What is group sgx (999)?
After the recent update a new system group sgx was added. As it is not in the arch linux doc, what is it about? Is it legit? What program installs it?
Edit:
[2021-04-06T20:32:55+0200] [ALPM] running '20-sysusers.hook'...
[2021-04-06T20:32:55+0200] [ALPM-SCRIPTLET] Creating group sgx with gid 999.
The file that installs the group is 20-sysusers.hook, but when I search for the esysusers package that contains it, I get "No matching packages found". Please update your database.
I'd prefer control over the groups I add. I don't user software guard extensions (if that's what it is about), it is disabled in my BIOS and in my kernel.
Edit:
It is a split package, part of xudev.
Edit:
From xudev/src/systemd-stable/NEWS (I had to download the entire source for this):
* Intel SGX enclave device nodes (which expose a security feature of
newer Intel CPUs) will now be owned by a new system group "sgx".
According to my search, Intel SGX may be a security risk:
https://arstechnica.com/information-technology/2020/03/hackers-can-steal-secret-data-stored-in-intels-sgx-secure-enclave/
There is more. As I said, I disabled it, and I want a choice of adding groups or not.
Edit: Is this relevant for esysusers, or elogind, or the soon-to-come xudev?
* /dev/ is not mounted noexec anymore. This didn't provide any
significant security benefits and would conflict with the executable
mappings used with /dev/sgx device nodes. The previous behaviour can
be restored for individual services with NoExecPaths=/dev (or by allow-
listing and excluding /dev from ExecPaths=).
This should probably go into logind.conf. According to /proc/mounts, my /dev is
dev /dev devtmpfs rw,nosuid,relatime,size=10240k,nr_inodes=944475,mode=755 0 0
This is the first time I learn that it could be mounted noexec.
Topic: What is group sgx (999)? (Read 1844 times)
previous topic - next topic
