intel / SGXDataCenterAttestationPrimitives


Err run QuoteVerificationSample: CONFIG_AND_SW_HARDENING_NEEDED #152

Open hello2mao opened 3 years ago

hello2mao commented 3 years ago
make[1]: Entering directory '/root/individual/hello2mao/SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample'
App/App.cpp:42:10: fatal error: sgx_dcap_quoteverify.h: No such file or directory
 #include "sgx_dcap_quoteverify.h"
          ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
Makefile:224: recipe for target 'App/App.o' failed
make[1]: *** [App/App.o] Error 1
make[1]: Leaving directory '/root/individual/hello2mao/SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample'
Makefile:173: recipe for target 'all' failed
make: *** [all] Error 2
hyjiang commented 3 years ago

Pls install libsgx-dcap-quoteverify-dev and try again.

hello2mao commented 3 years ago

> Pls install libsgx-dcap-quoteverify-dev and try again.

Thanks. /close

hello2mao commented 3 years ago
root@impulse-NUC02:~/individual/hello2mao/SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample# ./app 
Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat

Trusted quote verification:
        Info: get target info successfully returned.
        Info: sgx_qv_set_enclave_load_policy successfully returned.
        Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
        Info: App: sgx_qv_verify_quote successfully returned.
        Info: Ecall: Verify QvE report and identity successfully returned.
        Warning: App: Verification completed with Non-terminal result: a008

===========================================

Untrusted quote verification:
        Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
        Info: App: sgx_qv_verify_quote successfully returned.
        Warning: App: Verification completed with Non-terminal result: a008

@hyjiang I updated the BIOS to the latest version, but it still failed.

BIOS info: (screenshot)

hyjiang commented 3 years ago

This is a warning instead of an error.

You can try to change SMT configuration in BIOS, then try again.

hello2mao commented 3 years ago

> This is a warning instead of an error.
>
> You can try to change SMT configuration in BIOS, then try again.

(two BIOS screenshots)

Is anything wrong with this setting?

hello2mao commented 3 years ago

CPU Info

Intel(R) Xeon(R) E-2286M  CPU @ 2.40GHz

BIOS Info

BIOS Information
        Vendor: Intel Corp.
        Version: QNCFLX70.0059.2020.1130.2122
        Release Date: 11/30/2020
        Address: 0xF0000
        Runtime Size: 64 kB
        ROM Size: 16 MB
        Characteristics:
                PCI is supported
                BIOS is upgradeable
                BIOS shadowing is allowed
                Boot from CD is supported
                Selectable boot is supported
                BIOS ROM is socketed
                EDD is supported
                5.25"/1.2 MB floppy services are supported (int 13h)
                3.5"/720 kB floppy services are supported (int 13h)
                3.5"/2.88 MB floppy services are supported (int 13h)
                Print screen service is supported (int 5h)
                Serial services are supported (int 14h)
                Printer services are supported (int 17h)
                ACPI is supported
                USB legacy is supported
                BIOS boot specification is supported
                Targeted content distribution is supported
                UEFI is supported
        BIOS Revision: 5.13
        Firmware Revision: 24.39

OS version

Linux impulse-NUC02 5.4.0-58-generic #64~18.04.1-Ubuntu SMP Wed Dec 9 17:11:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Linux version 5.4.0-58-generic (buildd@lgw01-amd64-040) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #64~18.04.1-Ubuntu SMP Wed Dec 9 17:11:11 UTC 2020

SGX SW version

sgx_linux_x64_driver_1.36.2.bin  
sgx_linux_x64_sdk_2.12.100.3.bin
libsgx-dcap-quote-verify-dev_1.9.100.3-bionic1_amd64.deb 

filename:       /lib/modules/5.4.0-58-generic/updates/dkms/intel_sgx.ko
version:        1.36.2
license:        Dual BSD/GPL
author:         Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
description:    Intel SGX DCAP Driver
srcversion:     27300A67E38AEEFA889568B
alias:          acpi*:INT0E0C:*
depends:        
retpoline:      Y
name:           intel_sgx
vermagic:       5.4.0-58-generic SMP mod_unload 
signat:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
hyjiang commented 3 years ago

Pls change Hyper-Threading to Enable, then try to execute quote generation & verification again.

Error code a008 means the TCB level of the platform is up to date. But additional configuration of the platform at its current patching level may be needed. Moreover, SGX SW Hardening is also needed. So you need to check:

hello2mao commented 3 years ago

Thanks.

> • Check HW configuration, usually SMT (Hyper-Threading) in BIOS

Done.

Show below:

{
  "tcbInfo": {
    "version": 2,
    "issueDate": "2020-12-28T02:30:56Z",
    "nextUpdate": "2021-01-27T02:30:56Z",
    "fmspc": "00906ED50000",
    "pceId": "0000",
    "tcbType": 0,
    "tcbEvaluationDataNumber": 10,
    "tcbLevels": [
      {
        "tcb": {
          "sgxtcbcomp01svn": 17,
          "sgxtcbcomp02svn": 17,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 6,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 10
        },
        "tcbDate": "2020-11-11T00:00:00Z",
        "tcbStatus": "SWHardeningNeeded"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 17,
          "sgxtcbcomp02svn": 17,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 10
        },
        "tcbDate": "2020-11-11T00:00:00Z",
        "tcbStatus": "ConfigurationAndSWHardeningNeeded"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 15,
          "sgxtcbcomp02svn": 15,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 6,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 10
        },
        "tcbDate": "2020-06-10T00:00:00Z",
        "tcbStatus": "OutOfDate"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 15,
          "sgxtcbcomp02svn": 15,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 10
        },
        "tcbDate": "2020-06-10T00:00:00Z",
        "tcbStatus": "OutOfDateConfigurationNeeded"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 14,
          "sgxtcbcomp02svn": 14,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 6,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 10
        },
        "tcbDate": "2019-12-11T00:00:00Z",
        "tcbStatus": "OutOfDate"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 14,
          "sgxtcbcomp02svn": 14,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 10
        },
        "tcbDate": "2019-12-11T00:00:00Z",
        "tcbStatus": "OutOfDateConfigurationNeeded"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 13,
          "sgxtcbcomp02svn": 13,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 2,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 9
        },
        "tcbDate": "2019-11-13T00:00:00Z",
        "tcbStatus": "OutOfDate"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 13,
          "sgxtcbcomp02svn": 13,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 9
        },
        "tcbDate": "2019-11-13T00:00:00Z",
        "tcbStatus": "OutOfDateConfigurationNeeded"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 2,
          "sgxtcbcomp02svn": 2,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 7
        },
        "tcbDate": "2019-05-15T00:00:00Z",
        "tcbStatus": "OutOfDate"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 1,
          "sgxtcbcomp02svn": 1,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 7
        },
        "tcbDate": "2019-01-09T00:00:00Z",
        "tcbStatus": "OutOfDate"
      },
      {
        "tcb": {
          "sgxtcbcomp01svn": 1,
          "sgxtcbcomp02svn": 1,
          "sgxtcbcomp03svn": 2,
          "sgxtcbcomp04svn": 4,
          "sgxtcbcomp05svn": 1,
          "sgxtcbcomp06svn": 128,
          "sgxtcbcomp07svn": 0,
          "sgxtcbcomp08svn": 0,
          "sgxtcbcomp09svn": 0,
          "sgxtcbcomp10svn": 0,
          "sgxtcbcomp11svn": 0,
          "sgxtcbcomp12svn": 0,
          "sgxtcbcomp13svn": 0,
          "sgxtcbcomp14svn": 0,
          "sgxtcbcomp15svn": 0,
          "sgxtcbcomp16svn": 0,
          "pcesvn": 6
        },
        "tcbDate": "2018-08-15T00:00:00Z",
        "tcbStatus": "OutOfDate"
      }
    ]
  },
  "signature": "e2a1f44a0dd212dd57ca5163e2b5253efbe2243783edd5ea5d388021b7229822b84893b59aecfe99f4e43a217ec014ad2884ddc7ed5dbe78939b1c2456a7919e"
}

No advisoryIDs. How do I get an Advisory Number?

hyjiang commented 3 years ago

From the TCB info you provided, it seems there is no advisory ID for your system right now.

As the current TCB level is ConfigurationAndSWHardeningNeeded, after you change the HW configuration (Hyper-Threading), your TCB level would change to SWHardeningNeeded. Then you need to check your enclave yourself, such as whether your enclave has linked the trusted SGX libs in /opt/intel/sgxsdk/lib64/cve_2020_0551_xxx.

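To make the TCB-level matching that hyjiang describes concrete, here is an added example (not code from this thread or from the DCAP project) that evaluates a platform's component SVNs against a tcbInfo the way a DCAP-style verifier does: walk `tcbLevels` from highest to lowest and take the `tcbStatus` of the first level whose every `sgxtcbcompNNsvn` and `pcesvn` the platform meets or exceeds. The tcbInfo is a condensed copy of the one posted above; the platform SVN values (`PLATFORM_BEFORE`, `PLATFORM_AFTER`) are constructed, since the real ones sit in the PCK certificate and are not in the thread. The code-to-status table uses the `sgx_ql_qv_result_t` values from `sgx_ql_lib_common.h`; a007 and a008 are the two the thread shows.

```python
"""Evaluate a platform's SGX TCB against a tcbInfo, the way a DCAP-style verifier does.

Added example: the tcbInfo below is condensed from the levels posted in this thread;
the platform SVN values are constructed to illustrate the two outcomes discussed.
"""
from datetime import datetime, timezone

# tcbStatus string -> sgx_ql_qv_result_t code as printed by QuoteVerificationSample
# (values from sgx_ql_lib_common.h; the thread itself shows a007 and a008).
QV_RESULT = {
    "UpToDate": 0x0000,
    "ConfigurationNeeded": 0xA001,
    "OutOfDate": 0xA002,
    "OutOfDateConfigurationNeeded": 0xA003,
    "Revoked": 0xA005,
    "SWHardeningNeeded": 0xA007,
    "ConfigurationAndSWHardeningNeeded": 0xA008,
}


def _level(comps, pcesvn, tcb_date, status):
    """Build one tcbLevels entry; unlisted components are zero, as in the posted tcbInfo."""
    comps = list(comps) + [0] * (16 - len(comps))
    tcb = {f"sgxtcbcomp{i + 1:02d}svn": v for i, v in enumerate(comps)}
    tcb["pcesvn"] = pcesvn
    return {"tcb": tcb, "tcbDate": tcb_date, "tcbStatus": status}


# Condensed from the tcbInfo posted above (fmspc 00906ED50000). Order matters:
# levels run from highest TCB to lowest and the first match wins.
TCB_INFO = {
    "version": 2,
    "issueDate": "2020-12-28T02:30:56Z",
    "nextUpdate": "2021-01-27T02:30:56Z",
    "fmspc": "00906ED50000",
    "pceId": "0000",
    "tcbLevels": [
        _level([17, 17, 2, 4, 1, 128, 6], 10, "2020-11-11T00:00:00Z", "SWHardeningNeeded"),
        _level([17, 17, 2, 4, 1, 128, 0], 10, "2020-11-11T00:00:00Z", "ConfigurationAndSWHardeningNeeded"),
        _level([15, 15, 2, 4, 1, 128, 6], 10, "2020-06-10T00:00:00Z", "OutOfDate"),
        _level([15, 15, 2, 4, 1, 128, 0], 10, "2020-06-10T00:00:00Z", "OutOfDateConfigurationNeeded"),
        _level([1, 1, 2, 4, 1, 128, 0], 6, "2018-08-15T00:00:00Z", "OutOfDate"),
    ],
}

# Constructed platform CPUSVN components (the real ones come from the PCK certificate).
# BEFORE differs from the top level only in component 07, which is exactly the gap
# between the two top levels of the posted tcbInfo.
PLATFORM_BEFORE = [17, 17, 2, 4, 1, 128, 0] + [0] * 9
PLATFORM_AFTER = [17, 17, 2, 4, 1, 128, 6] + [0] * 9
PLATFORM_PCESVN = 10


def _parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in tcbInfo."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_tcb_level(tcb_info, platform_comps, platform_pcesvn):
    """Return the first tcbLevel the platform dominates: every component SVN and the
    PCE SVN of the platform must be >= the level's. None if no level matches."""
    if len(platform_comps) != 16:
        raise ValueError("CPUSVN must carry exactly 16 component SVNs")
    for level in tcb_info["tcbLevels"]:
        tcb = level["tcb"]
        comps_ok = all(
            platform_comps[i] >= tcb[f"sgxtcbcomp{i + 1:02d}svn"] for i in range(16)
        )
        if comps_ok and platform_pcesvn >= tcb["pcesvn"]:
            return level
    return None


def evaluate(tcb_info, platform_comps, platform_pcesvn, now_utc):
    """Return (tcbStatus, qv_result_code, collateral_is_current).

    collateral_is_current is False when now_utc lies outside issueDate..nextUpdate;
    a verifier should refresh such tcbInfo rather than trust a stale status."""
    now = _parse_utc(now_utc)
    current = _parse_utc(tcb_info["issueDate"]) <= now < _parse_utc(tcb_info["nextUpdate"])
    level = match_tcb_level(tcb_info, platform_comps, platform_pcesvn)
    if level is None:
        return "Unsupported", None, current  # no level matched: TCB not covered by this tcbInfo
    status = level["tcbStatus"]
    return status, QV_RESULT.get(status), current


if __name__ == "__main__":
    for name, comps in (("before config change", PLATFORM_BEFORE), ("after config change", PLATFORM_AFTER)):
        status, code, fresh = evaluate(TCB_INFO, comps, PLATFORM_PCESVN, "2021-01-05T00:00:00Z")
        print(f"{name}: {status} (result 0x{code:04x}, collateral current: {fresh})")
```

Running it shows the transition hyjiang describes: with component 07 at 0 the first level to match is the second one (a008, ConfigurationAndSWHardeningNeeded); raising component 07 to 6 makes the top level match instead (a007, SWHardeningNeeded). Note that no combination of platform SVNs reaches UpToDate in this tcbInfo, which is why the status remains a warning even on a fully configured platform; the SW-hardening part has to be addressed in the enclave itself, as the next replies explain.
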
ScottR-Intel commented 3 years ago

Hello.

From the pics you provided and the BIOS version, it appears you're using the Intel NUC9 Pro (NUC9VXQNX). One other configuration change you'll need to make is to disable internal graphics. Once you do that, you'll need to either use the VGA port (which is attached to the integrated BMC and not the Intel integrated graphics), use an add-in graphics card, or use the remote KVM built in to the BMC to control the NUC.

Regards.

Scott

srieyulianti commented 3 years ago

Hello,

I got the same problem while running QuoteVerificationSample. The problem is related to the a007 error (SWHardeningNeeded). I checked the TCB info but no advisory ID is available. Has this issue already been solved?

Regards, Sri

ScottR-Intel commented 3 years ago

Hello Sri.

Even if everything is fully up to date on a platform, certain processors will always get the SWHardeningNeeded reply. This is due to Load Value Injection (aka LVI) mitigations required. More info on LVI and other SAs can be found in this forum post and INTEL-SA-00334.

Scott

DylanWangWQF commented 3 years ago

Hi @ScottR-Intel. I also hit this issue. I got a list of tcbinfo without advisoryIDs. Could you give me some suggestions?

{
    "tcbInfo": {
        "version": 2,
        "issueDate": "2021-04-06T00:57:06Z",
        "nextUpdate": "2021-05-06T00:57:06Z",
        "fmspc": "00906ed50000",
        "pceId": "0000",
        "tcbType": 0,
        "tcbEvaluationDataNumber": 10,
        "tcbLevels": [
            {
                "tcb": {
                    "sgxtcbcomp01svn": 17,
                    "sgxtcbcomp02svn": 17,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 6,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 10
                },
                "tcbDate": "2020-11-11T00:00:00Z",
                "tcbStatus": "SWHardeningNeeded"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 17,
                    "sgxtcbcomp02svn": 17,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 10
                },
                "tcbDate": "2020-11-11T00:00:00Z",
                "tcbStatus": "ConfigurationAndSWHardeningNeeded"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 15,
                    "sgxtcbcomp02svn": 15,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 6,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 10
                },
                "tcbDate": "2020-06-10T00:00:00Z",
                "tcbStatus": "OutOfDate"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 15,
                    "sgxtcbcomp02svn": 15,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 10
                },
                "tcbDate": "2020-06-10T00:00:00Z",
                "tcbStatus": "OutOfDateConfigurationNeeded"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 14,
                    "sgxtcbcomp02svn": 14,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 6,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 10
                },
                "tcbDate": "2019-12-11T00:00:00Z",
                "tcbStatus": "OutOfDate"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 14,
                    "sgxtcbcomp02svn": 14,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 10
                },
                "tcbDate": "2019-12-11T00:00:00Z",
                "tcbStatus": "OutOfDateConfigurationNeeded"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 13,
                    "sgxtcbcomp02svn": 13,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 2,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 9
                },
                "tcbDate": "2019-11-13T00:00:00Z",
                "tcbStatus": "OutOfDate"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 13,
                    "sgxtcbcomp02svn": 13,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 9
                },
                "tcbDate": "2019-11-13T00:00:00Z",
                "tcbStatus": "OutOfDateConfigurationNeeded"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 2,
                    "sgxtcbcomp02svn": 2,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 7
                },
                "tcbDate": "2019-05-15T00:00:00Z",
                "tcbStatus": "OutOfDate"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 1,
                    "sgxtcbcomp02svn": 1,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 7
                },
                "tcbDate": "2019-01-09T00:00:00Z",
                "tcbStatus": "OutOfDate"
            },
            {
                "tcb": {
                    "sgxtcbcomp01svn": 1,
                    "sgxtcbcomp02svn": 1,
                    "sgxtcbcomp03svn": 2,
                    "sgxtcbcomp04svn": 4,
                    "sgxtcbcomp05svn": 1,
                    "sgxtcbcomp06svn": 128,
                    "sgxtcbcomp07svn": 0,
                    "sgxtcbcomp08svn": 0,
                    "sgxtcbcomp09svn": 0,
                    "sgxtcbcomp10svn": 0,
                    "sgxtcbcomp11svn": 0,
                    "sgxtcbcomp12svn": 0,
                    "sgxtcbcomp13svn": 0,
                    "sgxtcbcomp14svn": 0,
                    "sgxtcbcomp15svn": 0,
                    "sgxtcbcomp16svn": 0,
                    "pcesvn": 6
                },
                "tcbDate": "2018-08-15T00:00:00Z",
                "tcbStatus": "OutOfDate"
            }
        ]
    },
    "signature": "b683a4f5b97864367646f0d70ec96f00004582f29fa53ec17443143b7521b26ab8cc7237827254b3b4c6b2fad0280fb4faaece863b48024a60c9d18d089662dc"
}

Some BIOS settings: I disabled and enabled the hyper-threading, and finally still got this.

(two BIOS screenshots)

ScottR-Intel commented 3 years ago

@ChrisVoile Did you get an error code from the QuoteVerificationSample? If so, what is the error?

DylanWangWQF commented 3 years ago

> @ChrisVoile Did you get an error code from the QuoteVerificationSample? If so, what is the error?

Hi @ScottR-Intel. Many thanks for your reply. I got the same warning as shown in the previous comment.

Info: ECDSA quote path: /home/dylan/code/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/quote.dat

Trusted quote verification:
    Info: get target info successfully returned.
    Info: sgx_qv_set_enclave_load_policy successfully returned.
    Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
    Info: App: sgx_qv_verify_quote successfully returned.
    Info: Ecall: Verify QvE report and identity successfully returned.
    Warning: App: Verification completed with Non-terminal result: a008

===========================================

Untrusted quote verification:
    Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
    Info: App: sgx_qv_verify_quote successfully returned.
    Warning: App: Verification completed with Non-terminal result: a008

Run on Ubuntu 18.04.5 LTS, Intel® Core™ i9-9900 CPU @ 3.10GHz × 16, Intel® UHD Graphics 630 (CFL GT2).

BIOS information:

BIOS Information
    Vendor: Dell Inc.
    Version: 1.7.0
    Release Date: 10/19/2020
    Address: 0xF0000
    Runtime Size: 64 kB
    ROM Size: 32 MB
    Characteristics:
        PCI is supported
        PNP is supported
        BIOS is upgradeable
        BIOS shadowing is allowed
        Boot from CD is supported
        Selectable boot is supported
        EDD is supported
        5.25"/1.2 MB floppy services are supported (int 13h)
        3.5"/720 kB floppy services are supported (int 13h)
        3.5"/2.88 MB floppy services are supported (int 13h)
        Print screen service is supported (int 5h)
        8042 keyboard services are supported (int 9h)
        Serial services are supported (int 14h)
        Printer services are supported (int 17h)
        ACPI is supported
        USB legacy is supported
        BIOS boot specification is supported
        Function key-initiated network boot is supported
        Targeted content distribution is supported
        UEFI is supported
    BIOS Revision: 1.7

System Information:

System Information
    Manufacturer: Dell Inc.
    Product Name: OptiPlex 7070
    Version: Not Specified
    Serial Number: 6P3JRZ2
    UUID: 4C4C4544-0050-3310-804A-B6C04F525A32
    Wake-up Type: Power Switch
    SKU Number: 092E
    Family: OptiPlex

Processor Information:

Processor Information
    Socket Designation: U3E1
    Type: Central Processor
    Family: <OUT OF SPEC>
    Manufacturer: Intel(R) Corporation
    ID: ED 06 09 00 FF FB EB BF
    Version: Intel(R) Core(TM) i9-9900 CPU @ 3.10GHz
    Voltage: 0.9 V
    External Clock: 100 MHz
    Max Speed: 4200 MHz
    Current Speed: 3069 MHz
    Status: Populated, Enabled
    Upgrade: Socket LGA1151
    L1 Cache Handle: 0x0014
    L2 Cache Handle: 0x0015
    L3 Cache Handle: 0x0016
    Serial Number: Not Specified
    Asset Tag: Not Specified
    Part Number: Not Specified
    Core Count: 8
    Core Enabled: 8
    Thread Count: 16
    Characteristics:
        64-bit capable
        Multi-Core
        Hardware Thread
        Execute Protection
        Enhanced Virtualization
        Power/Performance Control
fchinchilla commented 3 years ago

Is the internal graphics explicitly disabled in the BIOS? It appears to be on Auto and still enabled based on the info you provided.

DylanWangWQF commented 3 years ago

> Is the internal graphics explicitly disabled in the BIOS? It appears to be on Auto and still enabled based on the info you provided.

Hi @fchinchilla. After I switched it from Auto to NVIDIA HD Graphics and used the VGA port, I still hit the issue: Warning: App: Verification completed with Non-terminal result: a008

fchinchilla commented 3 years ago

Hi. I am not familiar with the BIOS options on your system. It may mean that your BIOS is choosing to display output via NVIDIA gfx card, but the Intel gfx card is still active (for a multi-monitor setup, for example). If it's fully disabled then lspci will not show the device.

Can you double check lspci to see if it is still active?

DylanWangWQF commented 3 years ago

> Hi. I am not familiar with the BIOS options on your system. It may mean that your BIOS is choosing to display output via NVIDIA gfx card, but the Intel gfx card is still active (for a multi-monitor setup, for example). If it's fully disabled then lspci will not show the device.
>
> Can you double check lspci to see if it is still active?

Hi @fchinchilla, here is the detailed information:

lspci -v | grep VGA
01:00.0 VGA compatible controller: NVIDIA Corporation GP107 [GeForce GTX 1050] (rev a1) (prog-if 00 [VGA controller])
dylan@labPC:~$ lspci -v
00:00.0 Host bridge: Intel Corporation Device 3e30 (rev 0d)
    Subsystem: Dell Device 092e
    Flags: bus master, fast devsel, latency 0
    Capabilities: <access denied>
    Kernel driver in use: skl_uncore
    Kernel modules: ie31200_edac

00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x16) (rev 0d) (prog-if 00 [Normal decode])
    Flags: bus master, fast devsel, latency 0, IRQ 122
    Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
    I/O behind bridge: 00003000-00003fff
    Memory behind bridge: a3000000-a40fffff
    Prefetchable memory behind bridge: 0000000090000000-00000000a1ffffff
    Capabilities: <access denied>
    Kernel driver in use: pcieport

00:02.0 Display controller: Intel Corporation Device 3e98 (rev 02)
    Subsystem: Dell Device 092e
    Flags: bus master, fast devsel, latency 0, IRQ 146
    Memory at a2000000 (64-bit, non-prefetchable) [size=16M]
    Memory at 80000000 (64-bit, prefetchable) [size=256M]
    I/O ports at 4000 [size=64]
    Capabilities: <access denied>
    Kernel driver in use: i915
    Kernel modules: i915

00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th Gen Core Processor Gaussian Mixture Model
    Subsystem: Dell Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th Gen Core Processor Gaussian Mixture Model
    Flags: fast devsel, IRQ 255
    Memory at a433f000 (64-bit, non-prefetchable) [disabled] [size=4K]
    Capabilities: <access denied>

00:12.0 Signal processing controller: Intel Corporation Cannon Lake PCH Thermal Controller (rev 10)
    Subsystem: Dell Device 092e
    Flags: fast devsel, IRQ 17
    Memory at a433e000 (64-bit, non-prefetchable) [size=4K]
    Capabilities: <access denied>
    Kernel driver in use: intel_pch_thermal
    Kernel modules: intel_pch_thermal

00:14.0 USB controller: Intel Corporation Cannon Lake PCH USB 3.1 xHCI Host Controller (rev 10) (prog-if 30 [XHCI])
    Subsystem: Dell Device 092e
    Flags: bus master, medium devsel, latency 0, IRQ 125
    Memory at a4320000 (64-bit, non-prefetchable) [size=64K]
    Capabilities: <access denied>
    Kernel driver in use: xhci_hcd

00:14.2 RAM memory: Intel Corporation Cannon Lake PCH Shared SRAM (rev 10)
    Subsystem: Intel Corporation Device 7270
    Flags: fast devsel
    Memory at a4336000 (64-bit, non-prefetchable) [disabled] [size=8K]
    Memory at a433d000 (64-bit, non-prefetchable) [disabled] [size=4K]
    Capabilities: <access denied>

00:15.0 Serial bus controller [0c80]: Intel Corporation Device a368 (rev 10)
    Subsystem: Dell Device 092e
    Flags: bus master, fast devsel, latency 0, IRQ 16
    Memory at 7d800000 (64-bit, non-prefetchable) [size=4K]
    Capabilities: <access denied>
    Kernel driver in use: intel-lpss
    Kernel modules: intel_lpss_pci

00:16.0 Communication controller: Intel Corporation Cannon Lake PCH HECI Controller (rev 10)
    Subsystem: Dell Device 092e
    Flags: bus master, fast devsel, latency 0, IRQ 145
    Memory at a433b000 (64-bit, non-prefetchable) [size=4K]
    Capabilities: <access denied>
    Kernel driver in use: mei_me
    Kernel modules: mei_me

00:17.0 SATA controller: Intel Corporation Cannon Lake PCH SATA AHCI Controller (rev 10) (prog-if 01 [AHCI 1.0])
    Subsystem: Dell Device 092e
    Flags: bus master, 66MHz, medium devsel, latency 0, IRQ 126
    Memory at a4334000 (32-bit, non-prefetchable) [size=8K]
    Memory at a433a000 (32-bit, non-prefetchable) [size=256]
    I/O ports at 4090 [size=8]
    I/O ports at 4080 [size=4]
    I/O ports at 4060 [size=32]
    Memory at a4339000 (32-bit, non-prefetchable) [size=2K]
    Capabilities: <access denied>
    Kernel driver in use: ahci
    Kernel modules: ahci

00:1b.0 PCI bridge: Intel Corporation Device a340 (rev f0) (prog-if 00 [Normal decode])
    Flags: bus master, fast devsel, latency 0, IRQ 123
    Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
    Memory behind bridge: a4200000-a42fffff
    Capabilities: <access denied>
    Kernel driver in use: pcieport

00:1c.0 PCI bridge: Intel Corporation Device a33b (rev f0) (prog-if 00 [Normal decode])
    Flags: bus master, fast devsel, latency 0, IRQ 124
    Bus: primary=00, secondary=03, subordinate=04, sec-latency=0
    Capabilities: <access denied>
    Kernel driver in use: pcieport

00:1f.0 ISA bridge: Intel Corporation Device a306 (rev 10)
    Subsystem: Dell Device 092e
    Flags: bus master, medium devsel, latency 0

00:1f.3 Audio device: Intel Corporation Cannon Lake PCH cAVS (rev 10)
    Subsystem: Dell Device 092e
    Flags: bus master, fast devsel, latency 32, IRQ 148
    Memory at a4330000 (64-bit, non-prefetchable) [size=16K]
    Memory at a4100000 (64-bit, non-prefetchable) [size=1M]
    Capabilities: <access denied>
    Kernel driver in use: snd_hda_intel
    Kernel modules: snd_hda_intel, snd_sof_pci

00:1f.4 SMBus: Intel Corporation Cannon Lake PCH SMBus Controller (rev 10)
    Subsystem: Dell Device 092e
    Flags: medium devsel, IRQ 255
    Memory at a4338000 (64-bit, non-prefetchable) [size=256]
    I/O ports at efa0 [size=32]
    Kernel modules: i2c_i801

00:1f.5 Serial bus controller [0c80]: Intel Corporation Cannon Lake PCH SPI Controller (rev 10)
    Subsystem: Dell Device 092e
    Flags: fast devsel
    Memory at fe010000 (32-bit, non-prefetchable) [size=4K]

00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (7) I219-LM (rev 10)
    Subsystem: Dell Ethernet Connection (7) I219-LM
    Flags: bus master, fast devsel, latency 0, IRQ 127
    Memory at a4300000 (32-bit, non-prefetchable) [size=128K]
    Capabilities: <access denied>
    Kernel driver in use: e1000e
    Kernel modules: e1000e

01:00.0 VGA compatible controller: NVIDIA Corporation GP107 [GeForce GTX 1050] (rev a1) (prog-if 00 [VGA controller])
    Subsystem: Dell GP107 [GeForce GTX 1050]
    Flags: bus master, fast devsel, latency 0, IRQ 147
    Memory at a3000000 (32-bit, non-prefetchable) [size=16M]
    Memory at 90000000 (64-bit, prefetchable) [size=256M]
    Memory at a0000000 (64-bit, prefetchable) [size=32M]
    I/O ports at 3000 [size=128]
    Expansion ROM at 000c0000 [disabled] [size=128K]
    Capabilities: <access denied>
    Kernel driver in use: nouveau
    Kernel modules: nvidiafb, nouveau

01:00.1 Audio device: NVIDIA Corporation GP107GL High Definition Audio Controller (rev a1)
    Subsystem: Dell GP107GL High Definition Audio Controller
    Flags: bus master, fast devsel, latency 0, IRQ 17
    Memory at a4080000 (32-bit, non-prefetchable) [size=16K]
    Capabilities: <access denied>
    Kernel driver in use: snd_hda_intel
    Kernel modules: snd_hda_intel

02:00.0 Non-Volatile memory controller: Toshiba America Info Systems Device 011a (prog-if 02 [NVM Express])
    Subsystem: Toshiba America Info Systems Device 0001
    Flags: bus master, fast devsel, latency 0, IRQ 16, NUMA node 0
    Memory at a4200000 (64-bit, non-prefetchable) [size=16K]
    Capabilities: <access denied>
    Kernel driver in use: nvme
    Kernel modules: nvme

03:00.0 PCI bridge: Texas Instruments XIO2001 PCI Express-to-PCI Bridge (prog-if 00 [Normal decode])
    Flags: bus master, fast devsel, latency 0
    Bus: primary=03, secondary=04, subordinate=04, sec-latency=32
    Capabilities: <access denied>

fchinchilla commented 3 years ago

Thanks for the info. If GFX has been disabled, then the other thing to look at would be https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html

There is a thread with more in-depth discussion here https://community.intel.com/t5/Intel-Software-Guard-Extensions/Remote-attestation-still-returns-quot-configuration-needed-quot/td-p/1186063
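A relying party still has to decide what to do with a non-terminal "configuration needed" style result like the ones this thread is about. The following is an added example, not code from the DCAP sample or from anyone in the thread: it accepts such a result only when every advisory the platform is flagged for is on an allowlist the deployment has verified as mitigated (the result-code values are assumed to mirror sgx_qve_header.h, and the advisory list is assumed to be the comma-separated list a verifier can take from the supplemental data in newer DCAP releases).

```c
/* Added example: relying-party policy for non-terminal DCAP quote
 * verification results.  Constants are assumed to mirror sgx_qve_header.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QV_RESULT_OK                             0x0000u
#define QV_RESULT_CONFIG_NEEDED                  0xa001u
#define QV_RESULT_SW_HARDENING_NEEDED            0xa007u
#define QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED 0xa008u

/* Advisories this deployment has confirmed as mitigated (constructed sample;
 * e.g. INTEL-SA-00289 after the BIOS/microcode update the thread mentions). */
static const char *const mitigated_sas[] = { "INTEL-SA-00289", NULL };

static int sa_is_mitigated(const char *sa) {
    for (int i = 0; mitigated_sas[i] != NULL; i++)
        if (strcmp(sa, mitigated_sas[i]) == 0) return 1;
    return 0;
}

/* Returns 1 to accept the quote, 0 to reject.  sa_list is the comma-separated
 * advisory list (assumed to come from the supplemental data). */
int accept_quote(uint32_t qv_result, const char *sa_list) {
    switch (qv_result) {
    case QV_RESULT_OK:
        return 1;
    case QV_RESULT_CONFIG_NEEDED:
    case QV_RESULT_SW_HARDENING_NEEDED:
    case QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED:
        break;                       /* non-terminal: consult the advisory list */
    default:
        return 0;                    /* terminal failures are never accepted */
    }
    char buf[256];
    if (sa_list == NULL || strlen(sa_list) >= sizeof buf) return 0;
    strcpy(buf, sa_list);
    int seen = 0;
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        seen++;
        if (!sa_is_mitigated(tok)) return 0;   /* unmitigated advisory: reject */
    }
    return seen > 0;                 /* flagged but no advisory named: reject */
}

int main(void) {
    printf("accept=%d\n", accept_quote(QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED,
                                       "INTEL-SA-00289"));
    return 0;
}
```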