
I'm kind of confused by AMD's and Intel's response. I thought both companies were building technology that allows datacenter operators to prove to their customers that they do not have access to data processed on the machines, despite having physical access to them. If that's out of scope, what is the purpose of these technologies?


For Intel it's not out of scope, it's just that the specific CPUs they attacked fall into a tech mid-point in which Intel temporarily descoped bus interposers from the threat model to pivot in the market towards encrypting much larger memory spaces. From Alder Lake onwards they fixed the issue in a different way from classic "client SGX" which had the most cryptographically robust protections and is not vulnerable to this attack, but which imposed higher memory access costs that scaled poorly as size of protected RAM grew.

For AMD they just haven't invested as much as Intel and it's indeed out of scope for them. The tech still isn't useless though, there are some kinds of attacks that it blocks.


You've mentioned multiple times on this thread that Intel has a fix for this in their latest CPUs, but I haven't seen that called out anywhere else... I've only seen the idea that latest CPUs use DDR5 (which also is true of AMD SEV-SNP's EPYC 9005) and so happen to be too difficult (for now) for either the teams of Battering RAM or WireTap?


Look at their advisory. It says:

> Use of cryptographic integrity protection mode of Intel® Total Memory Encryption - Multi-Key (Intel® TME-MK) can provide additional protection against alias-based attacks, such as those outlined in the Battering RAM paper. This feature is available on 5th Generation Intel® Xeon® processors (formerly codenamed Emerald Rapids) and Intel® Xeon® 6 processor family with P-cores (formerly codenamed Granite Rapids).

I guess it depends how you interpret "additional protection". But look at the website. They say none of their attacks work on TDX. Only "Scalable SGX".

However, TME-MK is indeed still vulnerable to other kinds of attacks like replay attacks. It isn't going to be as strong as the original SGX design. Unfortunately, as I explain in my other comment, the original SGX design is a kind of theoretical ideal that expects people to make software redesign efforts to benefit from it and the market just has no stomach for much extra spending on security or privacy right now.


Ok, I see: it isn't TME-MK that does it alone -- that is covered by the paper, even, as insufficient -- but this extra "cryptographic integrity protection mode", which is separate and yet not given a fancy name.

> Furthermore, TDX adds cryptographic integrity via a 28-bit MAC in ECC bits [19, 47].

> While the logical integrity could be bypassed by aliasing between two different TDs, as demonstrated in Section 5, the cryptographic integrity remains robust against simple aliasing attacks. This is because, while an interposer enables replay of the data bits containing the ciphertext, it cannot be used to replay the ECC bits, which store the cryptographic MAC. Replaying both data and ECC bits, while theoretically possible, would require a full-fledged interposer capable of intercepting and replaying the data contents. Such an interposer poses significantly higher engineering challenges.

Even this is only sort of better, in that it isn't actually secure against a truly evil RAM chip: it just happens to be using a feature of the RAM chip that narrowly defeats this particular form of command address override attack... but, though, that's still pretty reasonable, as the only reason this attack could be so cheap to build is because of its limitations.

Thanks!!
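A toy simulation of the two points made above (the quoted paper's observation that an address-bound MAC in the ECC bits defeats simple aliasing, and the earlier comment's caveat that such a MAC alone does not stop replay of a stale line), added here as an illustration; it is not code from the thread, the Battering RAM paper, or Intel. It assumes a simplified model: each line is stored as (ciphertext, MAC), the MAC is a 28-bit truncated HMAC (the width the quoted paper attributes to TDX), an aliasing interposer is modelled as the DRAM returning another row's contents, and the optional per-line version counter stands in for the counter/integrity-tree designs that also detect replay. The key and data are constructed.

```python
import hashlib
import hmac

# Constructed, deterministic demo key; a real controller key would be secret and per-boot.
KEY = b"constructed-demo-key-not-secret!"
MAC_BITS = 28    # width the quoted paper attributes to the TDX ECC-bit MAC
LINE_BYTES = 64


def line_mac(key: bytes, address: int, ciphertext: bytes, version: int) -> int:
    """Truncated HMAC binding a ciphertext line to its physical address and a version."""
    msg = address.to_bytes(8, "little") + version.to_bytes(8, "little") + ciphertext
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


class IntegrityMemory:
    """Simulated encrypted DRAM plus the controller-side integrity check (toy model).

    use_versions=False: address-bound MAC only (aliasing detected, stale replay not).
    use_versions=True: a per-line counter kept off the bus is mixed into the MAC,
    a simplified stand-in for counter/integrity-tree designs that detect replay.
    """

    def __init__(self, use_versions: bool = False):
        self.dram = {}        # address -> (ciphertext, mac): visible to an interposer
        self.versions = {}    # address -> counter: assumed to live on the CPU side
        self.use_versions = use_versions

    def _version(self, address: int) -> int:
        return self.versions.get(address, 0) if self.use_versions else 0

    def write(self, address: int, ciphertext: bytes) -> None:
        assert len(ciphertext) == LINE_BYTES
        if self.use_versions:
            self.versions[address] = self.versions.get(address, 0) + 1
        mac = line_mac(KEY, address, ciphertext, self._version(address))
        self.dram[address] = (ciphertext, mac)

    def read(self, address: int, served_from=None, served_line=None) -> bytes:
        """Read `address`, verifying the MAC the controller expects for that address.

        served_from models an aliasing interposer returning another row's contents;
        served_line models a previously captured (ciphertext, mac) pair being replayed.
        """
        if served_line is not None:
            ciphertext, mac = served_line
        else:
            ciphertext, mac = self.dram[address if served_from is None else served_from]
        if mac != line_mac(KEY, address, ciphertext, self._version(address)):
            raise ValueError(f"integrity violation reading {address:#x}")
        return ciphertext


def aliasing_detected(use_versions: bool = False) -> bool:
    """Row 0x2000 is served when the controller asks for 0x1000; the address-bound MAC fails."""
    mem = IntegrityMemory(use_versions)
    mem.write(0x1000, b"A" * LINE_BYTES)
    mem.write(0x2000, b"B" * LINE_BYTES)
    try:
        mem.read(0x1000, served_from=0x2000)
    except ValueError:
        return True
    return False


def replay_detected(use_versions: bool) -> bool:
    """A stale (ciphertext, mac) pair for 0x1000 is served after the line was rewritten."""
    mem = IntegrityMemory(use_versions)
    mem.write(0x1000, b"old".ljust(LINE_BYTES, b"\x00"))
    stale = mem.dram[0x1000]                      # captured before the rewrite
    mem.write(0x1000, b"new".ljust(LINE_BYTES, b"\x00"))
    try:
        mem.read(0x1000, served_line=stale)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("aliasing detected (MAC only):      ", aliasing_detected(False))
    print("stale replay detected (MAC only):  ", replay_detected(False))
    print("stale replay detected (MAC+counter):", replay_detected(True))
```

The first call shows why the paper calls the cryptographic integrity "robust against simple aliasing attacks": the MAC is computed over the address the controller asked for, so a line fetched from a different row fails the check without any need to protect the ECC bits separately. The second call shows the limitation raised earlier in the thread: a MAC that binds only address and ciphertext accepts an older valid pair for the same address, which is why replay protection needs per-line freshness state that the bus cannot observe, as in the third call.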


I’ve always assumed it’s a long-term goal for total DRM.


Remote attestation of our personal devices, including computers, the apps we run and the media we play on them.

The server side also has to be secure for the lock-in to be effective.


Security theater, mostly.


TEEs don't work, period.

FHE does (ok, it's much slower for now).


Why do you say TEEs don’t work at all?


TEEs, as they're marketed, require a true black box. True black boxes do not exist, as a property of the rules of our universe.

You can ALWAYS break them, it's just a matter of cost, even assuming they're perfectly designed and have no design/implementation flaws. And they're often not perfectly designed, sometimes requiring no physical hardware tampering.


The point of security efforts is to make an attacker's life harder, not to construct perfect defenses (because there's no such thing, as you've noted).

TEEs make attackers' lives harder. Unless you can find a way to make your interposer invisible and undetectable, the value is limited.


Quantum mechanics with its non-copy property implies that a true black box can be created.
