New Contributor I

Remote attestation still returns "configuration needed" with latest BIOS and microcode update

Hi, all,

We've tested the remote attestation sample code on 2 platforms available to us: Dell PowerEdge R340 (CPU: Intel(R) Xeon(R) E-2174G), and Lenovo ThinkSystem SR250 Rack Server (CPU: Intel(R) Xeon(R) E-2288G). We've updated to the latest BIOS version from the OEM, and the latest microcode patches from: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

However, the remote attestation returns:

---- Enclave Trust Status from Service Provider ----------------------------

Enclave Trust is TRUSTED and COMPLICATED. The client is out of date and

may not be trusted in the future depending on the service provider's policy.

A Platform Info Blob (PIB) was provided by the IAS

----------------------------------------------------------------------------

---- IAS Advisories --------------------------------------------------------

https://security-center.intel.com

INTEL-SA-00219,INTEL-SA-00289

---- ISV Enclave Trust Status ----------------------------------------------

Enclave TRUSTED and COMPLICATED - Reason: CONFIGURATION_NEEDED

A Platform Info Blob (PIB) was provided by the IAS

The microcode version is 0xca. The SGX SDK is the latest 2.9 version (as of 06/09/2020).

According to the OEM website (Lenovo), https://datacentersupport.lenovo.com/us/en/product_security/home, the INTEL-SA-00219 (CVE-2019-0117) and INTEL-SA-00289 (CVE-2019-11157) were fixed in LEN-29846 (UEFI: ISE114H) and LEN-27714 (UEFI: ISE112).

Perhaps a TCB recovery is needed for the advisories (https://software.intel.com/sites/default/files/managed/01/7b/Intel-SGX-Trusted-Computing-Base-Recove...)? Are there any instructions on how to perform the TCB recovery?

Thanks

Moderator

Hello Yunfeng,


I apologize for the delay. Some key people have been out and are returning this week. I hope to have an answer for you this week.


Jesus Garcia, Intel Customer Support
Moderator

Hello Yunfeng,


The backend team did some research and it turns out my previous response was correct. It has to do with being able to enable the overclocking lock bit, which your vendors did not implement. The only thing you can do is to contact them to implement this feature as described in Intel-SA-00289.


Jesus Garcia, Intel Customer Support
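
Added example, not part of the original thread or of Intel's sample code: a relying-party policy check for the kind of IAS report shown in the question, where the quote verifies but the status is CONFIGURATION_NEEDED with a list of advisories. The field names `isvEnclaveQuoteStatus` and `advisoryIDs` follow the IAS report body; the function names and the allow-list policy are assumptions for illustration, and the report signature is assumed to have been verified already.

```python
import json

# Quote statuses that never pass, whatever the advisories say.
HARD_FAIL = {"SIGNATURE_INVALID", "GROUP_REVOKED", "SIGNATURE_REVOKED",
             "KEY_REVOKED", "SIGRL_VERSION_MISMATCH"}
# Statuses where the quote verified but the platform TCB needs attention.
CONDITIONAL = {"GROUP_OUT_OF_DATE", "CONFIGURATION_NEEDED",
               "SW_HARDENING_NEEDED", "CONFIGURATION_AND_SW_HARDENING_NEEDED"}

def parse_advisories(value):
    """Normalise advisory IDs given as a JSON list or a comma-separated string."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = value.split(",")
    return {a.strip().upper() for a in value if a.strip()}

def evaluate_report(report_json, accepted_advisories=()):
    """Return (decision, reason, unaccepted advisory IDs) for one report body.

    Assumes the report signature and certificate chain were already verified.
    """
    report = json.loads(report_json)
    status = report.get("isvEnclaveQuoteStatus")
    advisories = parse_advisories(report.get("advisoryIDs"))
    if status == "OK":
        return ("accept", "platform TCB is current", [])
    if status in HARD_FAIL:
        return ("reject", "quote status " + status, sorted(advisories))
    if status in CONDITIONAL:
        if not advisories:
            return ("reject", status + " with no advisory list to review", [])
        unaccepted = sorted(advisories - parse_advisories(accepted_advisories))
        if unaccepted:
            return ("reject", status + " with unreviewed advisories", unaccepted)
        return ("accept_with_risk", status + ", all advisories risk-accepted", [])
    return ("reject", "unknown quote status %r" % (status,), sorted(advisories))

# Constructed sample: status and advisory IDs copied from the output in this thread.
SAMPLE_REPORT = json.dumps({
    "isvEnclaveQuoteStatus": "CONFIGURATION_NEEDED",
    "advisoryURL": "https://security-center.intel.com",
    "advisoryIDs": ["INTEL-SA-00219", "INTEL-SA-00289"],
})

if __name__ == "__main__":
    print(evaluate_report(SAMPLE_REPORT))
    print(evaluate_report(SAMPLE_REPORT, ["INTEL-SA-00219", "INTEL-SA-00289"]))
```

With an empty allow-list the sample report is rejected and both advisory IDs are returned, which gives the operator the exact list to take to the platform vendor.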

New Contributor I

Thank you, Jesus. We really appreciate your help on this.

Best,

Wenhao

Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


Jesus Garcia, Intel Customer Support