Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Some problems with TCB recovery

Laisky
Beginner
841 Views

Currently, my SGX program keeps reporting errors when executing RemoteAttestation (DCAP) in the tester program:

 

# OpenEnclave
Invalid platform TCB level: OutOfDate (cpu_svn[0] = 0x4, pce_svn = 0xb)

 

But I have upgraded all DCAP, microcode, BIOS, MPA and still can't fix the problem. 

Is there a way to see what problems exist on the machine that do not meet the conditions of TCB?

 

CPU info:

 

cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 106
model name      : Intel(R) Xeon(R) Gold 5320 CPU @ 2.20GHz
stepping        : 6
microcode       : 0xd00037b

 

 SDKs

 

apt list --installed | grep sgx

libsgx-ae-epid/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-id-enclave/unknown,now 1.15.100.3-focal1 amd64 [installed]
libsgx-ae-le/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-pce/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-qe3/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-qve/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-ecdsa-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-epid-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-launch-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-pce-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-quote-ex-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-dcap-default-qpl/unknown,now 1.15.100.3-focal1 amd64 [installed]
libsgx-dcap-ql/unknown,now 1.15.100.3-focal1 amd64 [installed]
libsgx-dcap-quote-verify/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-enclave-common/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-epid/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-launch/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-pce-logic/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-qe3-logic/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-quote-ex/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-urts/unknown,now 2.18.100.3-focal1 amd64 [installed]
sgx-aesm-service/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
sgx-dcap-pccs/unknown,now 1.15.100.3-focal1 amd64 [installed]

 

This is my first time dealing with TCB recovery, but Intel® Software Guard Extensions (Intel® SGX) Trusted Computing Base (TCB) Recovery Plans for Q4 202... doesn't mention what to do, and my CPU (Gold 5320) isn't listed; I do not quite understand why I am also affected.

 

It would help me a lot if anyone could provide some guidelines or answers.

Thank you very much.

1 Solution
KFPW_Intel
Moderator
620 Views

Hi,

 

Thank you for your patience.

I have checked with the development team.

 

Intel® Xeon® Gold 5300 processors are affected; refer to Software Security Guidance for more information.

It is suggested to check the version of the uCode loaded by the BIOS, which can be found in the BIOS setup menu. The "cpu_svn[0] = 0x4" is old; the latest is 0x7.

You can obtain the TCBInfo for ICX showing both the latest early and late load uCode SVNs via:

a. curl "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=00606a000000" | python3 -m json.tool

 

Hope this is helpful.

 

Regards,

Ken



7 Replies
KFPW_Intel
Moderator
819 Views

Hi,

 

Sorry to hear that your SGX programs are facing errors when executing RemoteAttestation (DCAP).

 

We are investigating with the development team with regard to the Intel® Software Guard Extensions (Intel® SGX) Trusted Computing Base (TCB) Recovery Plans for Q4 202... mentioned, especially for the Intel® Xeon® Gold 5320 Processor.

 

Please allow some time for us to investigate, thank you for your patience.

 

Regards,

Ken



Laisky
Beginner
556 Views

May I ask how you know my fmspc is "00606a000000", and how to check that the latest cpu_svn is "0x4"?

 

Thanks

Laisky

onepotato
Beginner
452 Views

Hi, I have an Intel NUC with the same issue. It is affected, of course. I've run the above script and it shows some JSON data... however, it is not clear how it is an accepted solution when there is no mention of how to address the issue. I have done an update and see the following:

 

{
  "tcbInfo": {
    "id": "SGX",
    "version": 3,
    "issueDate": "2023-01-05T19:25:39Z",
    "nextUpdate": "2023-02-04T19:25:39Z",
    "fmspc": "00606a000000",
    "pceId": "0000",
    "tcbType": 0,
    "tcbEvaluationDataNumber": 13,
    "tcbLevels": [
      {
        "tcb": {
          "sgxtcbcomponents": [
            {
              "svn": 7,
              "category": "BIOS",
              "type": "Early Microcode Update"
            },
            {
              "svn": 9,
              "category": "OS/VMM",
              "type": "SGX Late Microcode Update"
            },
            {
              "svn": 3,
              "category": "OS/VMM",
              "type": "TXT SINIT"
            },
            {
              "svn": 3,
              "category": "BIOS"
            },
            ....

 

However, what is the fix? I saw the notice saying systems are affected, mine was supposed to be addressed in November, but it still shows the error.


Thank you!
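
Added example, not part of any post in this thread and not Intel or Open Enclave code: a sketch of how a verifier matches a platform's cpu_svn and pce_svn against the tcbLevels in the TCBInfo JSON quoted above, and which components fall short of the newest level. The names evaluate_tcb, _level and SAMPLE_TCB_INFO are hypothetical; the pcesvn and tcbStatus fields are cut off in the quoted JSON and are assumed from the TCBInfo format; all values not shown in the thread are constructed.

```python
# Added example: constructed data except where noted; not Intel or Open Enclave code.

def _level(svns, pcesvn, status, meta=()):
    """Build one tcbLevels entry in the shape the TCBInfo JSON uses."""
    comps = [{"svn": s, **(meta[i] if i < len(meta) else {})}
             for i, s in enumerate(svns)]
    return {"tcb": {"sgxtcbcomponents": comps, "pcesvn": pcesvn},
            "tcbStatus": status}

# The first four component SVNs and labels are from the JSON quoted in the thread;
# the other twelve, the pcesvn values and the older level are constructed.
META = [{"category": "BIOS", "type": "Early Microcode Update"},
        {"category": "OS/VMM", "type": "SGX Late Microcode Update"},
        {"category": "OS/VMM", "type": "TXT SINIT"},
        {"category": "BIOS"}]
SAMPLE_TCB_INFO = {"tcbInfo": {"fmspc": "00606a000000", "tcbLevels": [
    _level([7, 9, 3, 3] + [0] * 12, 11, "UpToDate", META),
    _level([4, 9, 3, 3] + [0] * 12, 10, "OutOfDate", META),
]}}

def evaluate_tcb(tcb_info, cpu_svn, pce_svn):
    """Return (status, shortfalls) for a platform's 16-byte cpu_svn and pce_svn."""
    levels = tcb_info["tcbInfo"]["tcbLevels"]   # assumed ordered highest first
    status = "NotSupported"                     # our label when no level matches
    for level in levels:
        tcb = level["tcb"]
        comps_ok = all(have >= c["svn"]
                       for have, c in zip(cpu_svn, tcb["sgxtcbcomponents"]))
        if comps_ok and pce_svn >= tcb["pcesvn"]:
            status = level["tcbStatus"]         # first satisfied level decides
            break
    newest = levels[0]["tcb"]
    shortfalls = [(i, c.get("category", "?"), c.get("type", "?"), have, c["svn"])
                  for i, (have, c) in enumerate(zip(cpu_svn, newest["sgxtcbcomponents"]))
                  if have < c["svn"]]
    if pce_svn < newest["pcesvn"]:
        shortfalls.append(("pcesvn", "?", "PCE", pce_svn, newest["pcesvn"]))
    return status, shortfalls

if __name__ == "__main__":
    # cpu_svn[0] = 0x4 and pce_svn = 0xb come from the error in the thread;
    # the remaining cpu_svn bytes are constructed.
    platform_cpu_svn = [0x4, 9, 3, 3] + [0] * 12
    status, gaps = evaluate_tcb(SAMPLE_TCB_INFO, platform_cpu_svn, 0xb)
    print(status)
    for idx, category, kind, have, need in gaps:
        print(f"component {idx} ({category}, {kind}): have {have}, need {need}")
```

The category of each shortfall ("BIOS" or "OS/VMM") indicates which update path supplies that component, which is why a component labelled "BIOS" stays behind until the firmware itself loads newer microcode.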

KFPW_Intel
Moderator
572 Views

Hi,


I hope the information I provided was helpful to you.

Please inform us if you have any questions with regard to this issue.

Thank you.

 

Regards,

Ken


Laisky
Beginner
562 Views

Thank you very much for your reply, I will contact OPS to check the machine.


Please forgive my late reply, most of my colleagues have been on sick leave recently due to COVID.

KFPW_Intel
Moderator
544 Views

Hi,


Based on your question, I believe your SGX program reports an OutOfDate error (cpu_svn[0] = 0x4); the latest is 0x7. It is suggested to check the version of uCode loaded by the BIOS.


I believe FMSPC stands for Family-Model-Stepping-Platform-CustomSKU, which describes the processor package or platform instance, including its Family, Model, Stepping, Platform Type and Customized SKU (if applicable). Refer to the Intel® SGX PCK Certificate and Certificate Revocation List Profile Specification for more information.


Hope this is helpful and your colleagues will recover soon.


Regards,

Ken

