I ran the sgx-ra-sample (https://github.com/intel/sgx-ra-sample) on an SGX platform with an Intel(R) Xeon(R) CPU E3-1240 v6 @ 3.70GHz, SGX SDK v2.11.100.2 for Linux, microcode version 0xd6.
I got the report returned by IAS during remote attestation:
{"id":"65203691178931226306956053529440970597","timestamp":"2020-09-28T08:50:14.608997","version":4,"epidPseudonym":"Q9tGD02cioU0XkaMFT9y4ox+FlarYC+OwATTA3JOoH80v8GsyMFHNM6MHz1IHoE0ILIqPcEXfLwRzWsXplq0aw6Z0UvjfkLIqtSPfh8PXHcPih0yT/ymHvFqoeGXrfObUEs7rQg8J2qaBLIuMKeo4ApIWEM3re0DmWQn1NIpwPQ=","advisoryURL":"https://security-center.intel.com","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293"],"isvEnclaveQuoteStatus":"GROUP_OUT_OF_DATE","platformInfoBlob":"1502006504000900000F0F02040101070000000000000000000B00000B000000020000000000000B60E3A11D623442A7AC8C6766A32B62C96C3767AB337B49CE8B2997D6E73A16F37E93F4E866CC76201782D127A67932132A748EADAB11EFF23E368A3DCF6F8BC08F","isvEnclaveQuoteBody":"AgABAGALAAALAAoAAAAAAAhmm1HRlSiQ5yR2P/L3skQAAAAAAAAAAAAAAAAAAAAABhACBP8CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAHAAAAAAAAAPKWuzRbcEM2tmyIfGeHwYxuJCfqgHWmZthbIeKX0xD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9ccY4Dvd8VBfostHOLUtlBLn0GOUEk0JEDP/yRD2VvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADaDZYIs90U3ARF7FF8WGa1sNDHejjC1+U+74L7MAQyQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
I found that:
1. INTEL-SA-00161, INTEL-SA-00320, INTEL-SA-00329, INTEL-SA-00220 and INTEL-SA-00270 require the latest microcode update. However, I followed the instructions in the release note of the microcode update project (https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote) and found that the current microcode version is the latest.
Hence, my question is: how do I mitigate these SAs? [Q1]
2. INTEL-SA-00293 says that the version of the SGX SDK is old. But I ran "sgx_sign -version", and the result is "This is sgx_sign from Intel(R) Software Guard Extensions, version 2.11.100.2 for Linux". That means the version of the SGX SDK on the platform is not old.
So I am confused why INTEL-SA-00293 is in the report, as my SGX SDK version is v2.11.100.2 for Linux. [Q2]
In addition, we know that IAS checks the microcode version by analyzing the cpusvn field in the quote, which is obtained directly from the CPU and can be attested. However, how does IAS get the trusted SGX SDK version of the SGX platform? [Q3]
To make the problem clearer, here is more information:
1. BIOS revision of the SGX platform: 5.11
2. The decoded PIB is:
-------------------------------
Platform info is:
sgx_epid_group_fags = 04
QE_EPID_GROUP_OUT_OF_DATE
sgx_tcb_evaluation_flags = 0009
QUOTE_CPUSVN_OUT_OF_DATE
PLATFORM_CONFIGURATION_NEEDED
pse_evaluation_flags = 0000
latest_equivalent_tcb_psvn: 0F0F02040101070000000000000000000B00
latest_pse_isvsvn: 000B
latest_psda_svn: 00000002
xeid: 00000000
gid: 00000B60
signature:
gy: 0FA2D231889A1A746B11916853FD932EC6FE796997F1AA187A91A303F5AF3AD4
gy: AB194DFB1EBCCED8F2BBCCCA924E47B00B5E71E63DFAC769EEFC5986429BB4B0
--------------------
I would appreciate your reply!
Hello Amy,
I apologize for the late reply as I was getting more information on your issue.
You most likely need to install an updated BIOS from your OEM that contains the latest early BIOS load microcode. The microcode you installed from the GitHub repository, version 0xd6, is an OS microcode update. To mitigate SGX issues, you always need the early load microcode that comes with the latest BIOS from your OEM.
Please send us your system manufacturer and model number so that we can help identify which is the latest BIOS you need. If the OEM provides a BIOS with the fixes in the microcode, then you will have to install it.
This article, https://software.intel.com/security-software-guidance/secure-coding/loading-microcode-os, explains the different types of microcode in the section, Microcode Loading Points.
Thanks for your reply!
The cpu info is:
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Intel(R) Xeon(R) CPU E3-1240 v6 @ 3.70GHz
stepping : 9
microcode : 0xd6
cpu MHz : 1498.431
Another problem is why "INTEL-SA-00293" is in the IAS report, which means that the SGX SDK version is old, while I have installed SGX SDK v2.11.100.2.
