Community
cancel
Showing results for 
Search instead for 
Did you mean: 
hervey_w_
Beginner
224 Views

GROUP_OUT_OF_DATE from IAS?

I recently started getting this response from Remote Attestation, the documentation says:

"The EPID signature of the ISV enclave QUOTE has been verified correctly, but the TCB level of SGX platform is outdated. The platform has not
been identified as compromised and thus it is not revoked. It is up to the Service Provider to decide whether or not to trust the content of the QUOTE. "

I've searched but not had any luck in understanding what this really means and how it can be rectified...

0 Kudos
2 Replies
Rodolfo_S_
New Contributor III
224 Views

Hi,

if you are registered to the Intel Developer Services, you should have received the following message from Intel six days ago:

Intel® Software Guard Extensions (Intel® SGX) consists of a set of CPU instructions and platform enhancements that enable applications to create private areas within which code and associated data can be protected from compromise during execution. The protections offered by Intel SGX, when used appropriately by application developers, can prevent compromise due to attacks from privileged software and many hardware based attacks. 

 

One way to ensure the technology is appropriately used and managed, is through the process of remote attestation. The remote attestation process verifies the platform is a valid SGX platform and that the platform components meet a defined set of security requirements.  In addition, the attestation process enables the Application Provider to verify the security version of the application.

 

A security update has been issued that improves the security of Intel SGX (Link: INTEL-SA-00076).  This should be reviewed by your team.

 

Next Steps

On August 21, 2017, updated Intel SGX platform security requirements will go into effect on the Intel® Attestation Service development environment (DEV).  This environment will start reporting a “GROUP_OUT_OF_DATE” response for attestation requests originating from Intel SGX enabled platforms whose security requirements no longer meet these newly updated requirements.  Additional information provided along with the response in a “platformInfoBlob” will indicate that a microcode update is required to bring the platform into compliance. That microcode update will be provided via a platform BIOS update provided by the platform vendor (OEM). To ensure compatibility, and to ensure the best customer experience for your application, Intel is providing a three-month window for you to test your remote attestation proxy server to ensure proper handling of “GROUP_OUT_OF_DATE” responses. 

 

On November 14, 2017, the same updated Intel SGX platform security requirements will go into effect on the Intel® Attestation Service production environment (LIV).  Your remote attestation proxy server will begin to receive the “GROUP_OUT_OF_DATE” response described above for attestation requests originating from Intel SGX enabled platforms whose security requirements no longer meet these newly updated requirements.

 

Actions to take

1. Review Intel’s Security Advisory.

2. Determine the impact to your Intel SGX enabled application(s) and remote attestation proxy.

3. If required, implement a policy for handling “GROUP_OUT_OF_DATE” responses based on your application and customer needs

4. Take note of the three month window provided for testing by Intel, and validate your policy implementation to ensure compatibility and to ensure the best customer experience for your application.

5. If you have further questions, contact the Intel representative that is assigned to your organization.  Alternatively please contact secure@intel.com.

 

Reference Documentation

 

Follow the instructions there to understand and solve this response from IAS.

hervey_w_
Beginner
224 Views

Rudolfo, thanks for the detailed reply. I only recently registered as a developer and did not receive the email, although I suspected that the problem was related to the referenced security issue. At this point, the hardware vendor for my development machine has not issued an updated BIOS so I'll be using this as an opportunity to better understand what policies we might develop for attestation.

Reply