Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1444 Discussions

Remote attestation still returns "configuration needed" with latest bios and microcode update

yunfeng7854
New Contributor I
5,491 Views

Hi, all,

We've tested the remote attestation sample code on 2 platforms available to us: Dell Poweredge R340 (CPU: Intel(R) Xeon(R) E-2174G), and Lenovo ThinkSystem SR250 Rack Server (CPU: Intel(R) Xeon(R) E-2288G). We've updated to the latest BIOS version from the OEM, and the latest microcode patches from: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

However the remote attestation returns

---- Enclave Trust Status from Service Provider ----------------------------

Enclave Trust is TRUSTED and COMPLICATED. The client is out of date and

may not be trusted in the future depending on the service provider's policy.

A Platform Info Blob (PIB) was provided by the IAS

----------------------------------------------------------------------------

---- IAS Advisories --------------------------------------------------------

https://security-center.intel.com

INTEL-SA-00219,INTEL-SA-00289

---- ISV Enclave Trust Status ----------------------------------------------

Enclave TRUSTED and COMPLICATED - Reason: CONFIGURATION_NEEDED

A Platform Info Blob (PIB) was provided by the IAS

The microcode version is 0xca. The SGX SDK is the latest 2.9 version (as of 06/09/2020).

According to the OEM website (Lenovo):

https://datacentersupport.lenovo.com/us/en/product_security/home the INTEL-SA-00219 (CVE-2019-0117) and INTEL-SA-00289 (CVE-2019-11157) were fixed in LEN-29846 (UEFI: ISE114H) and LEN-27714 (UEFI: ISE112).

Perhaps, a TCB recovery is needed for the advisories (https://software.intel.com/sites/default/files/managed/01/7b/Intel-SGX-Trusted-Computing-Base-Recovery.pdf)? Is there any instructions on how to perform the TCB recovery?

Thanks

1 Solution
JesusG_Intel
Moderator
4,992 Views

Hello Yunfeng,


The backend team did some research and it turns out my previous response was correct. It has to do with being able to enable the overclocking lock bit, which your vendors did not implement. The only thing you can do is to contact them to implement this feature as described in Intel-SA-00289.


View solution in original post

0 Kudos
24 Replies
JesusG_Intel
Moderator
1,041 Views

Hello Yunfeng,


I apologize for the delay. Some key people have been out and are returning this week. I hope to have an answer for you this week.


0 Kudos
JesusG_Intel
Moderator
4,993 Views

Hello Yunfeng,


The backend team did some research and it turns out my previous response was correct. It has to do with being able to enable the overclocking lock bit, which your vendors did not implement. The only thing you can do is to contact them to implement this feature as described in Intel-SA-00289.


0 Kudos
yunfeng7854
New Contributor I
1,016 Views

Thank you, Jesus. We really appreciate your help on this.

Best,

Wenhao

0 Kudos
JesusG_Intel
Moderator
998 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Reply