entity, such as an AP, must create access or identity tokens that can identify TEE tenants. The tokens must be securely communicated to the coprocessor. The coprocessor must also understand those tokens to control access to managed data and secrets. Hardware TPM and firmware TPM employ extended authorization policies (EAP) that can use these access tokens for access control to TPM-managed objects, like TPM-internal storage and keys. All AP-based TEEs can fulfill this requirement because they can uniquely identify the different enclave codes they host. They can provide this information on calls to the coprocessor. For example, in SGX, this would be the code measurement of the enclave by the CPU.

Vertical Access Control (VC). AP-based TEE technologies and the coprocessor should support access control based on different security levels (e.g., application, OS, or hardware) to prevent non-enclave code from accessing enclave-owned entities in the coprocessor. The access token to distinguish between different security levels needs to be generated and handled by a secure piece of code and be securely communicated to the coprocessor. Hardware and firmware TPM offer *Locality* to distinguish between TPM commands originating from different security levels. Still, the locality of a command must be communicated to the

TPM by the CPU or firmware. Furthermore, SGX registers when it executes in enclave mode, but this security level is only used CPU-internally and not for Locality.

TALUS: Integrating Intel SGX and Hardware TPM. The main issue of vanilla SGX is the lack of confidentiality- and integrity-protected tamperresistant storage. As we are unaware of any non-volatile memory inside a CPU, we do not see how SGX can be improved by only updating the firmware and without adding new components (like a TPM) to the TCB. Vanilla SGX can use PTT for certain trusted computing use cases. However, PTT is housed inside the CSME [42] and connected through the DMI interface without any security around the communication channel. Moreover, although CSME employs its own OS with its own security ring, completely segregated from the platform security, the command buffer for PTT is configured by untrusted software, such as the OS, and PTT recently suffered from access control errors [43, 44] that completely undermine its security and are currently unfixable in production devices. Additionally, secrets typically flow through the memory hierarchy on the CPU where untrusted code can run in parallel, observing side effects of the secret processing, e.g., when unsealing data from disk. Furthermore, in SGX, support for counters depends on the Platform Service Enclave and Intel ME, which are often not available in SGX production deployments and have already been deprecated [47]. Moreover, these counters can be reset by reinstalling the SGX platform software [63]. As SGX stores counters inside the BIOS flash storage, they do not persist across system resets [63]. The unavailability of integrity-protected, tamper-resistant storage does not allow SGX to store a secure counter, which limits the possibility of enclaves to enforce a number of enclave executions, as exploited in interrupt-based attacks [12].

Based on our requirements analysis, we found that the combination of SGX with hardware TPM is highly amenable for integration and allows to fill those gaps in SGX with TPM functionality. Due to the historical relationships between Intel CPUs and TPM, they can create an encrypted channel between them. Additionally, SGX can identify (i.e., measure) enclave code while TPM can use this identity in its access control policies. Therefore, our proof-of-concept implementation for our TALUS design is based on SGX and a **hardware** TPM.

## 4 High-level TALUS Overview

Figure 5 illustrates the high-level overview of *TALUS*. Our systematization (Section 3) underlines the intuition that the TPM, when integrated as a coprocessor with SGX, can provide desirable features to secure enclaves, such as physically isolated processing of cryptographic secrets, a secure clock, or persistent counters. The basic idea is to retrofit SGX with a *direct* communication channel to the TPM chip *without* going through the host OS. With such a communication channel, enclaves can leverage the TPM facilities as building blocks, e.g., to implement secure monotonic counters (cf. Section 5). This section provides more

details on the security benefits, requirements, and challenges of integrating SGX enclaves with a TPM.

#### 4.1 Threat Model

The threat model for *TALUS* is the union of the coprocessor and enclave threat model. Only the coprocessor (including firmware) and the processor (including microcode) are trusted. We assume that the coprocessor does not suffer from implementation [72] or platform integration flaws [34]. Similarly, we assume that the enclaves are not malicious [68] and are free of classical software vulnerabilities [98, 59, 95, 21]. Microarchitectural attacks [93], such as classical side channels and transient execution attacks, are in scope. We allow physical attacks in line with the TPM and SGX specifications, e.g., bus tapping, bus sniffing, or similar physical layer attacks [7, 53, 56]. We exclude physical attacks outside of a reasonable attacker model for SGX and consumer-grade hardware, such as bus snooping on high-speed or address buses [57], against which SGX also fails to defend.

#### 4.2 Design of TALUS

Integrating a coprocessor (e.g., TPM) with a secure enclave technology, such as SGX, poses both security (SC) and functional (FC) challenges. In this section, we detail the challenges and how we design *TALUS* to solve these challenges.

SC1. Secure Communication Channel. CPU and coprocessor must exchange data securely. Ideally, the coprocessor is physically integrated with the CPU package (e.g., similar to AMD PSP), and the communication channel is physically secured against eavesdropping. If the coprocessor is an additional hardware element, a secure connection via the usually insecure bus is required. For TPM and SGX, TPM is connected to the CPU via the unprotected LPC or SPI bus. Thus, *TALUS* relies on symmetric authenticated cryptography to establish a secure channel between the coprocessor and the CPU while ensuring confidentiality and integrity despite an untrusted OS and a physical attacker.

SC2. Authorization of Commands. A coprocessor, such as TPM, is often shared between various entities on the system, such as firmware, OS, and user-space applications. Further, the enclave technology might support multiple mutually-untrusted tenants. Thus, the coprocessor has to manage the credentials for different enclaves (differentiated using, e.g., MRSIGNER, MRENCLAVE, PRODID and SVN). Moreover, the coprocessor is also used by non-enclave code, e.g., the OS, firmware, or user-space application. Consequently, it is crucial to have authorization of coprocessor commands to control access to coprocessor entities (like keys or NVM) to ensure that every enclave and non-enclave code only ever has access to its own coprocessor entities. TALUS with SGX and TPM ensures authorization using locality and EAP. Authorization to TPM entities between different actors in the system, e.g., OS, third-party software, or hardware, is based on the TPM locality. Different enclaves running on the same system authorize via their identities through TPM EAP (cf. Figure 5).

SC3. Avoiding Shared Hardware. It is often necessary to securely (SC1) send secret data, e.g., session keys, to the CPU while reducing the amount of shared hardware involved in the communication. Recent transient-execution attacks showed that a software-only attacker can read stale entries in various internal CPU buffers [12, 84, 82, 13, 80]. Thus, TALUS provides strict isolation of coprocessor-released data, ensuring that data does not pass (in plaintext) through shared hardware elements with (known) vulnerabilities. TALUS implements the entire communication using only CPU registers as storage.

Besides those security challenges, we identify the following functional challenges (FC) that influence TALUS.

FC1. Functionality Mapping. Enclave functionalities require a corresponding faithful command mapping offered by the coprocessor, e.g., to generate and use keys with the same authorization policies. The coprocessor driver logic for these commands can be implemented in CPU microcode [48] without requiring hardware changes. The microcode changes have to support only minimal amounts of ephemeral storage for policy sessions and session handles, both of which can be stored in the insecure BIOS flash.

FC2. Attestation. Enclaves depend on attestation to convince (remote) parties that they are communicating with the intended enclave. If the coprocessor supports attestation and management of attestation secrets, the attestation can be outsourced to the coprocessor. Thus, attestation secrets are never stored in shared hardware. A TPM supports remote attestation of TPM internal data. However, this poses the challenge of faithfully integrating the TPM attestation protocols with SGX. TALUS achieves this by extending TPM PCR21 with a measurement of an SGX secret (e.g., measurement of the QE). PCR21 is protected using EAP to ensure that only the microcode can access it, and the PCR21 measurement is attested through TPM-based attestation to a remote verifier.

FC3. Asynchronous Execution. When outsourcing cryptographic commands to a potentially much slower coprocessor, we face the problem that the coprocessor execution is asynchronous to the enclave execution. For example, the enclave might be interrupted before the coprocessor finishes executing an issued command by the enclave. Thus, TALUS ensures proper scheduling between enclave execution and coprocessor execution to handle asynchronous execution by storing secrets in the special-purpose registers and encrypting them during interrupts, preventing the register content from leaking through unprotected buffers. Interrupts already require a significant amount of microcode execution in the CPU, e.g., SGX stores registers in the SSA and resets the register values to non-secret values. Hence, adding encryption is feasible in microcode.

#### 5 TALUS Implementation

This section briefly introduces the implementation details of a proof-of-concept of *TALUS* based on SGX and a hardware TPM. An in-depth discussion is available in Appendix A. We show the functionality and all the security guarantees using the Intel SGX emulator [62] and a hardware TPM, allowing us to implement

the entire design of *TALUS*. For the performance evaluation, we instead use a hardware SGX enclave in combination with the same hardware TPM, with the limitation that the communication channel is not protected against a malicious OS. All evaluations are performed on an Intel i7-7820X running Ubuntu 16.04.04 with kernel 5.0.0. As the TPM, we use an Infineon SLB 9670 that supports TPM 2.0 (HTPM). The size of the enclave used for performance evaluation is 52 kB.

