Due to an implementation oversight associated with the updates Intel made to its security services in mid-May, attestation verification collateral returned by Intel PCS was “over-enforcing” upgrade requirements for platforms potentially impacted by INTEL-TA-01153, when the web parameter [update] = “early” (or the parameter [tcbEvaluationDataNumber] was specified as 19). Specifically, attestation was requiring a MCU_BIOS_TCBR[1] to return the best response, where a MCU_OSPL_SGX_TCBR[1] should have been sufficient.
In an update planned for early August 8 pacific time, Intel will update collateral for Ice Lake Xeon-SP (CPUID 606A6), Ice Lake Xeon D (Idaville – CPUID 606C1) and Coffee Lake H / Xeon E / S (CPUID 906ED) to only require the expected MCU_OSPL_SGX_TCBR (other affected products from INTEL-TA-01153 will be updated at a point in the near-future).
Your Action May be Required:
Following the update (and assuming microcode containing the mitigations has been deployed):
- Infrastructure Providers should obtain new platform PCK Certificates.
- Customers who cache attestation verification collateral using a collateral caching service should refresh their cache to store the new collateral. This update should include both updated platform PCK certificates as well as refreshed TCBInfo collateral.
[1] reference Key here
