Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1481 Discussions

EPID Remote Attestation Error: IAS responds with SGX_ERROR_UPDATE_REQUIRED on fully updated system

TomJ
Novice
3,065 Views

OS: Ubuntu-18.04.5 LTS Desktop

Motherboard: MSI MEG Z490I UNIFY

CPU: i7-10700k

CPUID: A0655

Microcode: E2

Intel CSME Version: 14.1.52.1560

Bios Version: 7C77v162

SGX Driver: Intel SGX DCAP v1.9.100.3

SGX SDK: v2.12.100.3

PSW: v2.12.100.3

 

Hello,

I am encountering problems when trying to run the linux-sgx EPID RemoteAttestation sample code found here: https://github.com/intel/linux-sgx/tree/master/SampleCode/RemoteAttestation.

ECDSA completes successfully but EPID fails with:

Error, call sgx_ra_get_msg1_ex fail [main].

Digging into the logs, it looks like the IAS is responding to msg1 with PVE_PROV_ATTEST_KEY_TCB_OUT_OF_DATE (SGX_ERROR_UPDATE_REQUIRED).

I have updated the bios to the latest version which includes the E2 microcode update for my processor and I have also updated CSME to the latest version.

The failing EPID Request ID is: 679aabb77d72415d9ef69a37a8e76df7

Would it be possible for someone at Intel to please shed some light on why my system is being rejected as I believe I am fully up to date? If my system is out of date, what version of microcode is the IAS expecting for my processor so I can contact MSI?

I have seen on other forum posts that the IAS normally responds with the reason why the request has been rejected but I receive no such report. I have also tried the sgx-ra-sample and that fails at the same point with no attestation report shown.

Please see attached sgx-logs.txt file for the output from running the sample code, the aesm service log and the debug internal_log.txt.

Kind regards

Tom

0 Kudos
1 Solution
JesusG_Intel
Moderator
3,022 Views

Hello Tom,


The issue you are experiencing is due to the BIOS.


Please contact your BIOS manufacturer, provide them the info you have already gathered, and work with them to receive an updated BIOS with the required fixes.


From an SGX IAS perspective, it is not a matter of the BIOS version, but the implementation of the BIOS itself.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

0 Kudos
9 Replies
JesusG_Intel
Moderator
3,043 Views

Hello TomJ,


We are escalating your issue to engineering. I will respond as soon as I have an update.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
TomJ
Novice
3,034 Views

Hi Jesus,

Thank you for your prompt response, it is much appreciated. Let me know if you need me to provide more information.

Kind regards

Tom

0 Kudos
JesusG_Intel
Moderator
3,023 Views

Hello Tom,


The issue you are experiencing is due to the BIOS.


Please contact your BIOS manufacturer, provide them the info you have already gathered, and work with them to receive an updated BIOS with the required fixes.


From an SGX IAS perspective, it is not a matter of the BIOS version, but the implementation of the BIOS itself.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
TomJ
Novice
3,018 Views

Hi Jesus,

Thank you for getting back to me. Do you have any further information on how the BIOS should be implemented or what is lacking from the current implementation so I can pass this on to MSI?

Thanks

Tom

0 Kudos
JesusG_Intel
Moderator
3,003 Views

Hello Tom,


We cannot say exactly what is wrong with the BIOS. Your BIOS manufacturer should be able to troubleshoot it.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
TomJ
Novice
2,981 Views

Hi Jesus,

Okay, thank you to you and the engineering team for investigating my issue. I have contacted MSI, hopefully they can get this resolved soon.

Kind regards

Tom

AndrewK
Beginner
2,705 Views

Hi TomJ,

i have a similar problem with BIOS MSI Z490 MPG Gaming Plus.

// "sgx_error_update_need"

*** Motherboards built on the same Z490 chipset and almost 100% the same architecture and BIOS from AMI pass the test. But these are other manufacturers, for example ASUS and ASROCK. I just don't understand how this happens, even if the BIOS is from one manufacturer.

Did you manage to find out something from the MSI coders?

Thanks for attention, I would be very grateful for your information.

Andrew

0 Kudos
TomJ
Novice
2,696 Views

Hi Andrew,

 

They sent me the latest BIOS for my MSI MEG Z490i UNIFY and the Remote EPID Attestation was still failing. As I was still in my 14 day return period, I decided to return my motherboard and purchased an ASUS board instead.

 

MSI's implementation of EPID Remote Attestation seems to be broken and I believed switching to another manufacturer that has implemented this correctly was the best option. With my ASUS board it worked first time, I am now communicating with them to resolve the final security advisories.

 

Sorry for the bad news.

 

Tom

0 Kudos
JesusG_Intel
Moderator
2,960 Views

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Reply