#### 5.1 Connecting SGX and TPM

Channel between SGX and TPM (SC1). Typically, the OS provides the TPM as an MMIO device to the system and user-space software. However, TALUS cannot rely on the untrusted OS for communication. For our proof-of-concept implementation, we rely on the end-to-end encrypted programmed I/O channel between the CPU and the hardware TPM. To prevent untrusted system software from interfering with the channel, we distinguish between MMIO and DMA requests. The channel is controlled by Intel TXT using an access control mechanism called Locality offered by the TPM through TPM Locality Address Mapping [46]. TPM localities indicate the source of the command within the platform. Locality 0 is full public access, locality 1 is the OS, and higher localities (up to locality 4) correspond to the highest privilege levels, i.e., hardware and microcode, including SGX. In TALUS, localities ensure the vertical access control to the TPM (e.g., software, OS), while command authorization (cf. Section A.2) ensures the horizontal access control (i.e., different enclaves).

The channel directly stores data in the CPU registers. Cole and Prakash [22] showed that, in addition to general-purpose registers, sensitive data can also be stored in the Intel MPX bnd registers. As Linux or GCC no longer supports Intel MPX [78], these registers can be used by an enclave without conflicting with any other existing software.

Interrupt Handling (FC3). On an interrupt, SGX performs an Asynchronous Enclave Exit (AEX) to save the enclave execution state in the State Save Area (SSA) before invoking the OS exception handling. Although architecturally secure, RIDL [82], ZombieLoad [84], and ÆPIC [8] showed that storing registers in the SSA leaves copies of the values in internal CPU buffers from where they can be leaked. Forcing SGX to dump registers to the SSA is always possible, as an attacker can inject interrupts at any time during enclave execution [96].

TALUS does not allow the registers (BNDO-BND3) holding potentially secret data to be saved directly to the SSA. In our proof-of-concept implementation, we encrypt the registers on EEXIT, EREMOVE, or AEX before storing them. We use AES in counter mode, with the SGX sealing key as the encryption key and the number of asynchronous exits as the counter. Using the number of asynchronous exits as a counter has the advantage that an attacker has only one shot at leaking the (encrypted) secret, and the attacker cannot even detect if the secret has changed between two interrupts [60].

As computations with secrets often require multiple general-purpose or SIMD registers [73, 26], it is also beneficial to prevent other registers from spilling se-



(a) TPM communication from user space enclaves for SGX operations.

(b) TALUS EGETKEY key derivation mechanism

Fig. 1: Design and implementation of TALUS

crets into the SSA. Similarly to protecting enclaves from traditional side-channel attacks, we see that responsibility with the enclave developer. Without *TALUS*, a developer cannot write code so that secrets are not leaked through transient-execution attacks. If TSX is available, it is possible to protect intermediate results from spilling into the architectural domain by relying on a compiler extension [33]. However, since TSX is deprecated, transient execution can be used as a (less efficient) alternative, as shown in recent work [97, 84, 103].

#### 5.2 Porting SGX Functionality to TPM

In this section, we demonstrate that SGX functionality can be mapped to the TPM using command authorization.

TPM Command Mapping (FC1). Figure 1.a shows the TALUS workflow to use the TPM as the backend for the SGX SDK functions that handle keys. Other operations, such as reading a persistent counter from the TPM, follow the same idea. For persistent secure storage of the wrapped keys, an enclave can rely on the OS to store the data on the hard disk. Creating and using counters is similar to key handling. As TPM counters are implemented in the TPM's NVM, creating a new counter equals creating a new dedicated NVM space with TPM\_NVDefineSpace and returning a handle to the enclave. Via this handle, the enclave can read or increment the TPM-managed counter. To retrieve the time, TPM's GetTime or Readclock can be used. TPM provides a secure clock signal with the granularity of 30 ns (LPC bus bandwidth is 33 MHz).

For key handling, TPM offers adequate secrets and functionalities to achieve the same bindings of keys as SGX (cf. Figure 1.b). For example, TPM's TPM2\_OWNERSHIP can replace the SGX OWNERSHIP or the CPU can share the CPUSVN with the TPM that can be used as KDF input (Figure 1.b). TPM-generated keys can be bound to the specific TPMs through TPM secret seeds (i.e., TPM2\_CreatePrimary or TPM2\_Create for non-migratable keys). To bind generated keys in TALUS to both CPU and TPM, SGX sends a secret derived from SEAL\_FUSES to the TPM as input to the TPM key generation. Other enclave-related information are available in the SECS created by SGX for every enclave. More details on the command mapping between SGX and TPM are available in Appendix A.1.

Enclave Authorization (SC2). TALUS uses TPM's extended authorization policies (EAP) to ensure that one enclave cannot have unauthorized access to another enclave's TPM entities. EAP policies are set during the creation of a TPM entity, such as a key. The CPU in TALUS dictates the EAP of newly created TPM entities. It handles the policy sessions with the TPM, supplying the necessary information for authorization from the key-derivation material. With EAP, we can represent the same policies reflected in the key-derivation material selection in default SGX. For example, if a key is created with MRSIGNER selected but not MRENCLAVE, i.e., it can be derived by all enclaves of the same developer, we represent this in an EAP that requires the enclave's MRSIGNER value. When using the key, the CPU supplies the current enclave's MRSIGNER value to the TPM policy session. Only if it matches the value set in the EAP at key creation time can that enclave use the key.

### 5.3 Limitations of the TALUS Implementation

Our proof-of-concept implementation demonstrates that TPM and SGX are very amenable for integration, leading to improved enclave security (cf. Section 6). Our security discussion motivates further research into more secure integration of coprocessors with CPUs. In our proof-of-concept implementation, the CPU uses an end-to-end encrypted channel with pre-shared keys to the TPM (TPM\_TakeOwnership). Hence, we rely on a non-compromised chipset to, e.g., prevent cuckoo attacks [76]. A coprocessor physically integrated into the CPU, such as Microsoft Pluton [70], can remove the dependency on the chipset for a secure, authenticated connection. While we did not attempt such a tighter integration for the proof-of-concept in this paper, we provide functional objectives and requirements for a secure integration between a coprocessor and an enclave. More details are available in Appendix A.3.

## 6 Case Studies

In this section, we present two case studies using *TALUS*. We demonstrate how *TALUS* protects the enclave life cycle by storing all long-term secrets in the TPM. We also show how to strengthen mitigations against microarchitectural attacks by reducing the amount of data to protect and limiting enclave restarts.

#### 6.1 TALUS-backed Enclave Management

Enclave Creation. Figure 2.a shows the two-step process of TPM-backed enclave creation: (i) allocating enclave pages in EPC and addition of code and data to those pages, and (ii) measuring page contents (MRENCLAVE) and verification of the measurement against a signed reference value. With TALUS, the TPM creates and verifies MRSIGNER and MRENCLAVE. These operations require hashing of MRSIGNER using TPM commands like TPM2\_HashSequenceStart,



- (a) TPM communication from user space enclaves for SGX operations.
- (b) TALUS EGETKEY key derivation mechanism

Fig. 2: Enclave-related use-cases for TALUS

TPM2\_HashSequenceUpdate and lastly TPM2\_HashSequenceComplete. The TPM returns the hash of the measured enclave pages, *i.e.*, MRENCLAVE. SGX verifies the measurement of the enclave code (using the command TPM2\_VerifySignature) with the reference value signed by the creator of the enclave using the creator's public key. If the values are the same, the enclave creation is successful.

Enclave Launch. A successfully created enclave is launched using the EINIT command. Vanilla SGX employs a complex launch-control mechanism involving the LE, which requires a launch key (LK) [24]. By default, the LK is derived using the same key derivation used for sealing keys, and transferred between the trusted runtime and LE via microarchitectural buffers. Transient-execution attacks [12,84] attacked these buffers to extract the launch key. TALUS replaces this unprotected buffer transfer by encapsulating the key inside the TPM and releasing it upon successful authorization. We implement the launch control using TPM (cf. Figure 2.b). The launch process starts when EINIT requests an enclave initialization (cf. Figure 2.b) from the LE. The LE issues an LK request to the TPM with the TPM2\_CreatePrimary command. Note that this process can also be ported to Intel DCAP.

The related enclave information from Enclave SECS is passed to the TPM. The TPM creates a key using the EINITTOKEN KDM as supplied by the CPU. SGX also resets TPM PCRs and extends the enclave information into those PCRs (e.g., PCR 11-13). The PCR extension is a well-known procedure used in, e.g., Flicker [64], other solutions for proof-of-execution [77], and measured boot mechanisms [46]. After the TPM returns a key handle, an EINITTOKEN generation request is issued, wrapped in an EAP session using the enclave identity information as policy. Therefore, the authorization succeeds only if the correct enclave information was extended into the PCRs. The TPM creates the EINITTOKEN, an HMAC of the enclave identity information, using the launch key loaded into the TPM. The EINITTOKEN is returned to EINIT ( ) from the LE. EINIT receives the EINITTOKEN and sends it to the TPM for verification ( ). After verification, the TPM returns an acknowledgment of success to EINIT ( ) to proceed, setting







(b) Performance comparison (in ms): enclave management of SGX against TALUS.

Fig. 3: 2 TALUS performance evaluation

the enclave's INIT attribute to true. This enables a ring 3 application to execute the enclave's code using SGX instructions. The used PCRs are reset to their predefined values, which is possible because the code runs at locality 4.

