The TCB-R 20, initiated August 12, 2025 (for update = “early”) continues to be affected by the issue first identified with TCBR-18 with Intel® Software Guard Extensions ECDSA Quote Verification Library: the list of advisory IDs (commonly known as the Security Advisory List) reported by the library may not be complete. In more detail, Advisory IDs assigned to the tdxModuleIdentites structure may be missing, resulting in an incomplete advisoryID list (please see this link for the original Intel post on this matter). As a reminder, the issue does not affect the accuracy of the tcbStatus (that is, UpToDate, OutOfDate) or the tcbDate value reported by the library.

As a result of the existing issue, Security Advisories pertaining to the Intel TDX Module (specifically: INTEL-SA-01192, INTEL-SA-01245, and INTEL-SA-01312 for TCB-R 20) may be omitted from the full expected list, depending on the Intel Product (Intel® Xeon® 6 Processor with P-cores (formerly codenamed Granite Rapids) was not affected by INTEL-SA-01192, and so that Security Advisory / Product combination wouldn’t be in the full expected list).

Due to the anticipated late 2025 timing of a new version of the Intel DCAP QVL software, as well as the need to provide the ecosystem with sufficient time to transition to the new version, Intel has implemented a data workaround that will be in place for the immediate future. Intel will communicate further regarding the length of time the workaround will be in place. The workaround is to include these advisoryIDs in the tdxtcbcomponents structure responses when appropriate (i.e., for a tcbStatus value other than UpToDate when the product is affected by the issue described in the advisory).

The workaround was implemented for Sapphire Rapids, Emerald Rapids, Sierra Forest and Granite Rapids products. It results in improved responses in the QVL output, but does not completely address the behavior. The QVL output depends on the TCB of the Intel TDX Module and the rest of the TCB. In the following table, we present one row for all possible status combinations. In column 3, we first report what would happen without the workaround. In column 4, we then present what happens with the workaround. Under-reporting means several SA values that would be expected to be in the advisoryID list are not. Over-reporting means several SA values that would be expected to be in the advisoryID list are present, but appear multiple times.