Community
cancel
Showing results for 
Search instead for 
Did you mean: 
JesusG_Intel
Moderator
1,361 Views

How to mitigate common SAs reported by IAS during remote attestation

When performing remote attestation for an enclave, the Intel Attestation Service (IAS) responds with a status and corresponding Security Advisories (SA) that may affect the platform on which the enclave is running. A common response from IAS (as reported by the SGX Remote Attestation Sample app here) looks like this:

---- IAS Report - JSON - Optional Fields -----------------------------------

platformInfoBlob = 150200####...

revocationReason =

pseManifestStatus =

pseManifestHash =

nonce =

epidPseudonym =

advisoryURL = https://security-center.intel.com

advisoryIDs = INTEL-SA-00334,INTEL-SA-00161,INTEL-SA-00219,INTEL-SA-00289

----------------------------------------------------------------------------

+++ Verifying report version against API version

---- ISV Enclave Trust Status ----------------------------------------------

Enclave NOT TRUSTED - Reason: CONFIGURATION_AND_SW_HARDENING_NEEDED

A Platform Info Blob (PIB) was provided by the IAS

 

The trust decision is made by the relying party once they have analyzed the SA’s in the response.  Your enclave may be vulnerable to certain attacks described in the SA list. In the example above, the platform may be affected by SAs 00334, 00161, 00219, and 00289.

 

These SAs frequently occur together. Below are explanations of these SA and how to mitigate them, if possible.

  • INTEL-SA-00161 – “L1TF” - Speculative Execution Side Channel - uCode update as part of INTEL-SA-00115.  Need to disable hyperthreading.
  • INTEL-SA-00219 - Processor Graphics Update Advisory. You have to disable integrated graphics, or use special memory handling techniques in your enclaves.  But, even if you modify your enclaves, you will still always get this reply if integrated graphics is enabled.
  • INTEL-SA-00289 - "Plundervolt" - Voltage Settings Modification Advisory. This requires a BIOS update and vendor enabling overclocking lock bit. There is a BIOS option that can control the bit - Overclocking Lock. For Intel customer reference boards, it’s under BIOS menu “Advanced -> Power & Performance -> CPU - Power Management Control -> CPU Lock configuration -> overclocking lock”.  Check if you can enable the lock on your platform to mitigate SA-00289.
  • INTEL-SA-00334 - Load Value Injection (LVI) Deep Dive. You have to update the Intel® SGX Platform Software (PSW) and build your enclaves with the updated toolchain to fully mitigate.  If a processor is affected by this security advisory (LVI), IAS will always reply with at least "SW_HARDENING_NEEDED." There is no way for IAS to tell if a customer has built their enclaves with the mitigations in place.  The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up-to-date or not.

In summary, to mitigate these SAs, you need to disable HT, disable integrated graphics, get the BIOS updated for "Plundervolt" and enable the overclocking lock bit, and then build your enclaves with mitigations for LVI.  You will still always get a “SW_HARDENING_NEEDED” reply back from IAS because of LVI.

You may also always get SAs 161, 219, and 289 because of what could be done with some of these attacks.

It’s possible that if someone uses one of these attacks, you could make one of the other features look like it is disabled when it really isn’t. So, the backend logic is: You either get all issues possible on that processor, or you get none (they’ve all been mitigated). It’s up to the user to confirm that all the other manual mitigations can be fixed.

 

If you disable HT, disable integrated graphics, enable the overclocking lock bit, and the BIOS/microcode was fixed, those three SAs (161, 219, and 289) would go away. You either get all three SAs or none. If your BIOS does not allow you to enable the overclocking lock bit, you cannot fully implement the mitigation for SA-00289. This is a common scenario - the BIOS is up to date, but the vendor has not implemented the overclocking lock bit.  And, since 289 is there, so will the rest of them.  

 

To re-iterate, if your processor is susceptible to LVI, you will still always get INTEL-SA-00334 and SW_HARDENING_NEEDED.

 

Labels (4)
0 Replies
Reply