Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Enclave Not Trusted with INTEL-SA-00289, INTEL-SA-00334

xunf
Beginner

Hi,

 

I have tried the recommendations in JesusG's pinned posts wherever possible, but still get the Enclave Not Trusted with SA 00289 and 00334. This issue has not been raised in the community forum or the sgx-ra-sample GitHub repository in the last few months. I am wondering if it has already been mitigated.

 

---- IAS Report - JSON - Optional Fields -----------------------------------

platformInfoBlob  = 1502006500000800000B0B02020280040000000000000000000C00000C000000020000000000000C1726388976070505C4998F39FEC351A09857187C40880889BE5CBC1EB00A7F06FF0315981C555070C243ADEA5849E242CA8B0C6B9180A895EBA9FA2B6C12C89239

revocationReason  =

pseManifestStatus =

pseManifestHash   =

nonce             =

epidPseudonym     = abfdIAgc9PlX9IaVpdKC2grH8qWnrUxJHrO/nt+iKmMWH6SAEELRH9MR3fgCDqOQbngSlfLUk5qpoFosOLj3SMcEUCOJOHztu9QF9coV0WJ97WzA26kQaUuQKB9fOhZvkqdkLZGLtrwsZ66yRrkgpdeUOl5e+YHhun434z0y1Ks=

advisoryURL       = https://security-center.intel.com

advisoryIDs       = 0 ?UINTEL-SA-00289,INTEL-SA-00334

----------------------------------------------------------------------------

+++ Verifying report version against API version

 

---- ISV Enclave Trust Status ----------------------------------------------

Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED

A Platform Info Blob (PIB) was provided by the IAS

 

 

I built and installed the SGX SDK and PSW 2.14 released in July. The SDK is built with the default option ($ make sdk). My machine is a Dell Optiplex 7080 running Ubuntu 20.04, Linux kernel 5.11 with the in-kernel driver exposed.

 

The latest Dell BIOS update on 23 Aug still does not expose the Overclocking bits.

 

Best regards

 

JesusG_Intel
Moderator

Hello xunf,

 

This article will help.

 

Receiving ISV Enclave Trust Status as "Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED" During Remote Attestation

 

If the overclocking bit is not exposed in the BIOS then SA-00289 cannot be mitigated.

 

If a processor is affected by SA-00334 (LVI), Intel Attestation Service (IAS) will always reply with at least SW_HARDENING_NEEDED. IAS cannot determine if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up to date or not.

 

All Security Advisories must be mitigated in order to remove any of the advisories. If you mitigate only one of the security advisories, it will still show up because not all of them were mitigated.

 

Sincerely,

Jesus G.

Intel Customer Support

 


JesusG_Intel
Moderator

Hello xunf,

 

Do you still need help with this issue?

 

Sincerely,

Jesus G.

Intel Customer Support

 

xunf
Beginner

Hi Jesus G,

 

Thank you for the reply. I guess then there is no way for me to make it work on my machine unless Dell provides fixes in the future. Do you know of any cloud services on which the ra-sample can run correctly? I am interested in developing software with remote attestation support and need a way to test its performance.

 

Best regards,

xunf

JesusG_Intel
Moderator

Hello xunf,


The sgx-ra-sample with remote attestation is running correctly on your Dell. What you are finding are the security vulnerabilities found by IAS. Everything is working as it should. Your SGX platform sent a quote to the IAS and the IAS reported what it found to the service provider. Now the service provider needs to decide whether to trust the platform.


It is up to your trust policy whether to trust the platform based on the report. Many customers receive security advisories from IAS and choose to trust the platform anyway.


You can run the sgx-ra-sample on Microsoft Azure and IBM Cloud.


Sincerely,

Jesus G.

Intel Customer Support
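
The trust decision described in the replies above (check the enclave's ISVSVN, then decide by policy whether to accept the advisories IAS reports), written out as an added example that is not part of the thread or of sgx-ra-sample. Field names follow the IAS API v4 report JSON and the sgx_quote_t layout; the policy values, the MRSIGNER placeholder and make_report are constructed for illustration, and the report's signature is assumed to have been verified before evaluate is called.

```python
import base64
import struct

HARDENING = {"SW_HARDENING_NEEDED", "CONFIGURATION_NEEDED",
             "CONFIGURATION_AND_SW_HARDENING_NEEDED"}

# Constructed policy (assumption): values a service provider would choose.
POLICY = {
    "mr_signer": "ab" * 32,   # placeholder for the enclave signer's hash
    "min_isv_svn": 2,         # assumed first enclave build with LVI mitigations
    "tolerated": {"INTEL-SA-00289", "INTEL-SA-00334"},  # accepted explicitly
}

def parse_quote_body(b64):
    """Pull identity fields out of the 432-byte quote body (sgx_quote_t)."""
    q = base64.b64decode(b64)
    if len(q) < 432:
        raise ValueError("quote body too short")
    return {
        "debug": bool(q[96] & 0x02),              # attributes.flags DEBUG bit
        "mr_signer": q[176:208].hex(),
        "isv_svn": struct.unpack_from("<H", q, 306)[0],
    }

def evaluate(report, policy=POLICY):
    """Return (trusted, reason) for an already signature-verified IAS report."""
    body = parse_quote_body(report["isvEnclaveQuoteBody"])
    if body["mr_signer"] != policy["mr_signer"]:
        return False, "unexpected MRSIGNER"
    if body["debug"]:
        return False, "debug enclave"
    if body["isv_svn"] < policy["min_isv_svn"]:
        return False, f"ISVSVN {body['isv_svn']} below minimum"
    status = report["isvEnclaveQuoteStatus"]
    if status != "OK" and status not in HARDENING:
        return False, f"status {status}"
    # Every advisory IAS lists must be one the policy has accepted.
    extra = set(report.get("advisoryIDs", [])) - policy["tolerated"]
    if extra:
        return False, "unaccepted advisories: " + ",".join(sorted(extra))
    return True, f"{status} accepted by policy"

def make_report(isv_svn, status, advisories):
    """Constructed sample report; real reports come from IAS."""
    q = bytearray(432)
    q[176:208] = bytes.fromhex(POLICY["mr_signer"])
    struct.pack_into("<H", q, 306, isv_svn)
    return {"isvEnclaveQuoteStatus": status, "advisoryIDs": advisories,
            "isvEnclaveQuoteBody": base64.b64encode(bytes(q)).decode()}
```

With this policy, a report like the one in the original question is trusted only when the enclave's ISVSVN is at least the minimum and both listed advisories are in the tolerated set; any other status, such as GROUP_OUT_OF_DATE, is rejected.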


xunf
Beginner

Thank you. I get it now.

 

Best regards,

xunf
