Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Enclave Not Trusted with INTEL-SA-00289, INTEL-SA-00334

xunf
Novice
‎09-02-2021 10:22 PM
1,885 Views
Solved Jump to solution

Hi,

 

I have tried the recommendations in JesusG's pinned posts whatever possible, but still get the Enclave Not Trusted with SA 00289 and 00334. This issue has not been raised in the community forum nor the sgx-ra-sample Github repository in the last few months. I am wondering if it has been already mitigated.

 

---- IAS Report - JSON - Optional Fields -----------------------------------

platformInfoBlob  = 1502006500000800000B0B02020280040000000000000000000C00000C000000020000000000000C1726388976070505C4998F39FEC351A09857187C40880889BE5CBC1EB00A7F06FF0315981C555070C243ADEA5849E242CA8B0C6B9180A895EBA9FA2B6C12C89239

revocationReason  =

pseManifestStatus =

pseManifestHash   =

nonce             =

epidPseudonym     = abfdIAgc9PlX9IaVpdKC2grH8qWnrUxJHrO/nt+iKmMWH6SAEELRH9MR3fgCDqOQbngSlfLUk5qpoFosOLj3SMcEUCOJOHztu9QF9coV0WJ97WzA26kQaUuQKB9fOhZvkqdkLZGLtrwsZ66yRrkgpdeUOl5e+YHhun434z0y1Ks=

advisoryURL       = https://security-center.intel.com

advisoryIDs       = 0 ?UINTEL-SA-00289,INTEL-SA-00334

----------------------------------------------------------------------------

+++ Verifying report version against API version

 

---- ISV Enclave Trust Status ----------------------------------------------

Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED

A Platform Info Blob (PIB) was provided by the IAS

 

 

I built and installed the SGX SDK and PSW 2.14 released in July. SDK is built with the default option ($ make sdk). And my machine is Dell Optiplex 7080 running Ubuntu20.04, Linux Kernel 5.11 with in-kernel driver exposed.

 

The latest Dell BIOS update on 23 Aug still does not expose the Overclocking bits.

 

Best regards

 

Labels (2)
Labels:
0 Kudos
1 Solution
JesusG_Intel
Moderator
‎09-03-2021 07:33 AM
1,864 Views
Solved Jump to solution

Hello xunf,

 

This article will help.

 

Receiving ISV Enclave Trust Status as "Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED" During Remote Attestation

 

If the overclocking bit is not exposed in the BIOS then SA-00289 cannot be mitigated.

 

If a processor is affected by SA-00334 (LVI), Intel Attestation Service (IAS) will always reply with at least SW_HARDENING_NEEDED. IAS cannot determine if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up to date or not.

 

All Security Advisories must be mitigated in order to remove any of the advisories. If you mitigate only one of the security advisories, it will still show up because not all of them were mitigated.

 

Sincerely,

Jesus G.

Intel Customer Support

 

View solution in original post

Copy link

Link Copied

5 Replies
JesusG_Intel
Moderator
‎09-03-2021 07:33 AM
1,865 Views
Solved Jump to solution

Hello xunf,

 

This article will help.

 

Receiving ISV Enclave Trust Status as "Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED" During Remote Attestation

 

If the overclocking bit is not exposed in the BIOS then SA-00289 cannot be mitigated.

 

If a processor is affected by SA-00334 (LVI), Intel Attestation Service (IAS) will always reply with at least SW_HARDENING_NEEDED. IAS cannot determine if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up to date or not.

 

All Security Advisories must be mitigated in order to remove any of the advisories. If you mitigate only one of the security advisories, it will still show up because not all of them were mitigated.

 

Sincerely,

Jesus G.

Intel Customer Support

 

Copy link
JesusG_Intel
Moderator
‎09-09-2021 08:48 PM
1,815 Views
Solved Jump to solution

Hello xunf,

 

Do you still need help with this issue?

 

Sincerely,

Jesus G.

Intel Customer Support

 

0 Kudos
Copy link
xunf
Novice
‎09-10-2021 12:08 AM
1,803 Views
Solved Jump to solution

Hi Jesus G,

 

Thank you for the reply. I guess then there is no way for me to make it work on my machine unless Dell provides fixes in the future. Do you know any cloud services on which the ra-sample can run correctly? I am interested in developing software with remote attestation support and needs a way to test the performance of it.

 

Best regards,

xunf

0 Kudos
Copy link
JesusG_Intel
Moderator
‎09-10-2021 09:15 AM
1,795 Views
Solved Jump to solution

Hello xunf,


The sgx-ra-sample with remote attestation is running correctly on your Dell. What you are finding are the security vulnerabilities found by IAS. Everything is working as it should. Your SGX platform sent a quote to the IAS and the IAS reported what it found to the service provider. Now the service provider needs to decide whether to trust the platform.


It is up to your trust policy whether to trust the platform based on the report. Many customers receive security advisories from IAS and choose to trust the platform anyway.


You can run the sgx-ra-sample on Microsoft Azure and IBM cloud.


Sincerely,

Jesus G.

Intel Customer Support


Copy link
xunf
Novice
‎09-12-2021 10:13 PM
1,722 Views
Solved Jump to solution
In response to JesusG_Intel

Thank you. I get it now.

 

Best regards,

xunf

In response to JesusG_Intel
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.