Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

CPU has latest microcode, but Attestation Service claims an update is needed

dcerezo
Novice

I have a server running Ubuntu 18.04.5 LTS with an Intel® Core™ i3-9100 CPU @ 3.60GHz. On 11 November 2020, I updated to the latest microcode:

dcerezo@sgxnode:~/Desktop/sgx-ra-sample$ apt show intel-microcode
Package: intel-microcode
Version: 3.20201110.0ubuntu0.18.04.2
Priority: extra
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 3.532 kB
Depends: iucode-tool (>= 1.0)
Recommends: initramfs-tools (>= 0.113~)
Conflicts: microcode.ctl (<< 0.18~0)
Homepage: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
Supported: 5y
Download-Size: 2.742 kB
APT-Manual-Installed: yes
APT-Sources: http://es.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
Description: Processor microcode firmware for Intel CPUs
This package contains updated system processor microcode for
Intel i686 and Intel X86-64 processors. Intel releases microcode
updates to correct processor behavior as documented in the
respective processor specification updates.
.
For AMD processors, please refer to the amd64-microcode package.

N: There is 1 additional record. Please use the '-a' switch to see it


I remember that after updating the microcode and rebooting, sgx-ra-sample was notifying me about INTEL-SA-00334, as expected according to your guide posted in this forum.
However, 3 weeks later, sgx-ra-sample is notifying me about the advisories that the latest microcode was supposed to solve:

---- IAS Report - JSON - Optional Fields -----------------------------------
platformInfoBlob = 150200650400010000111102040180070000000000000000000B00000B000000020000000000000BE7698CFFD568E70C7C00FB3917451594DBB561CE03D3B9C748140E8A26851DB0598EAC125E2656069694156CE8E4BFA6A2FD41473BF45C70EA47BA285D3CE760AD
revocationReason =
pseManifestStatus =
pseManifestHash =
nonce =
epidPseudonym =
advisoryURL = https://security-center.intel.com
advisoryIDs = INTEL-SA-00381,INTEL-SA-00389
----------------------------------------------------------------------------
+++ Verifying report version against API version

---- ISV Enclave Trust Status ----------------------------------------------
Enclave NOT TRUSTED and COMPLICATED - Reason: GROUP_OUT_OF_DATE
A Platform Info Blob (PIB) was provided by the IAS

---- Platform Update Required ----------------------------------------------
The following Platform Update(s) are required to bring this
platform's Trusted Computing Base (TCB) back into compliance:

* The CPU Microcode needs to be updated. Contact your OEM for a platform
BIOS Update.

----------------------------------------------------------------------------


As you can check, the computer has the latest microcode installed:

dcerezo@sgxnode:~/Desktop$ wget "https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/main/intel-ucode/06-9e-0b"
--2020-11-27 18:13:21-- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/main/intel-ucode/06-9e-0b
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/intel/Intel-Linux-Processor-Microcode-Data-Files/main/intel-ucode/06-9e-0b [following]
--2020-11-27 18:13:21-- https://raw.githubusercontent.com/intel/Intel-Linux-Processor-Microcode-Data-Files/main/intel-ucode/06-9e-0b
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.132.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104448 (102K) [application/octet-stream]
Saving to: ‘06-9e-0b’

06-9e-0b 100%[===================>] 102,00K --.-KB/s in 0,03s

2020-11-27 18:13:21 (3,56 MB/s) - ‘06-9e-0b’ saved [104448/104448]

dcerezo@sgxnode:~/Desktop$ od -t x4 06-9e-0b | head -n 1
0000000 00000001 000000de 05252020 000906eb
dcerezo@sgxnode:~/Desktop/sgx-ra-sample$ dmesg | grep "microcode: sig="
[ 1.100308] microcode: sig=0x906eb, pf=0x2, revision=0xde


This is a contradiction: how could the CPU need to be updated, when the CPU has the latest microcode?

1 Solution
JesusG_Intel
Moderator

Hello Ben,


The microcode files available from the Intel Linux Processor Microcode Files GitHub repository are OS microcode updates, but SGX mitigations require early load microcode available in BIOS.


Follow these steps to mitigate SGX issues:

  1. Refer to your OEM to get the latest BIOS and inquire if it has the latest microcode with the required fixes implemented.
  2. Install the early load microcode that comes with the latest BIOS from the OEM.


The article, Loading Microcode from the OS, contains more information on the different types of microcode.


Sincerely,

Jesus G.

Intel Customer Support
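
The distinction drawn in the answer above can be checked from the OS side. The following is an added example, not part of the original thread and not Intel's code: it compares the revision in a microcode file with the running revision and reports whether the kernel log shows the OS applying that revision itself. The function names, the constructed sample inputs, and the kernel message formats matched here ("microcode updated early to revision", "updated to revision") are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Update-revision field of an Intel microcode file: bytes 4-7, little-endian
# (the second word of the `od -t x4` output shown in the question).
ucode_file_rev() {
    od -An -t x1 -j 4 -N 4 "$1" |
        awk '{ r = $4 $3 $2 $1; sub(/^0+/, "", r); print "0x" r }'
}

# Reads kernel log text on stdin and prints "<origin> <running revision>".
# Assumed kernel message formats: "microcode updated early to revision 0x.."
# for an initramfs load, "updated to revision 0x.." for a late load.
# No such line means the kernel found the revision already in place.
ucode_origin() {
    awk '
        function grab(re) { match($0, re); rev = substr($0, RSTART + 9, RLENGTH - 9) }
        /microcode: microcode updated early to revision/ { origin = "os-early" }
        /microcode: updated to revision 0x/ { origin = "os-late"; grab("revision 0x[0-9a-f]+") }
        /microcode: sig=.*revision=0x/      { grab("revision=0x[0-9a-f]+") }
        END { if (rev == "") exit 1; if (origin == "") origin = "firmware"; print origin, rev }'
}

# $1 = microcode file, kernel log on stdin. Prints one verdict line.
ucode_check() {
    file_rev=$(ucode_file_rev "$1")
    result=$(ucode_origin) || { echo "unknown"; return 1; }
    origin=${result% *}; run_rev=${result#* }
    if [ "$run_rev" != "$file_rev" ]; then
        echo "mismatch: running $run_rev, file $file_rev"
    elif [ "$origin" = firmware ]; then
        echo "firmware $run_rev: kernel did not replace the boot-time revision"
    else
        echo "$origin $run_rev: loaded by the OS over an older BIOS revision"
    fi
}

# Constructed samples: first 8 header bytes (version 1, revision 0xde) and
# two log lines in the assumed kernel format.
sample_ucode() { printf '\001\000\000\000\336\000\000\000' > "$1"; }
sample_dmesg() {
    printf '%s\n' \
        '[    0.000000] microcode: microcode updated early to revision 0xde, date = 2020-05-25' \
        '[    1.100308] microcode: sig=0x906eb, pf=0x2, revision=0xde'
}

f=$(mktemp) && sample_ucode "$f" && sample_dmesg | ucode_check "$f"; rm -f "$f"
```

On a real host, run it as `dmesg | ucode_check 06-9e-0b`. An `os-early` or `os-late` verdict is the case the answer describes: the revision matches the published file, but it did not come from the BIOS.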



dcerezo
Novice

Hi Jesus,

Thank you for confirming that a BIOS update is absolutely necessary and an OS microcode update is not enough: hopefully, the motherboard manufacturer will provide an update sooner now that there is less confusion about this issue.

JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.