Performance of Enclave Management using *TALUS*. Figure 3.b shows the performance of the TPM-backed functions. Enclave creation, which includes allocating enclave pages, measuring page contents, and verifying the measurements, takes on average 624.16 ms with *TALUS* and a hardware TPM (QEMU-HTPM). Compared to vanilla SGX, which also takes 97.75 ms, this is only an overhead of 526.41 ms. Given that the creation of an enclave is a one-time event in the life cycle of an enclave and does not affect any operation at runtime, this overhead is likely amortized over the runtime of the enclave.

SGX Attestation (FC2). For SGX, attestation is implemented in the QE. SGX employs local attestation to prove an enclave's identity to the QE. The QE uses the attestation keys provisioned to the platform to attest the platform information and the attested enclave's MRENCLAVE. A TPM naturally supports attestation using attestation keys, however, only of TPM-internal data (e.g., PCR values or TPM entities). With TALUS, we adapt the mechanism implemented by Intel and AMD for DRTM/Late-launch, where the platform attests with the TPM a small piece of code measured by the CPU. DRTM uses PCR17 of the TPM for measurement attestation. The CPU can only reset PCR17 at locality 4. Hence, a verifier is assured that the attested measurement in PCR17 can only come from the CPU during DRTM. In TALUS, we designate PCR21 for SGX attestation and set an EAP on this PCR that allows only locality 4 to read. extend, and reset this PCR. The TPM can attest this policy to a remote verifier to ensure them about this policy. During SGX attestation, the microcode resets PCR21 and extends it with the measurement of the QE (i.e., MRENCLAVE of the QE) and the report generated by the QE. A remote verifier can use the attested PCR21 value to check for a trusted QE and the proper report, i.e., MRENCLAVE and optionally supplied data to the report. Note that the EPID attestation used by SGX [86] is an extended version of TPM's DAA and can be modeled entirely using DAA [10]. Simply extending the enclave MRENCLAVE into a PCR and attesting this PCR is insufficient without ensuring that the MRENCLAVE is correct and reported by a trusted entity.

Performance of Other Co-processor Functions We evaluate the runtime of Sign Enclave, Get Key, Quote, Load key, Get Time and Read Counter provided by



Fig. 4: The total runtime of the commands split into base execution time and the overhead added by QEMU.

TALUS. As a baseline, we measure the time it takes the hardware TPM (HTPM) to execute these primitives. Figure 3.a shows the average execution time over 1000 measurements and a 95 % confidence interval. Communication between the TPM and SGX adds a small average overhead between 0.49 ms (generating a 2048-bit RSA key) and 50.77 ms (enclave signing).

TALUS running with a hardware TPM adds an average overhead of 98.61 ms  $\pm$  1.95 ms. Note that the overall runtime overhead of an enclave depends on its workload, *i.e.*, how often these commands are executed.

Data Encryption using TALUS. We evaluate a real-world use case that encrypts data using AES without leaking the key, even in the presence of transient execution attacks (cf. Section 6.2). Our application uses a 128-bit AES key securely stored in the TPM, only fetched when encrypting user-provided data. To ensure no leakage of round keys via the SSA [84], we execute the round-key derivation and encryption within a hardware transaction [33]. The total runtime of encrypting 4 kB of data and cleaning up any secret state is 1.66 µs $\pm$ 0.001 µs, excluding fetching the key from the TPM. The overhead from TALUS, i.e., securely getting the key, is  $58.43 \, \text{ms} \pm 1.45 \, \text{ms}$ . As a baseline, we compare the runtime to a variant where the key is not fetched from the TPM but unsealed from the disk. This (insecure) variant has an average runtime of 199.21 µs $\pm$ 0.45 µs. Note that the one-time overhead is amortized if the enclave runtime increases, e.g., if larger amounts of data are encrypted.

Since only Intel can implement a native version of TALUS, and there is no cycle-accurate emulator that supports SGX, we can only provide an estimate for such a version. Figure 4 shows the overhead added by QEMU for the TALUS commands, adding an overhead between 5 ms to 10 ms (avg. of 6.82 ms). This overhead constitutes between 2.21 % to 38.77 % (avg. of 21.60 %). We assume that commands in a native TALUS implementation are around 20 % faster.

#### 6.2 Impeding Microarchitectural Attacks

SGX enclaves are a constant target of microarchitectural attacks [93, 67]. The property that enclaves can be started arbitrarily often makes it challenging to write side-channel-resilient code [67]. Furthermore, with transient-execution attacks such as Foreshadow [12], Spectre [55], RIDL [82], ZombieLoad [84], and

architectural vulnerabilities such as ÆPIC [8], attackers can leak sensitive data from internal CPU buffers despite side-channel-resilient code.

Preventing Transient-Execution Attacks. TPMs are assumed to be resilient against other forms of microarchitectural attacks since no untrusted code can access the hardware of a TPM. Further, by design, TPM does not release any secret keys managed by TPM to the outside, but only key handles. However, sometimes the TPM needs to release secret data to the enclave (e.g., a decrypted symmetric key). With TALUS, data is loaded directly into CPU registers. No transient-execution attack against CPU general-purpose registers has been demonstrated [14]. Note that Meltdown attacks were only shown against system registers [35, 14] and floating-point and the upper half of SIMD registers in specific scenarios [88, 71, 36]. Hence, as long as a secret is only stored in, e.g., an MPX register (BNDO-BND3), it cannot be leaked using a transient-execution attack. Otherwise, Meltdown mitigations, such as KPTI, would also be ineffective.

**Proof-of-concept Evaluation.** As a proof of concept, we reproduce the AES-NI encryption from ZombieLoad [84]. With *TALUS*, we can load the AES key from the TPM directly into the CPU registers without requiring a memory load. Hence, the attack vector used by Schwarz et al. [84] is mitigated. To mitigate the remaining attack vector, the storing and loading of the XMM registers in the SSA, we rely on Cloak [33] to not leak any intermediate results from the registers to memory. We verify that the plain AES key is never stored in memory by inspecting the memory. Further, we are certain that the key is not stored in any vulnerable microarchitectural element used for interacting with the memory, such as the store buffer or line-fill buffer, preventing leakage via transient-execution attacks. However, we cannot exclude the existence of unknown buffers that are on the data path in Cloak [33] and that might become vulnerable in the future.

Limiting Precise Execution Control & Strengthening Countermeasures. Due to the strong attacker model, SGX enclaves can be interrupted at an arbitrary point, allowing precise execution control [67]. With SGX-step [96], enclaves can be interrupted after every instruction, allowing to amplify side-channel leakage. Constant interruptions result in constantly storing and loading of the enclave state, resulting in more reliable transient-execution attacks [12, 84]. By design, TALUS does not store secrets stored in the MPX registers in plain memory, preventing leakage of these values (cf. Section 5.1). While TALUS cannot directly prevent precise execution control, its persistent storage can track how often an enclave was interrupted. Although enclaves can detect interrupts via overwritten values in the SSA [75, 19], they cannot store this information across enclave restarts. With TALUS, an enclave can track the number of interrupts across enclave restarts. Due to this persistent storage, an enclave can refuse to start if it suffers from an excessive number of interrupts.

Generally, *TALUS* allows enclaves to keep information across restarts, strengthening state-of-the-art countermeasures against microarchitectural attacks. T-SGX [85], Varys [75], or Déjà Vu [20] drastically reduce the observable leakage during one enclave run. However, since they cannot prevent arbitrary enclave

restarts, leakage is still possible [51]. Using secure counters of *TALUS* strengthens such countermeasures to prevent an enclave from starting if too many abnormal events have been observed during execution.

**Proof-of-concept Evaluation.** We implement the restart limitation in the sample enclave of T-SGX [85]. The enclave first increments a counter stored in the TPM and retrieves the current value. This value is the number of times the enclave has been started. Only if the current counter value is below an enclave-defined threshold the enclave continues to provision the secrets. The limit can be obtained from a remote server to increase the number of allowed executions over time gradually. Contrary to the number of enclave executions, storing this threshold in a sealed data blob is possible. A rollback attack would only decrease the number of remaining enclave executions, providing no advantages to an attacker. As the check only happens once at enclave startup, this is a one-time overhead. With T-SGX, the time it takes to create and launch the enclave is  $19.66 \, \text{ms} \pm 0.016 \, \text{ms} \ (n=1000)$ . Increasing, reading, and comparing the timer with TALUS takes on average  $17.45 \, \text{ms} \pm 0.23 \, \text{ms}$ .

## 7 Other Platforms

TALUS shows how a co-processor can be integrated with a TEE on x86. Other platforms, such as ARM and RISC-V, can also benefit from our requirement analysis. For example, ARM TrustZone supports co-processors such as Google Titan or Apple T2 but with limited use cases such as disk encryption, key generation or encryption. On RISC-V, Keystone Enclaves and RoCC (Rocket chip coprocessor) are available on the Boom core [15] and Rocket core [6]. Hence, also on RISC-V, integrating the co-processor with enclaves can provide better security guarantees. A detailed discussion on how other platform can benefit from a TALUS implementation is available in Appendix C.

## 8 Conclusion

We showed that secure enclaves, such as SGX, can benefit from secure coprocessors, such as a TPM, if they are securely integrated. With TALUS, we presented a design that supports secure side-channel-resilient communication between TEEs and cryptographic coprocessors. We presented a proof-of-concept implementation based on a hardware TPM and SGX, demonstrating how a TPM can protect the SGX infrastructure credentials during enclave building and launching, and how such a design impedes microarchitectural attacks on SGX. From our prototype, we derive crucial requirements for secure integration between TEEs and coprocessors. We believe that the identified and solved challenges leading to our design of TALUS are valuable for future systems, such as integrating Microsoft's Pluton with enclaves, and can be transferred to other combinations of enclave technology and coprocessors, such as AMD PSP or ARM TrustZone.

