Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1444 Discussions

SW_HARDENING_NEEDED "INTEL-SA-00657" but microcode it's patched

JuanColina
Beginner
839 Views

Hi team. I have an Intel NUC7PJYH (J5005) that is reporting "SW_HARDENING_NEEDED" due to "INTEL-SA-00657" vulnerability. I'm using Ubuntu 22.04 with latest Intel Microcode:

 

juan@nuc2:~$ sudo dmesg | grep microcode
[ 1.286371] microcode: sig=0x706a8, pf=0x1, revision=0x20
[ 1.286628] microcode: Microcode Update Driver: v2.2.
juan@nuc2:~$

 

is this vulnerability suposed to be fixed in this microcode version or am I wrong?

what can I do to fix it?

 

Thanks in advance

 

 

0 Kudos
1 Solution
Sahira_Intel
Moderator
789 Views

Hi Juan,

You will need to following the recommendations in SA-00657 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html) that talk about the new SGX SDK versions. If you have are already running the SGX SDK version 2.17.101.1 or later, then you don't need to do anything further. The message will always show up, because Intel actually has no way of knowing if an ISV has the mitigations already.


"If a processor is affected by this security advisory (LVI), IAS will always reply with at least "SW_HARDENING_NEEDED." There is no way for IAS to tell if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up-to-date or not." For more information, see this post on the Forums: https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-mitigate-common-SAs-reported-by-IAS-during-remote/td-p/1211599


Let me know if you have more questions

Sincerely,

Sahira






View solution in original post

0 Kudos
1 Reply
Sahira_Intel
Moderator
790 Views

Hi Juan,

You will need to following the recommendations in SA-00657 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html) that talk about the new SGX SDK versions. If you have are already running the SGX SDK version 2.17.101.1 or later, then you don't need to do anything further. The message will always show up, because Intel actually has no way of knowing if an ISV has the mitigations already.


"If a processor is affected by this security advisory (LVI), IAS will always reply with at least "SW_HARDENING_NEEDED." There is no way for IAS to tell if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up-to-date or not." For more information, see this post on the Forums: https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-mitigate-common-SAs-reported-by-IAS-during-remote/td-p/1211599


Let me know if you have more questions

Sincerely,

Sahira






0 Kudos
Reply