Solved: EPID Remote Attestation Error: IAS responds with SGX_ERROR_UPDATE_REQUIRED on fully updated system

TomJ · ‎02-01-2021

OS: Ubuntu-18.04.5 LTS Desktop

Motherboard: MSI MEG Z490I UNIFY

CPU: i7-10700k

CPUID: A0655

Microcode: E2

Intel CSME Version: 14.1.52.1560

Bios Version: 7C77v162

SGX Driver: Intel SGX DCAP v1.9.100.3

SGX SDK: v2.12.100.3

PSW: v2.12.100.3

Hello,

I am encountering problems when trying to run the linux-sgx EPID RemoteAttestation sample code found here: https://github.com/intel/linux-sgx/tree/master/SampleCode/RemoteAttestation.

ECDSA completes successfully but EPID fails with:

Error, call sgx_ra_get_msg1_ex fail [main].

Digging into the logs, it looks like the IAS is responding to msg1 with PVE_PROV_ATTEST_KEY_TCB_OUT_OF_DATE (SGX_ERROR_UPDATE_REQUIRED).

I have updated the bios to the latest version which includes the E2 microcode update for my processor and I have also updated CSME to the latest version.

The failing EPID Request ID is: 679aabb77d72415d9ef69a37a8e76df7

Would it be possible for someone at Intel to please shed some light on why my system is being rejected as I believe I am fully up to date? If my system is out of date, what version of microcode is the IAS expecting for my processor so I can contact MSI?

I have seen on other forum posts that the IAS normally responds with the reason why the request has been rejected but I receive no such report. I have also tried the sgx-ra-sample and that fails at the same point with no attestation report shown.

Please see attached sgx-logs.txt file for the output from running the sample code, the aesm service log and the debug internal_log.txt.

Kind regards

Tom

JesusG_Intel · ‎02-02-2021

Hello Tom,

The issue you are experiencing is due to the BIOS.

Please contact your BIOS manufacturer, provide them the info you have already gathered, and work with them to receive an updated BIOS with the required fixes.

From an SGX IAS perspective, it is not a matter of the BIOS version, but the implementation of the BIOS itself.

Sincerely,

Jesus G.

Intel Customer Support

View solution in original post

JesusG_Intel · ‎02-01-2021

Hello TomJ,

We are escalating your issue to engineering. I will respond as soon as I have an update.

Sincerely,

Jesus G.

Intel Customer Support

TomJ · ‎02-02-2021

Hi Jesus,

Thank you for your prompt response, it is much appreciated. Let me know if you need me to provide more information.

Kind regards

Tom

JesusG_Intel · ‎02-02-2021

Hello Tom,

The issue you are experiencing is due to the BIOS.

Please contact your BIOS manufacturer, provide them the info you have already gathered, and work with them to receive an updated BIOS with the required fixes.

From an SGX IAS perspective, it is not a matter of the BIOS version, but the implementation of the BIOS itself.

Sincerely,

Jesus G.

Intel Customer Support

View solution in original post

TomJ · ‎02-02-2021

Hi Jesus,

Thank you for getting back to me. Do you have any further information on how the BIOS should be implemented or what is lacking from the current implementation so I can pass this on to MSI?

Thanks

Tom

JesusG_Intel · ‎02-02-2021

Hello Tom,

We cannot say exactly what is wrong with the BIOS. Your BIOS manufacturer should be able to troubleshoot it.

Sincerely,

Jesus G.

Intel Customer Support

TomJ · ‎02-04-2021

Hi Jesus,

Okay, thank you to you and the engineering team for investigating my issue. I have contacted MSI, hopefully they can get this resolved soon.

Kind regards

Tom

JesusG_Intel · ‎02-05-2021

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.