#### References

- 1. AMD: Uncover, understand, own regaining control over your amd cpu (2019)
- 2. Anwar, F.M., Garcia, L., Han, X., Srivastava, M.: Securing time in untrusted operating systems with timeseal. In: 2019 IEEE Real-Time Systems Symposium (RTSS) (2019)
- 3. Apple Inc.: Apple platform security secure enclave. https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web (2021), accessed: 12/08/2021
- Apple Inc.: Apple t2 security chip security overview. https://www.apple.com/mideast/mac/docs/Apple\_T2\_Security\_Chip\_Overview.pdf (2021), accessed: 12/08/2021
- Arm Limited: The trustzone hardware architecture. https://developer.arm.com/documentation/100935/0100/The-TrustZone-hardware-architecture-?langen (2021), accessed: 01.05.2021
- Asanović, K., Avizienis, R., Bachrach, J., Beamer, S., Biancolin, D., Celio, C., Cook, H., Dabbelt, D., Hauser, J., Izraelevitz, A., Karandikar, S., Keller, B., Kim, D., Koenig, J., Lee, Y., Love, E., Maas, M., Magyar, A., Mao, H., Moreto, M., Ou, A., Patterson, D.A., Richards, B., Schmidt, C., Twigg, S., Vo, H., Waterman, A.: The rocket chip generator. Tech. rep., EECS Department, University of California, Berkeley (Apr 2016), http://www2.eecs.berkeley.edu/Pubs/TechRpts/ 2016/EECS-2016-17.html
- Boone, J.: Tpm genie: Attacking the hardware root of trust for less than \$50 (2018), accessed: 02/13/2019
- 8. Borrello, P., Kogler, A., Schwarzl, M., Lipp, M., Gruss, D., Schwarz, M.: ÆPIC Leak: Architecturally leaking uninitialized data from the microarchitecture. In: 31st USENIX Security Symposium (USENIX Security 22) (2022)
- 9. Bourgeat, T., Lebedev, I., Wright, A., Zhang, S., Arvind, Devadas, S.: Mi6: Secure enclaves in a speculative out-of-order processor. In: MICRO '52. Association for Computing Machinery (2019)
- Brickell, E., Li, J.: Enhanced privacy id: A direct anonymous attestation scheme with enhanced revocation capabilities. IEEE Transactions on Dependable and Secure Computing (2012)
- 11. Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. Cryptology ePrint Archive, Report 2004/205 (2004), https://eprint.iacr.org/2004/205
- Bulck, J.V., Minkin, M., Weisse, O., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Wenisch, T.F., Yarom, Y., Strackx, R.: Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)
- Canella, C., Genkin, D., Giner, L., Gruss, D., Lipp, M., Minkin, M., Moghimi, D., Piessens, F., Schwarz, M., Sunar, B., Van Bulck, J., Yarom, Y.: Fallout: Leaking data on meltdown-resistant cpus. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS) (2019)
- 14. Canella, C., Van Bulck, J., Schwarz, M., Lipp, M., von Berg, B., Ortner, P., Piessens, F., Evtyushkin, D., Gruss, D.: A Systematic Evaluation of Transient Execution Attacks and Defenses. In: USENIX Security Symposium (2019), extended classification tree and PoCs at https://transient.fail/.
- Celio, C., Chiu, P.F., Nikolic, B., Patterson, D.A., Asanović, K.: Boom v2: an open-source out-of-order risc-v core. Tech. rep., EECS Department, University of California, Berkeley (Sep 2017), http://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-157.html

- Chakraborty, D., Hanzlik, L., Bugiel, S.: simtpm: User-centric TPM for mobile devices. In: 28th USENIX Security Symposium (USENIX Security 19) (Aug 2019)
- 17. Chen, G., Chen, S., Xiao, Y., Zhang, Y., Lin, Z., Lai, T.H.: Sgxpectre: Stealing intel secrets from sgx enclaves via speculative execution. In: EuroS&P (2019)
- 18. Chen, G., Chen, S., Xiao, Y., Zhang, Y., Lin, Z., Lai, T.H.: Sgxpectre: Stealing intel secrets from sgx enclaves via speculative execution. In: 2019 IEEE European Symposium on Security and Privacy (EuroS P) (2019)
- Chen, G., Li, M., Zhang, F., Zhang, Y.: Defeating Speculative-Execution Attacks on SGX with HyperRace. In: Dependable and Secure Computing (DSC) (2019)
- Chen, S., Zhang, X., Reiter, M.K., Zhang, Y.: Detecting privileged side-channel attacks in shielded execution with déjá vu. In: AsiaCCS (2017)
- 21. Cloosters, T., Rodler, M., Davi, L.: Teerex: Discovery and exploitation of memory corruption vulnerabilities in {SGX} enclaves. In: USENIX Security Symposium (2020)
- 22. Cole, M., Prakash, A.: Simplex: Repurposing intel memory protection extensions for information hiding. arXiv:2009.06490 (2020)
- 23. Colin Schmidt, A.I.: A fast parameterized sha3 accelerator. https://people.eecs.berkeley.edu/~kubitron/courses/cs262a-F13/projects/reports/project11\_report.pdf (2015)
- 24. Costan, V., Devadas, S.: Intel sgx explained. IACR Cryptology ePrint Archive (2016)
- Futral, W., Greene, J.: Intel Trusted Execution Technology for Server Platforms:
  A Guide to More Secure Datacenters. Apress, Berkely, CA, USA, 1st edn. (2013)
- Garmany, B., Müller, T.: PRIME: Private RSA Infrastructure for Memory-less Encryption. In: ACSAC (2013)
- 27. Google: Titan m makes pixel 3 our most secure phone yet. https://www.blog.google/products/pixel/titan-m-makes-pixel-3-our-most-secure-phone-yet (2018), accessed: 01/06/2020
- 28. Google: Tpm usage the chromium project. https://www.chromium.org/developers/design-documents/tpm-usage (2019)
- 29. Google: Hardware security module. https://developer.android.com/training/articles/keystore\#HardwareSecurityModule (2021), accessed: 15/12/2021
- 30. Google: Work with keystore entries. https://developer.android.com/training/articles/keystore\#UserAuthentication (2021), accessed: 15/12/2021
- 31. Google: Work with keystore entries. https://developer.android.com/training/articles/keystore\#UserAuthentication (2021), accessed: 15/12/2021
- 32. Greene, James: Intel® smi transfer monitor (stm) user guide. https://firmware.intel.com/content/smi-transfer-monitor-stm (2016)
- 33. Gruss, D., Schuster, F., Ohrimenko, O., Haller, I., Lettner, J., Costa, M.: Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In: USENIX Security Symposium (2017)
- 34. Han, S., Shin, W., Park, J.H., Kim, H.: A bad dream: Subverting trusted platform module while you are sleeping. In: 27th USENIX Security Symposium (USENIX Security 18). USENIX Association (2018), https://www.usenix.org/conference/usenixsecurity18/presentation/han
- 35. Intel: Rogue system register read (2018), https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/advisory-guidance/rogue-system-register-read.html
- 36. Intel: Vector Register Sampling / CVE-2020-0548 / INTEL-SA-OO329 (2020), https://software.intel.com/content/www/us/en/develop/articles/

- software-security-guidance/advisory-guidance/vector-register-sampling.html
- 37. Intel Corporation: Intel Low Pin Count Interface Specification, August 2002. https://www.intel.com/content/www/us/en/design/technologies-and-topics/low-pin-count-interface-specification.html (2002), last accessed: 31/10/19
- 38. Intel Corporation: Strengthening security with intel® platform trust technology. https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/enterprise-security-platform-trust-technology-white-paper.pdf (2014)
- 39. Intel Corporation: Intel® 64 and ia-32 architectures software developer's manual. https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf (2016)
- 40. Intel Corporation: Intel® software guard extensions (intel sgx). https://software.intel.com/en-us/sgx (2016), accessed: 15.07.2019
- 41. Intel Corporation: Smi transfer mode (stm). https://software.intel.com/content/www/us/en/develop/articles/smi-transfer-monitor-stm.html (2019), accessed: 06/05/2020
- 42. Intel Corporation: Intel converged security and management engine (intel csme). https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/intel-csme-security-white-paper.pdf (2020)
- 43. Intel Corporation: Intel-sa-00219 sgx sw developer guidance. https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/the-intel-csme-dam-vulnerability-cve-2018-3659-and-cve-2018-3643-whitepaper.pdf (2020), accessed: 11/12/2021
- 44. Intel Corporation: The intel® converged security and management engine iommu hardware issue cve-2019-0090 and cve-2020-0566. https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/cve-2019-0090-whitepaper.pdf (2020), accessed: 11/12/2021
- 45. Intel Corporation: Intel platform service enclave. https://www.intel.com/content/www/us/en/support/articles/000058691/software/intel-security-products.html (2021), accessed: 11/04/2022
- 46. Intel Corporation: Intel® trusted execution technology (intel® txt) software development guide measured launch environment developer's guide. http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html (2021)
- 47. Intel Corporation: Unable to find alternatives to monotonic counter application programming interfaces (apis) in intel® software guard extensions (intel® sgx) for linux\* to prevent sealing rollback attacks. https://www.intel.com/content/www/us/en/support/articles/000057968/software/intel-security-products.html (2021), accessed: 10.01.2022
- 48. Intel Corporation: Xucode: An innovative technology for implementing complex instruction flows. https://software.intel.com/content/www/us/en/develop/articles/software-security-guidance/secure-coding/xucode-implementing-complex-instruction-flows.html (2021)
- Intel Corporation: Kvm sgx. https://github.com/intel/kvm-sgx (2022), accessed: 01/06/2020
- 50. Intel Corporation: Qemu sgx. https://github.com/intel/qemu-sgx (2022), accessed: 01/06/2020