Is it because the version of the quoting enclave is too old? If so, how do I update it?
Hello Amy,
You must also make sure that you have the latest Intel SGX PSW installed, https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw. If you already have the latest SDK and the latest PSW and are still getting SA-00293, it may be because the other vulnerabilities are still unmitigated. The IAS backend implements an "all-or-none" approach for certain TCBs which means that you must fix all of the reported vulnerabilities in order to clear any of them. If even one vulnerability is not mitigated, then the rest will show up too. This is by design. If an attacker were to exploit any one of the vulnerabilities then the attacker can make the system fake that the other vulnerabilities are fixed. Therefore, they must all be fixed.
The CPU info is helpful but we also need the system manufacturer and model number. For example, do you have a Lenovo Thinkcenter or HP, Dell, etc?
You must work with your OEM to get the latest BIOS and inquire if it has the latest microcode with the required fixes implemented.
Dear Jesus,
I have installed the latest Intel SGX PSW, but I found that some packages are quite old, as follows:
-----------------------------
libsgx-ae-epid/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-le/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-pce/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-qe3/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-qve/unknown 1.8.100.2-bionic1 amd64
libsgx-aesm-ecdsa-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-ecdsa-plugin-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-aesm-epid-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-epid-plugin-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-aesm-launch-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-launch-plugin-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-aesm-pce-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-pce-plugin-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-aesm-quote-ex-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-quote-ex-plugin-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-dcap-default-qpl/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-default-qpl-dbg/unknown 1.3.101.3-bionic1 amd64
libsgx-dcap-default-qpl-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-default-qpl-dev/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-pccs/unknown 1.3.101.3-bionic1 amd64
libsgx-dcap-ql/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-ql-dbg/unknown 1.3.101.3-bionic1 amd64
libsgx-dcap-ql-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-ql-dev/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-quote-verify/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-quote-verify-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-dcap-quote-verify-dev/unknown 1.8.100.2-bionic1 amd64
libsgx-enclave-common/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-enclave-common-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-enclave-common-dev/unknown 2.11.100.2-bionic1 amd64
libsgx-epid/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-epid-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-epid-dev/unknown 2.11.100.2-bionic1 amd64
libsgx-launch/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-launch-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-launch-dev/unknown 2.11.100.2-bionic1 amd64
libsgx-pce-logic/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-pce-logic-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-qe3-logic/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-qe3-logic-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-quote-ex/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-quote-ex-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-quote-ex-dev/unknown 2.11.100.2-bionic1 amd64
libsgx-ra-network/unknown 1.8.100.2-bionic1 amd64
libsgx-ra-network-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-ra-network-dev/unknown 1.8.100.2-bionic1 amd64
libsgx-ra-uefi/unknown 1.8.100.2-bionic1 amd64
libsgx-ra-uefi-dbgsym/unknown 1.8.100.2-bionic1 amd64
libsgx-ra-uefi-dev/unknown 1.8.100.2-bionic1 amd64
libsgx-uae-service/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-uae-service-dbgsym/unknown 2.11.100.2-bionic1 amd64
libsgx-urts/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-urts-dbgsym/unknown 2.11.100.2-bionic1 amd64
linux-base-sgx/bionic-updates,bionic-updates,bionic-security,bionic-security 4.5ubuntu1.2 all
sgx-aesm-service/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
sgx-aesm-service-dbgsym/unknown 2.11.100.2-bionic1 amd64
sgx-dcap-pccs/unknown 1.8.100.2-bionic1 amd64
sgx-pck-id-retrieval-tool/unknown 1.8.100.2-bionic1 amd64
sgx-pck-id-retrieval-tool-dbgsym/unknown 1.8.100.2-bionic1 amd64
sgx-ra-service/unknown 1.8.100.2-bionic1 amd64
sgx-ra-service-dbgsym/unknown 1.8.100.2-bionic1 amd64
--------------------------
The command "sudo apt list --upgradable" shows that no package needs to be upgraded.
The command "sudo apt-get dist-upgrade -o Dpkg::Options::="--force-overwrite"" shows "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
Do I need to upgrade these packages? If so, how do I upgrade them?
In addition, I checked the hardware info, as follows:
Manufacturer: Alibaba
Product Name: X-Dragon CN 01
Version: To be filled by O.E.M.
What is the latest BIOS version for my SGX server running on Alibaba Cloud?
Hi Jesus,
Do I need to update the SGX-related libs?
Looking forward to your reply!
Hello Amy, your SGX software is up-to-date so you do not need to upgrade it further.
Since X-Dragon servers are proprietary servers by Alibaba, you will have to work with Alibaba IT to determine if they have the latest BIOS installed and if the BIOS has the necessary mitigations.