- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently, my SGX program keeps reporting errors when executing RemoteAttestion(DCAP) in the tester program:
# OpenEnclave
Invalid platform TCB level: OutOfDate (cpu_svn[0] = 0x4, pce_svn = 0xb)
But I have upgraded all DCAP, microcode, BIOS, MPA and still can't fix the problem.
Is there a way to see what problems exist on the machine that do not meet the conditions of TCB?
CPU info:
cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 106
model name : Intel(R) Xeon(R) Gold 5320 CPU @ 2.20GHz
stepping : 6
microcode : 0xd00037b
SDKs
apt list --installed | grep sgx
libsgx-ae-epid/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-id-enclave/unknown,now 1.15.100.3-focal1 amd64 [installed]
libsgx-ae-le/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-pce/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-qe3/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-qve/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-ecdsa-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-epid-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-launch-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-pce-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-quote-ex-plugin/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
libsgx-dcap-default-qpl/unknown,now 1.15.100.3-focal1 amd64 [installed]
libsgx-dcap-ql/unknown,now 1.15.100.3-focal1 amd64 [installed]
libsgx-dcap-quote-verify/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-enclave-common/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-epid/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-launch/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-pce-logic/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-qe3-logic/unknown,now 1.15.100.3-focal1 amd64 [installed,automatic]
libsgx-quote-ex/unknown,now 2.18.100.3-focal1 amd64 [installed]
libsgx-urts/unknown,now 2.18.100.3-focal1 amd64 [installed]
sgx-aesm-service/unknown,now 2.18.100.3-focal1 amd64 [installed,automatic]
sgx-dcap-pccs/unknown,now 1.15.100.3-focal1 amd64 [installed]
This is my first time dealing with TCB recovery, but Intel® Software Guard Extensions (Intel® SGX) Trusted Computing Base (TCB) Recovery Plans for Q4 2022 doesn't mention what to do, and my CPU(Gold 5320) isn't listed, I do not quite understand why I am also affected.
It would help me a lot if anyone could provide some guidelines or answers.
Thank you very much.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for your patience.
I have checked with the development team.
Intel® Xeon® Gold 5300 processors are affected, refer Software Security Guidance for more information.
It is suggested to check the version of the uCode loaded by the BIOS, which can be found in the BIOS setup menu. The "cpu_svn[0] = 0x4" is old, the latest is 0x7.
You can obtain the TCBInfo for ICX showing both the latest early and late load uCode SVNs via:
a. curl https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=00606a000000 | python3 -m json.tool
Hope this is helpful.
Regards,
Ken
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry to hear that your SGX programs are facing errors when executing RemoteAttestation (DCAP).
We are investigating with the development team regards to the Intel® Software Guard Extensions (Intel® SGX) Trusted Computing Base (TCB) Recovery Plans for Q4 2022 mentioned, especially for Intel® Xeon® Gold 5320 Processor.
Please allow some time for us to investigate, thank you for your patience.
Regards,
Ken
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for your patience.
I have checked with the development team.
Intel® Xeon® Gold 5300 processors are affected, refer Software Security Guidance for more information.
It is suggested to check the version of the uCode loaded by the BIOS, which can be found in the BIOS setup menu. The "cpu_svn[0] = 0x4" is old, the latest is 0x7.
You can obtain the TCBInfo for ICX showing both the latest early and late load uCode SVNs via:
a. curl https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=00606a000000 | python3 -m json.tool
Hope this is helpful.
Regards,
Ken
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May I ask how do you know my fmspc is "00606a000000"? and how to check the latest cpu_svn is “0x4”?
Thanks
Laisky
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I have an intel NUC with the same issue. It is affected of course. I've run the above script and shows some JSON data... however, it is not clear who it is an accepted solution when there is no mention on how to address the issue. I have done an update and see the following:
1 { 2 "tcbInfo": { 3 "id": "SGX", 4 "version": 3, 5 "issueDate": "2023-01-05T19:25:39Z", 6 "nextUpdate": "2023-02-04T19:25:39Z", 7 "fmspc": "00606a000000", 8 "pceId": "0000", 9 "tcbType": 0, 10 "tcbEvaluationDataNumber": 13, 11 "tcbLevels": [ 12 { 13 "tcb": { 14 "sgxtcbcomponents": [ 15 { 16 "svn": 7, 17 "category": "BIOS", 18 "type": "Early Microcode Update" 19 }, 20 { 21 "svn": 9, 22 "category": "OS/VMM", 23 "type": "SGX Late Microcode Update" 24 }, 25 { 26 "svn": 3, 27 "category": "OS/VMM", 28 "type": "TXT SINIT" 29 }, 30 { 31 "svn": 3, 32 "category": "BIOS" 33 }, ....
However, what is the fix? I saw the notice saying systems are affected, mine was supposed to be addressed in November, but it still shows the error.
Thank you!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I hope the information I provided was helpful to you.
Please inform us if you have any questions regards to this issue.
Thank you.
Regards,
Ken
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for your reply, I will contact OPS to check the machine.
Please forgive my late reply, most of my colleagues have been on sick leave recently due to COVID.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I believe your SGX program reports error of OutofDate (cpu_svn[0] = 0x4) based on your question, the latest is 0x7. It is suggested to check the version of uCode loaded by the BIOS.
I believe FMSPC stands for Family-Model-Stepping-Platform-CustomSKU where it is the description of processor package or platform instance including its Family, Model, Stepping, Platform Type and Customized SKU (if applies). Refer Intel® SGX PCK Certificate and Certificate Revocation List Profile Specification for more information.
Hope this is helpful and your colleagues will recover soon.
Regards,
Ken
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page