- 51. Jiang, J., Soriente, C., Karame, G.: Monitoring performance metrics is not enough to detect side-channel attacks on intel sgx. arXiv:2011.14599 (2020)
- Karandikar, S., Leary, C., Kennelly, C., Zhao, J., Parimi, D., Nikolic, B., Asanovic, K., Ranganathan, P.: A hardware accelerator for protocol buffers. In: MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture. MICRO '21 (2021)
- 53. Kauer, B.: Oslo: Improving the security of trusted computing. In: Proc. 16th USENIX Security Symposium (SEC '07). USENIX Association (2007)
- 54. Kenjar, Z., Frassetto, T., Gens, D., Franz, M., Sadeghi, A.: V0LTpwn: Attacking x86 Processor Integrity from Software. In: USENIX Security Symposium (2020)
- Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: Exploiting speculative execution. In: 2019 IEEE Symposium on Security and Privacy (SP) (2019)
- Lawson, N.: Tpm hardware attacks. https://rdist.root.org/2007/07/16/tpm-hardware-attacks/ (Jul 2007), accessed: 06.08.2018
- 57. Lee, D., Jung, D., Fang, I.T., Tsai, C.C., Popa, R.A.: An off-chip attack on hardware enclaves via the memory bus. In: 29th USENIX Security Symposium (USENIX Security 20) (2020), https://www.usenix.org/conference/usenixsecurity20/presentation/lee-dayeol
- Lee, D., Kohlbrenner, D., Shinde, S., Asanović, K., Song, D.: Keystone: An open framework for architecting trusted execution environments. In: Proceedings of the Fifteenth European Conference on Computer Systems (2020), https://dl.acm.org/doi/abs/10.1145/3342195.3387532
- Lee, J., Jang, J., Jang, Y., Kwak, N., Choi, Y., Choi, C., Kim, T., Peinado, M., Kang, B.B.: Hacking in Darkness: Return-oriented Programming against Secure Enclaves. In: USENIX Security Symposium (2017)
- 60. Li, M., Zhang, Y., Wang, H., Li, K., Cheng, Y.: CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel. In: USENIX Security Symposium (2021)
- Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M.: Meltdown: Reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)
- 62. M., J.: Virtualizing intel® software guard extensions with kvm and qemu. https://software.intel.com/en-us/articles/virtualizing-intel-software-guard-extensions-with-kvm-and-qemu (2019), accessed: 01/06/2020
- Matetic, S., Ahmed, M., Kostiainen, K., Dhar, A., Sommer, D., Gervais, A., Juels, A., Capkun, S.: ROTE: Rollback protection for trusted execution. In: Proc. 26th USENIX Security Symposium (SEC' 17). usenix (2017)
- 64. McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: An execution infrastructure for tcb minimization. SIGOPS Oper. Syst. Rev. (2008)
- 65. McKeen, F., Alexandrovich, I., Anati, I., Caspi, D., Johnson, S., Leslie-Hurd, R., Rozas, C.: Intel® software guard extensions (intel® sgx) support for dynamic memory management inside an enclave. In: Proceedings of the Hardware and Architectural Support for Security and Privacy 2016 (2016)
- McKeen, F., Alexandrovich, I., Berenzon, A., Rozas, C.V., Shafi, H., Shanbhogue, V., Savagaonkar, U.R.: Innovative instructions and software model for isolated execution. Hasp@ isca 10(1) (2013)
- 67. Michael Schwarz, D.G.: How Trusted Execution Environments Fuel Research on Microarchitectural Attacks. In: Security & Privacy (2020)

- 68. Michael Schwarz, Samuel Weiser, D.G.: Practical Enclave Malware with Intel SGX. In: DIMVA (2019)
- 69. Microsoft Corporation: Bitlocker. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview (2018)
- 70. Microsoft Corporation: Meet the microsoft pluton processor the security chip designed for the future of windows pcs. https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/ (2021)
- Moghimi, D., Lipp, M., Sunar, B., Schwarz, M.: Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis. In: USENIX Security Symposium (2020)
- 72. Moghimi, D., Sunar, B., Eisenbarth, T., Heninger, N.: TPM-FAIL: TPM meets Timing and Lattice Attacks. In: 29th USENIX Security Symposium (USENIX Security 20). USENIX Association (2020)
- 73. Müller, T., Freiling, F.C., Dewald, A.: Tresor runs encryption securely outside ram. In: USENIX Security Symposium (2011)
- 74. Murdock, K., Oswald, D., Garcia, F.D., Van Bulck, J., Gruss, D., Piessens, F.: Plundervolt: Software-based Fault Injection Attacks against Intel SGX. In: S&P (2020)
- 75. Oleksenko, O., Trach, B., Krahn, R., Silberstein, M., Fetzer, C.: Varys: Protecting SGX Enclaves from Practical Side-channel Attacks. In: USENIX ATC (2018)
- 76. Parno, B.: Bootstrapping trust in a "trusted" platform. In: Proceedings of the 3rd Conference on Hot Topics in Security. HOTSEC'08 (2008)
- 77. Perez, R., Sailer, R., van Doorn, L., et al.: vtpm: virtualizing the trusted platform module. In: Proc. 15th Conf. on USENIX Security Symposium. pp. 305–320 (2006)
- 78. Phoronix: Intel MPX Support Is Dead With Linux 5.6 (2020), https://www.phoronix.com/scan.php?page=news\_item&px=Intel-MPX-Is-Dead
- 79. Qiu, P., Wang, D., Lyu, Y., Qu, G.: Voltjockey: Breaching trustzone by software-controlled voltage manipulation over multi-core frequencies. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. CCS '19, Association for Computing Machinery (2019)
- 80. Ragab, H., Milburn, A., Razavi, K., Bos, H., Giuffrida, C.: CrossTalk: Speculative Data Leaks Across Cores Are Real. In: S&P (2021)
- 81. Raj, H., Saroiu, S., Wolman, A., Aigner, R., Cox, J., England, P., Fenner, C., Kinshumann, K., Loeser, J., Mattoon, D., Nystrom, M., Robinson, D., Spiger, R., Thom, S., Wooten, D.: ftpm: A software-only implementation of a TPM chip. In: 25th USENIX Security Symposium (USENIX Security 16) (2016)
- 82. van Schaik, S., Milburn, A., Österlund, S., Frigo, P., Maisuradze, G., Razavi, K., Bos, H., Giuffrida, C.: RIDL: Rogue in-flight data load. In: S&P (May 2019)
- 83. Schwarz, M., Gruss, D.: How trusted execution environments fuel research on microarchitectural attacks. IEEE Security and Privacy (2020)
- 84. Schwarz, M., Lipp, M., Moghimi, D., Van Bulck, J., Stecklina, J., Prescher, T., Gruss, D.: ZombieLoad: Cross-privilege-boundary data sampling. In: CCS (2019)
- 85. Shih, M.W., Lee, S., Kim, T., Peinado, M.: T-SGX: Eradicating controlled-channel attacks against enclave programs. In: NDSS (2017)
- 86. Simon Johnson and Vinnie Scarlata and Carlos Rozas and Ernie Brickell and Frank Mckeen: Intel software guard extensions: Epid provisioning and attestation services. https://software.intel.com/sites/default/files/managed/57/0e/ww10-2016-sgx-provisioning-and-attestation-final.pdf (2016)

