Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

How to resolve 0x4006 error code (GROUP_OUT_OF_DATE)

Rama__Klei
Beginner

I am trying to run the RAP code (with a few modifications) from https://github.com/intel/sgx-ra-sample

In my setting I have two Intel NUC computers, both with production code: BOXNUC8i7HVK3.

Two days ago I updated their BIOS to the latest version, which to the best of my knowledge is: HNKBLi70.86A.0059.2019.1112.1124

On both PCs I am using Ubuntu 18.04 and have also downloaded the latest SGX packages, which seem to be version 2.7.101.3, from https://download.01.org/intel-sgx/sgx-linux/2.7.1/distro/ubuntu18.04-server/

So up to now I assumed everything was up to date.

Then I ran RAP between the two computers, in which one acts as the client where my enclave resides and the other acts as the server, from where a gateway (a VM in my case) initiates RAP with the client.

The code runs and I got the following output on both machines:

On the server machine, where I execute ./run-server, I got the following output:

---- ISV Enclave Trust Status ----------------------------------------------
Enclave NOT TRUSTED and COMPLICATED - Reason: GROUP_OUT_OF_DATE
A Platform Info Blob (PIB) was provided by the IAS

And on the client side I got the following output:

---- Enclave Trust Status from Service Provider ----------------------------
Enclave TRUSTED
A Platform Info Blob (PIB) was provided by the IAS
+++ PIB: 04000900000d0d02040101030000000000000000000a00000b000000020000000000000b71609ba302469a76dcf30f0dc16dbe69cb2f779d648a577e960948c9c32da1ca65758b9618c49a952c29213fbe4b8aa3cd04116a8df549112f672f213b4a4291f5
+++ sgx_report_attestation_status ret = 0x4006
----------------------------------------------------------------------------

---- Platform Update Required ----------------------------------------------
The following Platform Update(s) are required to bring this
platform's Trusted Computing Base (TCB) back into compliance:

  * Intel SGX Platform Software needs to be updated to the latest version.
  * The CPU Microcode needs to be updated.  Contact your OEM for a platform
    BIOS Update.

----------------------------------------------------------------------------

I need some help on how to resolve this issue.

0 Kudos
3 Replies
Junli_S_Intel
Employee

The root cause should be that the BIOS has some security issue, and the latest BIOS in use didn't resolve this security issue.

In your log file, there should be some information like: advisory-url and advisory-ids. Please refer to this information.

Apart from waiting for the latest BIOS that resolves the security issue, it seems that there is no good way to resolve your problem.

0 Kudos
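
Added example (not part of the thread and not code from sgx-ra-sample): a sketch of how a service provider could turn the advisory IDs mentioned in the reply above into an explicit trust decision for a GROUP_OUT_OF_DATE report, rather than a blanket accept or reject. It assumes the report signature was already verified and that advisory data arrives either as advisoryIDs/advisoryURL report fields or as Advisory-IDs/Advisory-URL response headers; the function name, the Verdict type and the sample advisory IDs are hypothetical.

```python
import json
from dataclasses import dataclass

# Statuses where the quote verified but the platform TCB or configuration is flagged.
TCB_WARNING = {"GROUP_OUT_OF_DATE", "CONFIGURATION_NEEDED",
               "SW_HARDENING_NEEDED", "CONFIGURATION_AND_SW_HARDENING_NEEDED"}

@dataclass
class Verdict:
    trusted: bool
    status: str
    unreviewed: list       # advisories the relying party has not accepted
    advisory_url: str
    has_pib: bool          # PIB present: forward it to the client for update guidance

def evaluate_report(body, headers=None, accepted=frozenset()):
    """Decide trust from an IAS report whose signature was already verified."""
    report = json.loads(body)
    status = report.get("isvEnclaveQuoteStatus")
    if not isinstance(status, str):
        raise ValueError("report has no isvEnclaveQuoteStatus")
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    # Advisory data: JSON fields in newer reports, HTTP headers in older ones.
    ids = report.get("advisoryIDs")
    if ids is None:
        ids = [s.strip() for s in headers.get("advisory-ids", "").split(",") if s.strip()]
    url = report.get("advisoryURL") or headers.get("advisory-url", "")
    unreviewed = sorted(set(ids) - set(accepted))
    if status == "OK":
        trusted = True
    elif status in TCB_WARNING:
        # Without advisory IDs there is nothing to review, so fail closed.
        trusted = bool(ids) and not unreviewed
    else:
        trusted = False    # revoked or invalid signatures are never accepted
    return Verdict(trusted, status, unreviewed, url, "platformInfoBlob" in report)

# Constructed report body; the advisory IDs and PIB value are placeholders.
SAMPLE = json.dumps({
    "isvEnclaveQuoteStatus": "GROUP_OUT_OF_DATE",
    "platformInfoBlob": "<hex PIB placeholder>",
    "advisoryURL": "https://advisory.example/",
    "advisoryIDs": ["EXAMPLE-SA-0001", "EXAMPLE-SA-0002"],
})

if __name__ == "__main__":
    print(evaluate_report(SAMPLE))
    print(evaluate_report(SAMPLE, accepted={"EXAMPLE-SA-0001", "EXAMPLE-SA-0002"}))
```

The accepted set is the relying party's own record of advisories it has reviewed and judged tolerable for its workload; an empty set reproduces a strict policy that rejects every out-of-date platform.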
Zavalyshyn__Igor
Beginner

Hi Junli,

I have the same problem as the topic starter. While I have the latest BIOS version in place, I also get a GROUP_OUT_OF_DATE error from IAS.

Now, I do understand that due to newly discovered CPU vulnerabilities (now there is a new LVI one) there will be new BIOS updates with patches. This is great and I applaud your team for their effort to make SGX more secure and robust. What I don't understand is why you update the IAS configs that determine what platforms can be trusted or not without releasing the BIOS updates for those platforms at the same time.

Will there ever be a moment when my Intel NUC NUC7i7BNH with the latest BIOS installed and the Intel IAS service trust each other? Is there anything I can do about it?

Thanks

JUNLI S. (Intel) wrote:

The root cause should be that the BIOS has some security issue, and the latest BIOS in use didn't resolve this security issue.

In your log file, there should be some information like: advisory-url and advisory-ids. Please refer to this information.

Apart from waiting for the latest BIOS that resolves the security issue, it seems that there is no good way to resolve your problem.

0 Kudos
Junli_S_Intel
Employee

@Igor, sorry for my late response.

1. When IAS has a new release, I think you should receive the notice. Please pay attention to the notice.

2. Please monitor the BIOS updates for your platform.

3. Please pay attention to using the latest SGX PSW software stack.

0 Kudos