Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

SW_HARDENING_NEEDED "INTEL-SA-00657" but microcode is patched

JuanColina
Beginner

Hi team. I have an Intel NUC7PJYH (J5005) that is reporting "SW_HARDENING_NEEDED" due to "INTEL-SA-00657" vulnerability. I'm using Ubuntu 22.04 with latest Intel Microcode:

 

juan@nuc2:~$ sudo dmesg | grep microcode
[ 1.286371] microcode: sig=0x706a8, pf=0x1, revision=0x20
[ 1.286628] microcode: Microcode Update Driver: v2.2.
juan@nuc2:~$

 

Is this vulnerability supposed to be fixed in this microcode version, or am I wrong?

What can I do to fix it?

 

Thanks in advance

 

 

1 Solution
Sahira_Intel
Moderator

Hi Juan,

You will need to follow the recommendations in SA-00657 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html) that talk about the new SGX SDK versions. If you are already running the SGX SDK version 2.17.101.1 or later, then you don't need to do anything further. The message will always show up, because Intel actually has no way of knowing if an ISV has the mitigations already.


"If a processor is affected by this security advisory (LVI), IAS will always reply with at least "SW_HARDENING_NEEDED." There is no way for IAS to tell if a customer has built their enclaves with the mitigations in place. The relying party needs to look at its enclave's ISVSVN (enclave version) and decide if it's up-to-date or not." For more information, see this post on the Forums: https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-mitigate-common-SAs-reported-b...


Let me know if you have more questions.

Sincerely,

Sahira
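
Added example, not part of the original thread and not Intel's code: one way a relying party could apply the ISVSVN check described in the answer above to an IAS attestation report. It assumes the report signature has already been verified, and the policy values `MIN_ISV_SVN` and `TOLERATED_ADVISORIES` are hypothetical; the sample reports are constructed.

```python
import base64
import struct

# sgx_quote_t layout: the report body starts at byte 48 of the quote, and
# isv_svn is a little-endian uint16 at byte 258 of sgx_report_body_t.
ISV_SVN_OFFSET = 48 + 258
QUOTE_BODY_LEN = 432  # quote without signature, as carried in isvEnclaveQuoteBody

# Assumed relying-party policy (hypothetical values; set them for your enclave).
MIN_ISV_SVN = 3                            # first version built with the mitigated SDK
TOLERATED_ADVISORIES = {"INTEL-SA-00657"}  # advisories addressed in software at that version


def isv_svn_from_report(report: dict) -> int:
    """Extract the enclave's ISVSVN from the base64 quote body."""
    body = base64.b64decode(report["isvEnclaveQuoteBody"])
    if len(body) < QUOTE_BODY_LEN:
        raise ValueError("truncated quote body")
    return struct.unpack_from("<H", body, ISV_SVN_OFFSET)[0]


def accept_report(report: dict) -> tuple[bool, str]:
    """Policy decision on an IAS report whose signature was already verified."""
    status = report.get("isvEnclaveQuoteStatus")
    if status == "OK":
        pending = set()
    elif status == "SW_HARDENING_NEEDED":
        pending = set(report.get("advisoryIDs", []))
    else:
        return False, f"status {status} not accepted"
    unknown = pending - TOLERATED_ADVISORIES
    if unknown:
        return False, "unmitigated advisories: " + ", ".join(sorted(unknown))
    svn = isv_svn_from_report(report)
    if svn < MIN_ISV_SVN:
        return False, f"ISVSVN {svn} below required {MIN_ISV_SVN}"
    return True, f"accepted at ISVSVN {svn}"


def constructed_report(status: str, advisories: list, isv_svn: int) -> dict:
    """Build a sample report for the demo (constructed, not real IAS output)."""
    body = bytearray(QUOTE_BODY_LEN)
    struct.pack_into("<H", body, ISV_SVN_OFFSET, isv_svn)
    return {"isvEnclaveQuoteStatus": status, "advisoryIDs": advisories,
            "isvEnclaveQuoteBody": base64.b64encode(bytes(body)).decode()}


if __name__ == "__main__":
    for svn in (3, 2):
        print(accept_report(constructed_report("SW_HARDENING_NEEDED", ["INTEL-SA-00657"], svn)))
```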