- 87. Sparks, Sherri, Embleton, Shawn, Zou, Cliff: Smm rootkits: A new breed of os independent malware. http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf (2008)
- 88. Stecklina, J., Prescher, T.: LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels. arXiv:1806.07480 (2018)
- 89. Stefan, B., David, S.: Software tpm emulator. https://github.com/stefanberger/swtpm (2022), accessed: 01/06/2020
- 90. Stiles, D.: The hardware security behind azure sphere. IEEE Micro (2019)
- 91. Trusted Computing Group: Tpm 2.0 library specification. https://trustedcomputinggroup.org/resource/tpm-library-specification/ (2016)
- 92. Trusted Computing Group: Trusted platform module library part 1: Architecture. https://trustedcomputinggroup.org/wp-content/uploads/TCG\_TPM2\_r1p59\_Part1\_Architecture\_pub.pdf (2019)
- 93. Van Bulck, J.: Microarchitectural Side-Channel Attacks for Privileged Software Adversaries. Ph.D. thesis, KU Leuven (2020)
- 94. Van Bulck, J., Moghimi, D., Schwarz, M., Lipp, M., Minkin, M., Genkin, D., Yarom, Y., Sunar, B., Gruss, D., Piessens, F.: LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection. In: S&P (2020)
- 95. Van Bulck, J., Oswald, D., Marin, E., Aldoseri, A., Garcia, F.D., Piessens, F.: A tale of two worlds: Assessing the vulnerability of enclave shielding runtimes. In: CCS (2019)
- 96. Van Bulck, J., Piessens, F., Strackx, R.: Sgx-step: A practical attack framework for precise enclave execution control. In: Proceedings of the 2nd Workshop on System Software for Trusted Execution. SysTEX'17 (2017)
- 97. Wampler, J., Martiny, I., Wustrow, E.: Exspectre: Hiding malware in speculative execution. In: NDSS (2019)
- 98. Weichbrodt, N., Kurmus, A., Pietzuch, P., Kapitza, R.: AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves. In: ESORICS (2016)
- 99. Wojtczuk, Rafal, Rutkowska, Joanna: Attacking intel® trusted execution technology. https://invisiblethingslab.com/resources/bh09dc/Attacking\% 20Intel\%20TXT\%20-\%20paper.pdf (2009)
- 100. Xu, Y., Cui, W., Peinado, M.: Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In: ssp15. IEEE Computer Society (2015)
- 101. Yarom, Y., Falkner, K.: Flush+reload: A high resolution, low noise, l3 cache side-channel attack. In: Proceedings of the 23rd USENIX Conference on Security Symposium. SEC'14 (2014)
- 102. Zhang, F., Zhang, H.: Sok: A study of using hardware-assisted isolated execution environments for security. In: Proceedings of the Hardware and Architectural Support for Security and Privacy 2016. HASP 2016, Association for Computing Machinery (2016)
- 103. Zhang, T., Koltermann, K., Evtyushkin, D.: Exploring branch predictors for constructing transient execution trojans. In: ASPLOS (2020)



**Fig. 5:** High-level idea for integrating SGX enclaves with TPM as coprocessor. Access control to the TPM entities are controlled using Locality for different levels (ring) of software and using EAP for different software working in the same level (ring); EAP = Extended Authorization Policies.

| SGX command/operation        | TPM commands                             |
|------------------------------|------------------------------------------|
| Sgx_get_key                  | ${\it TPM2\_CreatePrimary/TPM2\_Create}$ |
| Sgx_get_trusted_time         | $TPM2\_GetTime/TPM2\_Readclock$          |
| Sgx_create_monotonic_counter | TPM2_NVDefineSpace                       |
| Encryption                   | (TPM2_Load,) TPM2_EncryptDecrypt         |
| Sign                         | (TPM2_Load,) TPM2_Sign                   |
| Quote                        | (TPM2_Load,) TPM2_Quote                  |

Table 1: SGX-TPM commands mapping

## Appendix A TALUS Implementation

In this section, we briefly introduce implementation details of a proof-of-concept of TALUS based on SGX and a hardware TPM. An in-depth discussion is available in Section A. We first show the functionality and all security guarantees using the Intel SGX emulator [62] and a hardware TPM, as this allows implementing the entire design of TALUS. For the performance evaluation, we instead use a hardware SGX enclave in combination with the same hardware TPM, with the limitation that the communication channel is not protected against a malicious OS. The reason for the two parts is that only Intel can update microcode. Hence, we cannot implement all changes required for the secure communication channel in off-the-shelf hardware.

#### A.1 Connecting SGX and TPM

The connection between SGX and TPM has to fulfill the challenges outlined in Section 4.2. In this section, we present the implementation details of the communication channel, which is illustrated in Figure 5.

Channel between SGX and TPM (SC1). Typically, the OS provides the TPM as an MMIO device to system and user-space software. However, TALUS cannot rely on the untrusted OS to communicate between the TPM and enclaves. For our proof-of-concept implementation, we rely on the end-to-end-encrypted programmed I/O channel between the CPU and the hardware TPM. This channel is controlled by Intel TXT using an access control mechanism called Locality offered by the TPM through TPM Locality Address Mapping [46]. TPM localities indicate the source of the command within the platform. Locality 0 is full public access, locality 1 is the OS. Higher localities (up to locality 4) correspond to the highest privilege levels, i.e., hardware and microcode, including SGX. In TALUS, localities ensure the vertical access control to the TPM (e.g., software, OS), while command authorization (cf. Section A.2) ensures the horizontal access control (i.e., different enclaves).

The programmed I/O communication channel allows the CPU to choose where to store (sensitive) data received from the TPM, e.g., directly into CPU registers (SC3). In contrast, for direct-memory-access-based (DMA) communication, TPM data is always fetched into CPU caches. From there, it can be directly extracted via Foreshadow [12] if the CPU is affected, or via Spectre [55] indirectly if a suitable gadget exists in the enclave. To prevent untrusted system software from interfering with the channel, we change the logic in the I/O controller hub. When a programmed I/O communication is initiated, the I/O controller hub does not process an incoming MMIO request from DMA. This is possible by distinguishing an I/O request from a DMA request in the LAD[3:0] bus signal (00: I/O read-write, 10: DMA read-write) [37]. Thus, the system software can interact with the TPM with a regular DMA request only when SGX is not interacting with the TPM. In our proof-of-concept implementation, we implemented this in QEMU's ICH9-I/O controller hub device, which can be updated through microcode.

Although the size of CPU registers is limited, previous work showed that it is sufficient to compute AES [73] and RSA [26] entirely in registers. Cole and Prakash [22] showed that in addition to general-purpose registers, sensitive data can also be stored in the Intel MPX bnd registers. As Intel MPX is not supported by Linux or GCC anymore [78], these registers can be used by an enclave without conflicting with any other existing software.

Interrupt Handling (FC3). On an interrupt, SGX performs an Asynchronous Enclave Exit (AEX) to save the enclave execution state in the State Save Area (SSA) before invoking the OS exception handling. After the exception is handled, the enclave can resume by restoring the saved, protected state. While this is architecturally secure, RIDL [82], ZombieLoad [84] and ÆPIC [8] showed that storing registers in the SSA leaves copies of the values in the line-fill buffer and load ports from where they can be leaked via these attacks, even if the enclave code is not vulnerable to side channels. Forcing SGX to dump register contents

to the SSA is always possible as an attacker can inject interrupts at arbitrary points during enclave execution [96].

To remedy this attack, TALUS does not allow the registers (BNDO-BND3) holding potentially secret data to be saved directly to the SSA. In our proof-of-concept implementation, we encrypt the registers on an EEXIT, EREMOVE, or AEX before storing them. We use AES in counter mode, with the already-existing SGX sealing key as the encryption key and the number of asynchronous exits as the counter. Hence, even in the presence of transient-execution attacks, an attacker can only leak the encrypted secrets. Using the number of asynchronous exits as a counter has two advantages. First, an attacker has only one shot at leaking the (encrypted) secret. Second, an attacker cannot even detect if the secret has changed between two interrupts, a design issue that led to side-channel attacks on AMD SEV [60].

As computations with secrets often require multiple general-purpose or SIMD registers [73, 26], it is also beneficial to prevent other registers from spilling secrets into the SSA. Similarly to protecting enclaves from traditional side-channel attacks, we see that responsibility with the enclave developer, as this can be entirely ensured in software. In contrast, without TALUS, a developer cannot write code such that secrets are not leaked via transient-execution attacks. If TSX is available, protecting intermediate results from spilling to the architectural domain is possible by relying on a compiler extension [33]. However, as TSX is deprecated, transient execution can be used as a (less-efficient) alternative, as shown in recent work [97, 84, 103]. Hence, we consider the actual computations with secrets out of scope for TALUS and only provide the means to securely store secrets and transfer them between SGX and TPM.

#### A.2 Porting SGX Functionality to TPM

In this section, we demonstrate that given *TALUS*'s secure channel, SGX functionality can be transparently mapped to the TPM using command authorization.

#### TPM Command Mapping (FC1).

Table 1 provides an overview of the mapping between TPM commands and the SGX commands and operations. Figure 1.a shows the TALUS workflow for using the TPM as the backend for SGX-SDK functions handling keys. Other operations, such as reading a persistent counter from the TPM follow the same idea. Typically, SGX enclaves create keys via the  $sgx_get_key$  command, which returns the actual key to the enclave. TALUS provides a modified version of that command ( ) with the same parameters to select the seeds for key derivation (e.g., MRENCLAVE). The microcode gathers the calling enclave's identity from its SECS (SGX Enclave Control Structure, stores per-enclave metadata associated with each enclave) and uses it as seed parameters in the TPM2\_CreatePrimary() command ( ). As with EGETKEY, the TPM key is derived from the calling enclave's identity. In contrast to SGX, TPM returns a key handle (and optionally the public key and wrapped private key), which is then forwarded to the enclave

for later use ( as and as ). If an enclave wants to sign or encrypt data with the TPM key ( as ), it has to use the corresponding key handle. For persistent secure storage of the wrapped keys, an enclave can rely on the OS to store the data on the hard disk. Creating and using counters is similar to key handling. TPM counters are implemented in the TPM's NVM. Thus, creating a new counter equals creating a new dedicated NVM space with TPM\_NVDefineSpace and returning a handle to that space to the enclave. Via this handle, the enclave can read or increment the TPM-managed counter. In contrast to the SGX counters, these counters cannot be reset [63] and are not limited to Windows [47]. For retrieving the time, TPM's GetTime or Readclock can be used. TPM provides a secure clock signal with the granularity of 30 ns (LPC bus bandwidth is 33 MHz).

