Intel® Software Guard Extensions (Intel® SGX)

How to recover trust in Intel TDX platform after leaked private PCK key?

Elod

In the TEE.fail research paper, the authors demonstrate a method by which an Intel TDX platform’s PCK could potentially be extracted.

I have the following questions:

1. In the event of a successful PCK extraction, what recovery or re-provisioning mechanisms are officially supported by Intel?
2. For each supported mechanism, what are the exact operational steps, and does any of them require a full TCB Recovery cycle?
3. How long does the re-provisioning or TCB Recovery process typically take, and when will attestation collateral signed with the compromised PCK (or derived keys) be rejected?
4. Is it possible to use these procedures combined with a physical audit and physical sealing (by lock and key) of the platform to ensure the CPU’s PCK is not compromised prior to the sealing?


For context: I am evaluating these topics internally because, given the implications of the TEE.fail attack, we cannot assume long-term trust in CPUs prior to deployment. The attack can be carried out while a system is offline, or potentially even months or years before installation (e.g., secondhand CPUs), with stolen PCK material being used later. This makes clarity on recovery and re-provisioning procedures essential.

