Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Enclave Not Trusted with INTEL-SA-00289, INTEL-SA-00334

xunf
Novice
880 Views

Hi,

 

I have tried the recommendations in JesusG's pinned posts whatever possible, but still get the Enclave Not Trusted with SA 00289 and 00334. This issue has not been raised in the community forum nor the sgx-ra-sample Github repository in the last few months. I am wondering if it has been already mitigated.

 

---- IAS Report - JSON - Optional Fields -----------------------------------

platformInfoBlob  = 1502006500000800000B0B02020280040000000000000000000C00000C000000020000000000000C1726388976070505C4998F39FEC351A09857187C40880889BE5CBC1EB00A7F06FF0315981C555070C243ADEA5849E242CA8B0C6B9180A895EBA9FA2B6C12C89239

revocationReason  =

pseManifestStatus =

pseManifestHash   =

nonce             =

epidPseudonym     = abfdIAgc9PlX9IaVpdKC2grH8qWnrUxJHrO/nt+iKmMWH6SAEELRH9MR3fgCDqOQbngSlfLUk5qpoFosOLj3SMcEUCOJOHztu9QF9coV0WJ97WzA26kQaUuQKB9fOhZvkqdkLZGLtrwsZ66yRrkgpdeUOl5e+YHhun434z0y1Ks=

advisoryURL       = https://security-center.intel.com

advisoryIDs       = 0 ?UINTEL-SA-00289,INTEL-SA-00334

----------------------------------------------------------------------------

+++ Verifying report version against API version

 

---- ISV Enclave Trust Status ----------------------------------------------

Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED

A Platform Info Blob (PIB) was provided by the IAS

 

 

I built and installed the SGX SDK and PSW 2.14 released in July. SDK is built with the default option ($ make sdk). And my machine is Dell Optiplex 7080 running Ubuntu20.04, Linux Kernel 5.11 with in-kernel driver exposed.

 

The latest Dell BIOS update on 23 Aug still does not expose the Overclocking bits.

 

Best regards

 

Labels (2)
0 Kudos
1 Solution
JesusG_Intel
Moderator
859 Views

Hello xunf,

 

This article will help.

 

Receiving ISV Enclave Trust Status as "Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_...

 

If the overclocking bit is not exposed in the BIOS then SA-00289 cannot be mitigated.

 

If a processor is affected by SA-00334 (LVI), Intel Attestation Service (IAS) will always reply with at least SW_HARDENING_NEEDED. IAS cannot determine if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up to date or not.

 

All Security Advisories must be mitigated in order to remove any of the advisories. If you mitigate only one of the security advisories, it will still show up because not all of them were mitigated.

 

Sincerely,

Jesus G.

Intel Customer Support

 

View solution in original post

5 Replies
JesusG_Intel
Moderator
860 Views

Hello xunf,

 

This article will help.

 

Receiving ISV Enclave Trust Status as "Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_...

 

If the overclocking bit is not exposed in the BIOS then SA-00289 cannot be mitigated.

 

If a processor is affected by SA-00334 (LVI), Intel Attestation Service (IAS) will always reply with at least SW_HARDENING_NEEDED. IAS cannot determine if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up to date or not.

 

All Security Advisories must be mitigated in order to remove any of the advisories. If you mitigate only one of the security advisories, it will still show up because not all of them were mitigated.

 

Sincerely,

Jesus G.

Intel Customer Support

 

JesusG_Intel
Moderator
810 Views

Hello xunf,

 

Do you still need help with this issue?

 

Sincerely,

Jesus G.

Intel Customer Support

 

xunf
Novice
798 Views

Hi Jesus G,

 

Thank you for the reply. I guess then there is no way for me to make it work on my machine unless Dell provides fixes in the future. Do you know any cloud services on which the ra-sample can run correctly? I am interested in developing software with remote attestation support and needs a way to test the performance of it.

 

Best regards,

xunf

JesusG_Intel
Moderator
790 Views

Hello xunf,


The sgx-ra-sample with remote attestation is running correctly on your Dell. What you are finding are the security vulnerabilities found by IAS. Everything is working as it should. Your SGX platform sent a quote to the IAS and the IAS reported what it found to the service provider. Now the service provider needs to decide whether to trust the platform.


It is up to your trust policy whether to trust the platform based on the report. Many customers receive security advisories from IAS and choose to trust the platform anyway.


You can run the sgx-ra-sample on Microsoft Azure and IBM cloud.


Sincerely,

Jesus G.

Intel Customer Support


xunf
Novice
717 Views

Thank you. I get it now.

 

Best regards,

xunf

Reply