undefined | Better HN

0 pointsCyph0n9y ago0 comments

No, that's different. The crypto is done in hardware, yes, but keys and plaintext are still seen in software, and software is inherently untrusted. Our aim is to support use cases where you do not want software to handle anything.

I think Intel's SGX is a better solution for hardware-supported software isolation, but it still isn't widespread and has a number of weaknesses.

0 comments

amluto9y ago

> I think Intel's SGX is a better solution for hardware-supported software isolation, but it still isn't widespread and has a number of weaknesses.

It's not really usable at all right now, but I'm cautiously optimistic that a version of Linux coming soon will support it on a CPU coming eventually.

(The relevant CPU feature is IA32_SGXLEPUBKEYHASH. Until that feature is available, SGX is every bit as worthlessly locked down as the worst GlobalPlatform gadgets IMO.)

Kaby Lake does not appear to have this feature.

j / k navigate · click thread line to collapse