Intel® Software Guard Extensions (Intel® SGX)

Intel® Provisioning Certification Service (PCS) Changes

Scott_R_Intel
Moderator

Dear Intel® SGX and Intel® TDX Customers,

Over the past 1+ years, we have integrated changes into our Intel Provisioning Certification Service (PCS) to maximize customer choice and flexibility with respect to attestation options. Examples of the changes are the addition of the "update" parameter to GetTCBInfo, as well as updating Intel's policy to establish a 12-month period between when new verification collateral is available for the different values of this new "update" parameter ("early", "standard"). NOTE: The default without the "update" parameter added is "standard". All customers are strongly encouraged to spend time ensuring they understand the implications of these changes. Further background, details, and reasoning for the changes can be found in the Remote Attestation Process section of the Trusted Computing Base (TCB) Recovery technical article.

With the 12-month delay of collateral availability via PCS at update = "standard" compared with update = "early", there may be one or more TCB Recovery Events (or TCB-R Events*) in the meantime. As partners may have their infrastructure updated to any TCB-R Counter** value (representing a distinct TCB Level^) between the ones offered by early and standard, Intel has recently expanded the capabilities of the PCS to address this. Specifically:

  1. A new endpoint (tcbevaluationdatanumbers) to provide a list of the most recently introduced TCB evaluation data numbers has been added
  2. The existing PCS APIs for retrieving verification collateral (TCB Info, Enclave/TD Identity) have been extended with a new parameter: tcbEvaluationDataNumber. This enables the user to retrieve a valid response for a specified TCB-R Counter value that is between the current value returned for [update] = "early" and the current value returned for [update] = "standard". This parameter is optional, to maintain backward compatibility.

Further details can be found in the updated API Documentation.

Some scenarios these were envisioned for:

Scenario 1: A user wants to know whether their infrastructure is updated to the TCB level associated with the most recent TCB-R Counter value.

  1. Solution: Call the new tcbevaluationdatanumbers endpoint and compare the TCB-R Counter value (i.e. tcbEvaluationDataNumber in the TCB Info structure) with the tcbEvaluationDataNumber included in the signed verification collateral returned by your verifier.

Scenario 2: An additional TCB-R Event (example Event2) happens in the course of the 12-month period after original TCB-R Event Event1. The user wants valid verification collateral for Event1 (at this point in time, calling Get TCB Info with update="early" would return the collateral for Event2, and calling Get TCB Info with update="standard" (or not specifying a value for the update parameter) would return the collateral for Event0, the event preceding Event1 (since 12 months hasn't passed since Event1)).

  1. Solution: Call the applicable updated Get TCB Info endpoint specifying the tcbEvaluationDataNumber for Event1, and Event1's verification collateral will be returned.


Thank You,

Intel SGX & TDX Services Team


Glossary

*TCB-R Event: When Intel first publishes Provisioning Certification Key certificates and verification collateral, typically shortly after public disclosure of the mitigation.

**TCB-R Counter: similar to the tcbEvaluationDataNumber contained within TCB Information (verification collateral). The number is incremented for each TCB-R event (the highest number being the most recent) and can be used to determine the most recent verification collateral to use for quote verification.

^TCB Level: Array of TCB components and their corresponding SVN^^ numbers that together help describe security of a platform.

^^Security Version Numbers (SVN): Value representing 'security worthiness' of a component used in the Trusted Computing Base^^^ (TCB) of a Trusted Execution Environment (TEE). For Microcode Updates (MCU) it is often referred to as the "anti-rollback ID." When loading an MCU (WRMSR 0x79) the new value is compared with the current value to prevent loading an MCU with a lower SVN. When an MCU is released to address security issues, the SVN may be incremented to prevent loading of an older, potentially vulnerable, MCU.

^^^Trusted Computing Base (TCB): All hardware, firmware, and/or software components that are critical to implement the security objectives of Intel SGX and Intel TDX.

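The two scenarios above, as an added Python example that is not Intel's code and not from the post: it builds the Get TCB Info request with the optional update / tcbEvaluationDataNumber parameters and compares the TCB-R Counter in a verifier's collateral against the newest value from the tcbevaluationdatanumbers endpoint. The base URL, path layout, and JSON field names are assumptions modelled on the public PCS v4 API and should be checked against the API documentation; the sample responses are constructed inline so nothing touches the network.

```python
from typing import Optional, Tuple
from urllib.parse import urlencode

PCS_BASE = "https://api.trustedservices.intel.com"  # assumed PCS base URL


def tcb_info_url(tee: str, fmspc: str, update: Optional[str] = None,
                 tcb_evaluation_data_number: Optional[int] = None) -> str:
    """Build a Get TCB Info request URL (path layout assumed, see lead-in).
    Omitting `update` is equivalent to update=standard, per the announcement.
    `tcb_evaluation_data_number` selects collateral for one specific TCB-R Counter
    value, which is what Scenario 2 needs (Event1 while early already points at Event2)."""
    if tee not in ("sgx", "tdx"):
        raise ValueError("tee must be 'sgx' or 'tdx'")
    if update is not None and update not in ("early", "standard"):
        raise ValueError("update must be 'early' or 'standard'")
    params = {"fmspc": fmspc}
    if update is not None:
        params["update"] = update
    if tcb_evaluation_data_number is not None:
        params["tcbEvaluationDataNumber"] = str(tcb_evaluation_data_number)
    return f"{PCS_BASE}/{tee}/certification/v4/tcb?{urlencode(params)}"


def latest_tcb_evaluation_data_number(numbers_response: dict) -> int:
    """Scenario 1, step one: newest TCB-R Counter from the tcbevaluationdatanumbers
    response (field names assumed). The highest number is the most recent event."""
    entries = numbers_response["tcbEvaluationDataNumbers"]["tcbEvaluationDataNumbers"]
    return max(e["tcbEvaluationDataNumber"] for e in entries)


def collateral_is_current(tcb_info_response: dict, latest: int) -> Tuple[bool, int]:
    """Scenario 1, step two: compare the tcbEvaluationDataNumber inside the signed
    TCB Info the verifier used with the newest counter. Returns (is_current, events_behind).
    The signature over the collateral must still be checked by the caller; this only
    answers 'how far behind the latest TCB-R Event is my verifier's collateral?'."""
    used = tcb_info_response["tcbInfo"]["tcbEvaluationDataNumber"]
    return used >= latest, max(latest - used, 0)


# Constructed sample responses: Event0=15, Event1=16, Event2=17; verifier is on Event1.
SAMPLE_NUMBERS = {"tcbEvaluationDataNumbers": {"id": "SGX", "tcbEvaluationDataNumbers": [
    {"tcbEvaluationDataNumber": 15}, {"tcbEvaluationDataNumber": 16},
    {"tcbEvaluationDataNumber": 17}]}, "signature": "constructed"}
SAMPLE_TCB_INFO = {"tcbInfo": {"id": "SGX", "fmspc": "0123456789AB",
                   "tcbEvaluationDataNumber": 16}, "signature": "constructed"}

if __name__ == "__main__":
    latest = latest_tcb_evaluation_data_number(SAMPLE_NUMBERS)
    print(collateral_is_current(SAMPLE_TCB_INFO, latest))       # (False, 1)
    print(tcb_info_url("sgx", "0123456789AB", tcb_evaluation_data_number=16))
```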