Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

SGX Attestation results in CONFIGURATION_NEEDED

Gordon__Arthur
Beginner
‎10-23-2018 06:45 AM
1,488 Views

I have run attestation on my Thinkpad T470 with Core i5 806E9 7th Gen (Kabylake) with the latest microcode 0x8E from Bios update 1.53 released 9/10/2018 and get CONFIGURATION_NEEDED.

CONFIGURATION_NEEDED is defined in the IAS API as -The EPID signature of the ISV enclave QUOTE has been verified correctly, but additional configuration of SGX platform may be needed (for further details see Advisory IDs).

Digging further through the Response Header

advisory-url : https://security-center.intel.com

advisory-ids : INTEL-SA-00161

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html?wapkw=intel-sa-00161

Looking through the advisory INTEL-SA-00161 it appears that the issue was addressed with the INTEL-SA-00115 with microcode 0x8E on this processor.

So what is the logic behind CONFIGURATION_NEEDED, is this to flag that the microcode fix is insufficient to address this issue? Are software mitigations  also required to address this issue? Can we please have some clarification.

Regards,

-Arthur

0 Kudos

Link Copied

5 Replies
Dr__Greg
Super User
‎10-23-2018 10:38 AM
1,488 Views

Good afternoon Arthur and more generally to everyone.

Review section 4.2.1 of revision 4.1 of the Intel SGX API services documentation.  A PDF of that document is linked off the primary Intel SGX homepage.

In the process review your BIOS configuration settings and if hyper-threading is enabled disable it.

The CONFIGURATION_NEEDED status is returned under two separate conditions:

  1. An EPID has been provisioned to the platform and sealed against the most recent Trusted Computing Base (TCB) specification for the platform but hyper-threading is enabled.
  2. The platform has not been provisioned against the current platform TCB (GROUP_OUT_OF_DATE) and the platform does not have the security sensitive BIOS microcode update applied.

Based on the description of your platform and its configuration I suspect you are falling into condition one.

It is important to be aware that the state of enablement of hyper-threading has an impact with respect to the Security Version (SVN) of the platform.  This in turn translates to implications with respect to static key derivation by the ENCLU[EGETKEY] instruction.  As a result of this, keys generated with hyper-threading disabled will not be available if the platform is running with hyper-threading enabled.  This is secondary to the fact that, secondary to FORESHADOW, a hyper-threading enabled platform is considered to be less secure then one which has hyper-threading enabled.

Best wishes for your SGX development efforts and for a productive remainder of the week.

Dr. Greg

0 Kudos
Copy link
Gordon__Arthur
Beginner
‎10-24-2018 04:25 AM
1,488 Views

Hi Greg,

Good call, turns out that CONFIGURATION_NEEDED does mean "you need to turn off hyper-threading" in this case.

Fortunately the ThinkPad offered the ability to switch off hyper-threading in the BIOS and the result was isvEnclaveQuoteStatus = OK.

Beware that not all machines have this option in the BIOS, and switching off hyper-threading does impact performance.

Hopefully the next generation of processors will not require this 'configuration', but it would be good if someone can confirm this.

Regards,

-Arthur

 


 

0 Kudos
Copy link
Hszz09
Beginner
‎01-27-2019 11:20 PM
1,488 Views

Hi Arthur,

How did you manage to shut down hyper-threading in BIOS in thinkpad? I cannot find it.

Thanks!

Gordon, Arthur wrote:

Hi Greg,

Good call, turns out that CONFIGURATION_NEEDED does mean "you need to turn off hyper-threading" in this case.

Fortunately the ThinkPad offered the ability to switch off hyper-threading in the BIOS and the result was isvEnclaveQuoteStatus = OK.

Beware that not all machines have this option in the BIOS, and switching off hyper-threading does impact performance.

Hopefully the next generation of processors will not require this 'configuration', but it would be good if someone can confirm this.

Regards,

-Arthur

 

 

0 Kudos
Copy link
Hszz09
Beginner
‎01-27-2019 11:43 PM
1,488 Views

Ah I figured it out with a bash script.

0 Kudos
Copy link
Gordon__Arthur
Beginner
‎01-28-2019 12:30 AM
1,488 Views

Hi Hszz09,

I was about to say that I don't currently have the Thinkpad (T470) with me, but it looks like you have found a solution anyway.

I believe (but can't verify) I had an option under BIOS > Config >  CPU. Interestingly that option does not exists on the Thinkpad emulator https://download.lenovo.com/bsco/index.html. However I am running the latest BIOS, and it could have been added into a later version, so make sure that you are running the latest BIOS for your hardware.

I found the following links that maybe useful to others

* Thread on disabling HT on Thinkpads https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/How-do-you-disable-hyperthreading-on-a-T480/td-p/4294634

* Disabling HT using bash script on Ubuntu https://askubuntu.com/questions/942728/disable-hyper-threading-in-ubuntu

Regards,

-Arthur

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.