OS: Ubuntu-18.04.5 LTS Desktop
Motherboard: MSI MEG Z490I UNIFY
CPU: i7-10700k
CPUID: A0655
Microcode: E2
Intel CSME Version: 14.1.52.1560
BIOS Version: 7C77v162
SGX Driver: Intel SGX DCAP v1.9.100.3
SGX SDK: v2.12.100.3
PSW: v2.12.100.3
Hello,
I am encountering problems when trying to run the linux-sgx EPID RemoteAttestation sample code found here: https://github.com/intel/linux-sgx/tree/master/SampleCode/RemoteAttestation.
ECDSA completes successfully but EPID fails with:
Error, call sgx_ra_get_msg1_ex fail [main].
Digging into the logs, it looks like the IAS is responding to msg1 with PVE_PROV_ATTEST_KEY_TCB_OUT_OF_DATE (SGX_ERROR_UPDATE_REQUIRED).
I have updated the BIOS to the latest version, which includes the E2 microcode update for my processor, and I have also updated CSME to the latest version.
The failing EPID Request ID is: 679aabb77d72415d9ef69a37a8e76df7
Would it be possible for someone at Intel to please shed some light on why my system is being rejected as I believe I am fully up to date? If my system is out of date, what version of microcode is the IAS expecting for my processor so I can contact MSI?
I have seen on other forum posts that the IAS normally responds with the reason why the request has been rejected but I receive no such report. I have also tried the sgx-ra-sample and that fails at the same point with no attestation report shown.
Please see attached sgx-logs.txt file for the output from running the sample code, the aesm service log and the debug internal_log.txt.
Kind regards
Tom
Hello TomJ,
We are escalating your issue to engineering. I will respond as soon as I have an update.
Sincerely,
Jesus G.
Intel Customer Support
Hi Jesus,
Thank you for your prompt response, it is much appreciated. Let me know if you need me to provide more information.
Kind regards
Tom
Hello Tom,
The issue you are experiencing is due to the BIOS.
Please contact your BIOS manufacturer, provide them the info you have already gathered, and work with them to receive an updated BIOS with the required fixes.
From an SGX IAS perspective, it is not a matter of the BIOS version, but the implementation of the BIOS itself.
Sincerely,
Jesus G.
Intel Customer Support
Hi Jesus,
Thank you for getting back to me. Do you have any further information on how the BIOS should be implemented or what is lacking from the current implementation so I can pass this on to MSI?
Thanks
Tom
Hello Tom,
We cannot say exactly what is wrong with the BIOS. Your BIOS manufacturer should be able to troubleshoot it.
Sincerely,
Jesus G.
Intel Customer Support
Hi Jesus,
Okay, thank you to you and the engineering team for investigating my issue. I have contacted MSI; hopefully they can get this resolved soon.
Kind regards
Tom
Hi TomJ,
I have a similar problem with BIOS MSI Z490 MPG Gaming Plus.
// "sgx_error_update_need"
*** Motherboards built on the same Z490 chipset and almost 100% the same architecture and BIOS from AMI pass the test. But these are other manufacturers, for example ASUS and ASROCK. I just don't understand how this happens, even if the BIOS is from one manufacturer.
Did you manage to find out something from the MSI coders?
Thanks for your attention, I would be very grateful for your information.
Andrew
Hi Andrew,
They sent me the latest BIOS for my MSI MEG Z490i UNIFY and the Remote EPID Attestation was still failing. As I was still in my 14-day return period, I decided to return my motherboard and purchased an ASUS board instead.
MSI's implementation of EPID Remote Attestation seems to be broken and I believed switching to another manufacturer that has implemented this correctly was the best option. With my ASUS board it worked first time; I am now communicating with them to resolve the final security advisories.
Sorry for the bad news.
Tom
Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.