<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Trusted Computing Base Recovery 19 Update in Intel® Software Guard Extensions (Intel® SGX)</title>
    <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Trusted-Computing-Base-Recovery-19-Update/m-p/1708059#M6447</link>
    <description>&lt;P&gt;Due to an implementation oversight associated with the updates Intel made to its security services in mid-May, attestation verification collateral returned by Intel PCS was “over-enforcing” upgrade requirements for platforms potentially impacted by &lt;A href="https://cdrdv2.intel.com/v1/dl/getContent/827044" target="_blank" rel="noopener"&gt;INTEL-TA-01153&lt;/A&gt;, when the web parameter [update] = “early” (or the parameter [tcbEvaluationDataNumber] was specified as 19). Specifically, attestation was requiring a MCU_BIOS_TCBR[1] to return the best response, where a MCU_OSPL_SGX_TCBR[1] should have been sufficient.&lt;/P&gt;
&lt;P&gt;In an update planned for early August 8 pacific time, Intel will update collateral for Ice Lake Xeon-SP (CPUID 606A6), Ice Lake Xeon D (Idaville – CPUID 606C1) and Coffee Lake H / Xeon E / S (CPUID 906ED) to only require the expected MCU_OSPL_SGX_TCBR (other affected products from &lt;A href="https://cdrdv2.intel.com/v1/dl/getContent/827044" target="_blank" rel="noopener"&gt;INTEL-TA-01153&lt;/A&gt; will be updated at a point in the near-future).&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Your Action May be Required:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Following the update (and assuming microcode containing the mitigations has been deployed):&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Infrastructure Providers should obtain new platform PCK Certificates.&lt;/LI&gt;
&lt;LI&gt;Customers who cache attestation verification collateral using a collateral caching service should refresh their cache to store the new collateral. This update should include both updated platform PCK certificates as well as refreshed TCBInfo collateral.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-unlink="true"&gt;[1] reference Key &lt;A href="https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/trusted-computing-base-recovery-attestation.html" target="_blank"&gt;here&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 07 Aug 2025 18:52:12 GMT</pubDate>
    <dc:creator>Scott_R_Intel</dc:creator>
    <dc:date>2025-08-07T18:52:12Z</dc:date>
    <item>
      <title>Trusted Computing Base Recovery 19 Update</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Trusted-Computing-Base-Recovery-19-Update/m-p/1708059#M6447</link>
      <description>&lt;P&gt;Due to an implementation oversight associated with the updates Intel made to its security services in mid-May, attestation verification collateral returned by Intel PCS was “over-enforcing” upgrade requirements for platforms potentially impacted by &lt;A href="https://cdrdv2.intel.com/v1/dl/getContent/827044" target="_blank" rel="noopener"&gt;INTEL-TA-01153&lt;/A&gt;, when the web parameter [update] = “early” (or the parameter [tcbEvaluationDataNumber] was specified as 19). Specifically, attestation was requiring a MCU_BIOS_TCBR[1] to return the best response, where a MCU_OSPL_SGX_TCBR[1] should have been sufficient.&lt;/P&gt;
&lt;P&gt;In an update planned for early August 8 pacific time, Intel will update collateral for Ice Lake Xeon-SP (CPUID 606A6), Ice Lake Xeon D (Idaville – CPUID 606C1) and Coffee Lake H / Xeon E / S (CPUID 906ED) to only require the expected MCU_OSPL_SGX_TCBR (other affected products from &lt;A href="https://cdrdv2.intel.com/v1/dl/getContent/827044" target="_blank" rel="noopener"&gt;INTEL-TA-01153&lt;/A&gt; will be updated at a point in the near-future).&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Your Action May be Required:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Following the update (and assuming microcode containing the mitigations has been deployed):&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Infrastructure Providers should obtain new platform PCK Certificates.&lt;/LI&gt;
&lt;LI&gt;Customers who cache attestation verification collateral using a collateral caching service should refresh their cache to store the new collateral. This update should include both updated platform PCK certificates as well as refreshed TCBInfo collateral.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-unlink="true"&gt;[1] reference Key &lt;A href="https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/trusted-computing-base-recovery-attestation.html" target="_blank"&gt;here&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Aug 2025 18:52:12 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/Trusted-Computing-Base-Recovery-19-Update/m-p/1708059#M6447</guid>
      <dc:creator>Scott_R_Intel</dc:creator>
      <dc:date>2025-08-07T18:52:12Z</dc:date>
    </item>
  </channel>
</rss>

