APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…
How can you have data that even the kernel can't peek at?
This feature is supported by many recent Intel CPUs, and it provides a way for the operating system kernel to "seal" a chunk of code and data into a physical block of RAM so as to form what's known as an enclave, much like the special security chips in mobile phones that are used to store secrets such as decryption keys.
The researchers behind the ÆPIC Leak paper discovered that, by arranging to read out APIC data via a cunning and unusual sequence of memory accesses, they could trick the processor into filling up the APIC MMIO space not only with data freshly received from the APIC itself, but also with data that just happened to have been used by the CPU recently for some other purpose.
Regular users can't access the APIC MMIO data block, and therefore have no way of peeking at anything at all in there, let alone secret data that might have leaked out from an SGX enclave.