SGX Key Generation with TPM. SGX cryptographic keys are derived in the EGETKEY instruction from different combinations of key derivation material (KDM). The KDM consists of a list of enclave-related information and a list of CPU-known values. The enclave information is MRSIGNER (enclave developer's identity), MRENCLAVE (hash of enclave memory pages), ISVSVN (enclave security version number), ISVPRODID (enclave product ID), KEYID (a value supplied by the enclave), KEYNAME (key type), and MASKEDATTRIBUTES (enclave attributes). This information is available in the SECS created by SGX for every enclave. The CPU-specific values are OWNEREPOCH (platform owner identification), CPUSVN (CPU version number), and SEAL\_FUSES (a secret known only to the processor).

A TPM provides adequate secrets and functionality to achieve the same binding of keys as SGX (cf. Figure 1.b). TPM offers TPM2\_OWNERSHIP, which can replace the OWEREPOCH. Hence, if the platform changes the owner, all keys are invalided in the same fashion as for a changed CPU OWEREPOCH. CPUSVN is not a secret value but a counter denoting the current version of the CPU. SGX can share the CPUSVN with the TPM to be used as KDF input. SEAL\_FUSES binds all generated keys to the specific CPU. TPM-generated keys can be bound to the specific TPM through TPM secret seeds (i.e., TPM2\_CreatePrimary command or TPM2\_Create for non-migratable keys). To bind generated keys in TALUS to both platform CPU and TPM, SGX sends a secret derived from SEAL\_FUSES to the TPM as input to the TPM key generation. Lastly, it should be noted that SGX uses an SGX master derivation key (derived using Provisioning Secret) as input to the KDF. However, the purpose is undocumented [24]. We suspect this has to do with AES-CMAC used as PRF in SGX. Since TPM uses SP800-108 as KDF with HMAC as PRF, we do not address the master derivation key for now in our proof-of-concept implementation.

Enclave Authorization (SC2). To ensure that one enclave cannot have unauthorized access to another enclave's TPM entities, TALUS uses TPM's extended authorization policies (EAP). EAP policies are set during the creation of a TPM entity, such as a key. Using an EAP-protected TPM entity requires a successful TPM policy session that fulfills the entity's EAP. The CPU in TALUS dictates the EAP of newly created TPM entities (using its role as TPM driver for

enclaves). It handles the policy sessions with the TPM, hereby supplying the necessary information for authorization from the KDM. With EAP, we can represent the same policies that are reflected in the KDM selection in default SGX. For example, if a key is created with MRSIGNER selected but not MRENCLAVE, *i.e.*, it can be derived by all enclaves of the same developer, we represent this in an EAP that requires the enclave's MRSIGNER value. When using the key, the CPU supplies the current enclave's MRSIGNER value to the TPM policy session. Only if it matches the value set in the EAP at key creation time, that enclave can use the key.

## A.3 Limitations of the TALUS Implementation

Our proof-of-concept implementation demonstrates that TPM and SGX are very amenable for an integration and that this symbiosis is beneficial for enclave security (cf. Section 6 for case studies). Our security discussion motivates further research into more securely integrating coprocessors with CPUs. To create a secure channel between TPM and CPU in our prototype, we depend on the chipset controller and firmware (Intel TXT). For a production deployment, this dependency is not ideal. In the past, Intel TXT was attacked several times [99, 87] through Secure Management Mode (SMM), and Intel had to deploy patches [99] and implement SMM Transfer Mode (STM) [41]. STM is a sandboxed SMM handler using virtualization with VT-x and VT-d. However, it cannot be ruled out that further attacks against SMM or TXT are discovered. Hence, adding SMM or TXT to the TCB is undesirable.

As the TPM is outside the CPU package, it is susceptible to cuckoo attacks [76] when the client (here the CPU) is not assured of talking to the intended TPM chip. In that case, the connection to the TPM can be redirected to an attacker-controlled TPM. In our proof-of-concept implementation, the CPU uses an end-to-end encrypted channel with pre-shared keys to the TPM (TPM\_TakeOwnership). In this setting, the pre-shared key for the CPU is stored by the chipset and provided to the CPU during initialization. Thus, a cuckoo attack does not succeed as long as the TPM and the chipset have not been compromised. However, as argued above, being dependent on the chipset integrity is undesirable as it increases the TCB.

A coprocessor physically integrated into the CPU, such as Microsoft Pluton [70], can remove the dependency on the chipset for a secure, authenticated connection and is promising for securing enclave technology as it does not increase the TCB. While we did not attempt such a tighter integration for the proof-of-concept in this paper, we provide functional objectives and requirements for a secure integration between a coprocessor and enclave that have to be fulfilled indepedently from how the coprocessor and CPU are connected. Our prototype then demonstrates the resulting benefits at the concrete example of TPM and SGX.

|                                              | C        | Cop                     | oroc                          | ess              | sor          | 's           | $\mathbf{T}$ | El      | Εs            |                 |
|----------------------------------------------|----------|-------------------------|-------------------------------|------------------|--------------|--------------|--------------|---------|---------------|-----------------|
| Security Requirements                        | AMD PSP  | Intel PTT in Intel CSME | Google Titan Chip<br>Annle T2 | Microsoft Pluton | Firmware TPM | Hardware TPM | Intel SGX    | AMD SEV | ARM TrustZone | Keystone RISC-V |
|                                              |          |                         |                               |                  |              |              |              |         |               |                 |
| CC. Communication Channel                    |          |                         |                               |                  |              |              |              |         |               |                 |
| + CC1. Secure communication channel with CPU | <b>/</b> | X.                      | x x                           | *                | ×            | ~            | ~            | X       | X             | X               |
| + CC2. No dependencies on external buffers   | X        | *                       | VV                            | *                | X            | X            | X            | X       | X             | X               |
| HC. Horizontal Access Control                | •        | X.                      | <b>X</b> *                    | · 🗸              | <b>~</b>     | <b>/</b>     | <b>~</b>     | ~       | <b>~</b>      | ~               |
| VC. Vertical Access Control                  | X        | ×                       | x x                           | ~                | <b>/</b>     | V            | X            | X       | ٥             | ×               |

**Table 2:** Comparison of Coprocessors and Trusted Execution Environments (TEEs) against security requirements. (✓ = fulfilled; ズ = partially fulfilled; ズ = not fulfilled; ☀ = Unknown)

# Appendix B Extended Requirements Analysis

In this section, we complement our requirements analysis from Section 3 and systematically compare how different solutions for secure coprocessors and TEEs match the requirements defined that Section, and, hence, which pairings of coprocessors and TEEs are most suitable for integration. The considered coprocessors are AMD PSP [1], Intel PTT running in Intel CSME [38], Google Titan [27], Apple T2 [3], Microsoft Pluton, Firmware TPM, and Hardware TPM. For TEEs, we consider Intel SGX [40], AMD SEV, ARM TrustZone, and RISC-V Keystone.

Communication Channel (CC). To briefly recap, for a secure integration between the security coprocessor and the application processor (AP), the communication channel between them must be secured from eavesdropping even in case of physical attacks, e.g., bus sniffing (CC1), and there should not be any dependencies on buffers vulnerable to microarchitectural attacks that can leak sensitive data transferred via the channel (CC2). From Table 2, hardware TPM fulfills CC1 (Hardware TPM CC1: ✓) by supporting end-to-end encrypting the communication with the TPM [91]. However, this channel does not avoid insecure buffers, and decrypted data at the CPU-side might still pass through such buffers. In comparison, AMD PSP also supports only CC1 (PSP CC1: ✓) as it is part of the application processor (AP) package, i.e., physical bus tapping is not feasible. However, secret data is transferred in plaintext and might

|            |                                          | Coprocessors |                         |                   |          |                  | $\mathbf{T}$ | ΕI           | $\Sigma \mathbf{s}$ | ;       |               |                 |
|------------|------------------------------------------|--------------|-------------------------|-------------------|----------|------------------|--------------|--------------|---------------------|---------|---------------|-----------------|
|            | Objectives                               | AMD PSP      | Intel PTT in Intel CSME | Google Titan Chip | Apple T2 | Microsoft Pluton | Firmware TPM | Hardware TPM | Intel SGX           | AMD SEV | ARM TrustZone | Keystone RISC-V |
| SP. Securi | ty Properties                            |              |                         |                   |          |                  |              |              |                     |         |               |                 |
| + SP1.     | Strict hardware isolation                | ~            | •                       | <b>/</b>          | •        | ~                | X            | <b>/</b>     | X                   | X       | X             | X               |
| + SP2.     | Untrusted software dependency            | ~            | •                       | <b>~</b>          | X        | *                | X            | •            | X                   | X       | X             | 0               |
| SSC. Secu  | re Storage Capability                    |              |                         |                   |          |                  |              |              |                     |         |               |                 |
| + SSC1.    | Confidentiality and Integrity of storage | X            | X                       | •                 | 0        | ٥                | •            | ~            | ×                   | X       | ٥             | ×               |
| + SSC2.    | Secure counter / Rollback protection     | X            | X                       | 0                 | 0        | 0                | •            | 1            | 0                   | 0       | X             | X               |

**Table 3:** Comparison of Security Coprocessors and Trusted execution environments (TEEs) against objectives.

pass through insecure buffers. Google Titan and Apple T2 [4,3] fulfill only CC2 (**Titan, Apple T2 CC2:**  $\checkmark$ ) by not releasing secret keys outside their execution environment, i.e., they can never pass through insecure buffers. However, secret data has to be exchanged over an unencrypted channel with the coprocessor for processing (e.g., decryption). None of the TEEs is free of insecure buffers, as demonstrated by recent attacks. Moreover, only SGX can inherently provide a way to establish a secure channel with a coprocessor to the best of our knowledge. Though not inherent to SGX but to Intel CPUs, they support creating an end-to-end encrypted channel between TPM and CPU [25, 46].

