My attesting machine has i5-8400 CPU with an FMSPC of 00906EA10000. Looking at the certification with:

curl "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=00906EA10000" | jq . | less

I see that the best TCB level is "SWHardeningNeeded", the second best is "ConfigurationAndSWHardeningNeeded". My attesting enclave never gets to the best level and is stuck at Configuration Needed.

After reading Intel® SGX Attestation Technical Details, I did the following to comply with the attestation requirements:

• For HT, I did nothing. The i5-8400 does not have HT.
• For iGPU: I added a discrete GPU to the machine, and disabled the integrated GPU in the BIOS. lspci -v shows only the discrete GPU.
• For Voltage MSRs: I activated the Overclocking Lock in the BIOS. Many reddit posts talk about how this setting toggles Bit 20 in the 0x194 MSR. With msr-tools, I confirmed that the Bit 20 is set after toogling this. rdmsr -a 0x194 returns 0x110000 for all CPUs. rdmsr 0x195 fails as this MSR does not exist on this CPU.
• Update my BIOS to include microcode: sig=0x906ea, pf=0x2, revision=0xf4

Additionally, I found:

• rdmsr 0xE2 returns 0x1e008000. Bit 15 is set, which according to the Intel Architecture Sw.Dev.Man.Vol.4 corresponds to CFG Lock. 
• rdmsr 0x1AA returns 0x401cc0. This seems to be associated with power management. I have no good interpretation of that value.
• If rdmsr 0x150 returns value X, then rdmsr 0x150 still returns value X after wrmsr 0x150 0x0. So writes to 0x150 seem to be blocked.

My TCB level is still ConfigurationAndSWHardeningNeeded after all the steps above.  What do I need to do to lift my TCB Status to SWHardeningNeeded?

Thanks!