For those who don't know, SGX allows the software to run in a safe corner of the processor. The safe areas have their memory and are isolated from other system software like hypervisors and the operating system.
Ohio State University researchers have uncovered a new variant of the Spectre vulnerability dubbed SgxPectre. It allows the safe areas created by SGX to be cracked and show that Chipzilla's SGX goes to pieces so fast that people can be killed by the shrapnel.
The research paper explains the SgxPectre vulnerability abuses this branch prediction ability to tease information out of the safe area created by SGX. Intel issued this statement in response:
“We are aware of the research paper from Ohio State and have previously provided information and guidance online about how Intel SGX may be impacted by the side channel analysis vulnerabilities. We anticipate that the existing mitigations for Spectre and Meltdown, in conjunction with an updated software development toolkit for SGX application providers -- which we plan to begin making available on March 16th -- will be effective against the methods described in that research. We recommend customers make sure they are always using the most recent version of the toolkit.”
The ray of light is, as the original Meltdown-Spectre vulnerabilities themselves, SgxPectre can be mitigated over time. This mitigation will come on March 16th in the form of a new SGX software development kit (SDK) and microcode updates for affected microprocessors. Let's just pray Intel gets it right out of the gate this time, unlike the first attempt.