Horizontal Access Control (HC). TEEs can host multiple tenants. For example, SGX supports multiple (parallel) enclaves. We defined horizontal access control as a requirement to ensure that AP and coprocessor can distinguish between requests from mutually-untrusted tenants inside a TEE. For instance, one enclave should not be able to access another enclave's data within the coprocessor. A trusted entity, like AP, needs to create access or identity tokens that can identify the TEE tenants. The tokens must be securely communicated to the coprocessor. The coprocessor also needs an understanding of those tokens to control access to managed data and secrets. AMD PSP can distinguish between requests originating from different SEV VMs (PSP HC: ✓). Hardware TPM and Firmware TPM employ extended authorization policies (EAP) that

can utilize such access tokens for access control to TPM-managed objects, like TPM-internal storage and keys (Hardware TPM, Firmware TPM HC:  $\checkmark$ ). Microsoft Pluton is fully compliant with the TPM 2.0 specification [91] (Pluton HC:  $\checkmark$ ). Other coprocessors like Intel PTT, Google Titan, or Apple T2 do not intrinsically differentiate between their callers' identities or access rights. All of the AP-based TEEs can fulfill this requirement because they can uniquely identify different enclave code that they host. They can provide this information on calls to the coprocessor (SGX, SEV, TrustZone, Keystone HC:  $\checkmark$ ). For example, in SGX, this would be the code measurement of the enclave by the CPU, and for ARM TrustZone the trusted OS in the secure world can identify the trusted applications.

Vertical Access Control (VC). As defined in Section 3, both the AP-based TEE technologies and the coprocessor should support access control based on different security levels (e.g., application, OS, or hardware) to prevent non-enclave code from being able to access enclave-owned entities in the coprocessor. The access token to distinguish between different security levels needs to be generated and handled by a secure piece of code and be securely communicated to the coprocessor. Hardware and firmware TPM offer Locality to distinguish between TPM commands originating from different security levels (Hardware TPM, Firmware TPM VC:  $\checkmark$ ), but the locality of a command has to be communicated to the TPM by the CPU or firmware. Microsoft Pluton is TPM compliant in this regard (**Pluton VC:**  $\checkmark$ ). Other coprocessors like AMD PSP, Intel PTT, Google Titan, or Apple T2 do not inherently differentiate between the origin of commands. Among the TEEs, ARM TrustZone CPUs communicate the current security level via a bit on the system-on-chip bus, but this bit has to be communicated on calls to the coprocessor (TrustZone VC: ②). In contrast, SGX, SEV, and Keystone register when they are executing in enclave mode, but this security level is only used CPU-internally (SGX, SEV, Keystone VC: X).

We additionally compare the TEEs and coprocessors regarding their security properties and provisioning of secure storage.

Security Properties (SP). Security properties are broken into Strict hardware isolation and Untrusted software dependencies (see Table 3). SGX uses PTT for certain trusted computing use-cases. PTT is housed inside the CSME [42] and connected through the DMI interface without any security around the communication channel. PTT uses the isolated execution environment powered by a 32-bit processor based on the Intel 486 architecture with a small dedicated SRAM (PTT SP1: ). CSME employs its own TCB OS with its own security ring, completely segregated from the platform security (PTT SP2: ). However, the command buffer for PTT is configured by untrusted software such as the OS. In Section 2.2, we introduced Firmware and Hardware TPM and their features. Hardware TPM is equipped with a low-end 32-bit coprocessor and has access to a small RAM (Hardware TPM SP1: ) and NV-storage. Google Titan [27] is designed and developed using a RISC-V processor combined with

its own memory [29] offering strict hardware isolation (**Titan SP1:**  $\checkmark$ ). The goal of Titan with Android keymaster [30] is to keep the key material secure with no possibility of extracting it from the hardware [31]. The Titan backed keystore does not release keys to the system (**Titan SP2:**  $\checkmark$ ). Apple implements T2 with strict hardware isolation (**T2 SP1:**  $\checkmark$ ). According to Microsoft, Pluton is fully compliant with the TCG TPM 2.0 [92] specification. It uses a dedicated ARM M4 processor with 128 kB of *Tightly Coupled Memory* (TCM) and 64 kB bootloader ROM [90]. This configuration can provide an isolated hardware execution environment (**Pluton SP1:**  $\checkmark$ ). It is also unknown how the Pluton device is exposed to the platform (e.g., as MMIO device) or if any untrusted software dependency is required (e.g., preparing the command buffer) to perform actions on Pluton (**Pluton SP2:** \*).

Secure Storage (SSC). In SGX, support for counters depends on the Platform Service Enclave and Intel ME, which often are not available in SGX production deployments, and already deprecated [47] (SGX SSC2: ♥). Moreover, these counters can be simply reset by reinstalling the SGX platform software [63]. As SGX stores counters inside the BIOS flash storage, they do not persist across system resets [63] (SGX SSC1:X). The NV-storage implemented inside the TPM chip offers complete confidentiality and integrity of storage of secrets (Hardware **TPM SSC1:**  $\checkmark$ ). The aforementioned storage can be used to implement secure counters which also can provide protection against version rollback attacks for both system and third party software, and hardware (Hardware TPM SSC2: ✓). SEV SNP, i.e., SEV with the secure nested paging extion, provides protection against firmware rollback but shows no evidence providing protection against virtual machine state roll back attack as it provides no secure storage capability (SEV SSC2: ❖ and SEV SSC1: ※). Titan provides secure storage for the keys it generates or imports for its client (**Titan SSC1:**  $\checkmark$ ). This storage can also store a secure counter for rollback protection. However, we are unaware of existence of such counters (Titan SSC2: ②). TrustZone does not offer any secure storage facility. Manufacturer, e.g., Microsoft, implement RPMB-based storage to store counters and fuses for other secrets such as device specific OEM keys. However, this storage is only available to system software (TrustZone **SSC1: 3**). While confidentiality and integrity of the T2 storage is given, third party code in the TEE cannot utilize it (**T2 SSC1:**  $\checkmark$ ). T2 implements secure rollback protection only to the firmware, resulting in a limited counter support and rollback protection (T2 SSC2:  $\checkmark$ ). Pluton does not offer any secure storage facility other than programmable fuses to store platform specific cryptographic secrets (Pluton SSC1: ②). These fuses can be used to store counters to provide rollback protection. However, it is doubtful how much this protection can be extended beyond the platform (Pluton SSC2: ②).

# Appendix C Other Platforms

TALUS shows how a co-processor can be integrated with a TEE on x86. In Section 5.1, we present the integration process between a TPM and Intel SGX, and in Section 6 we show the integration use cases. These use cases show that by integrating the functionalities of TPM with Intel SGX, security details, such as the launch key or quoting key, can be protected better. Moreover, TPM provides crucial trusted building blocks (e.g., secure counter) to the TEE.

ARM platforms are not equipped with a TPM. However, Google (with the Titan chip for Android) and Apple (with the Secure Enclave and T2 chip) equipped their ARM platforms with security co-processors to strengthen ARM Trust-Zone's security guarantees. However, these co-processors are still not deeply integrated into ARM TrustZone, with only limited use cases, e.g., disk encryption, key generation, or attestation (see Section 3). ARM TrustZone uses NS bit to distinguish between secure world and non-secure world, providing vertical access control. However, it lacks inherently a secure communication channel, which exists between Secure Enclave and T2. The UUID-based identification of Trusted Applets in TrustZone is by specification not a secure identity and cannot be used to implement horizontal access control. Moreover, TALUS uses the enclave code measurements as identities to control access to TPM objects. ARM TrustZone does not inherently use code measurements to identify secure code but would rely on the secure world OS for this task. Both Google Titan and Apple T2 do not support vertical access control (similar to TPM locality). Establishing secure identities for trusted applets for TrustZone and locality based access control for Google Titan and Apple T2 would be necessary steps towards fulfilling our requirements.

RISC-V is a comparatively new platform and mostly limited to research prototypes. Specific RISC-V core implementations, such as the Boom core [15] and Rocket core [6], allow implementing a special core within the processor called RoCC (Rocket chip coprocessor). RoCC accelerator can provide a secure register-based communication channel. RoCC can directly communicate to the physical core over registers, which can be used to establish a secure channel between keystone enclaves and RoCC. Only Keystone offers horizontal access control through enclave code measurement but not RoCC. RoCC and Keystone both do not support any type of vertical access control similar to TPM locality. However, we believe RISC-V has more implementation efforts than fundamental limitations. RoCC has proven its capability as an accelerator [52, 23] but how much of a security coprocessor can be implemented in RoCC to support our requirements is unclear.