Open tarun14110 opened 4 years ago
The "complicated" response means you are getting a CONFIGURATION_NEEDED response from IAS. That generally means you have a BIOS configuration that weakens the security posture of the platform. My best guess would be that Hyper-Threading is enabled.
Sorry, forgot to address the other half of this question. The "NotTrusted" response can be due to running in strict trust mode, which is a policy decision that says not to trust enclaves that result in a CONFIGURATION_NEEDED response from IAS. Can you verify whether you are using strict trust mode (the -X or --strict-trust-mode option to sp)?
Not sure if this is still needed, but there might be a CPU microcode update to solve your problem.
The ra-sample server side puts you on the track with the IAS report section (with VERBOSE=1 in the settings file):
---- IAS Report - JSON - Optional Fields -----------------------------------
platformInfoBlob = 150200650400090000111102040101070000000000000000000B00000B000000020000000000000BD5CEC3CBEF4141216C86BC247F206D1F3538F5D0C9A774D1FAD6EE660CFF7EB7276320BC64F5DBBFFBE24
revocationReason =
pseManifestStatus =
pseManifestHash =
nonce =
epidPseudonym = 33maxfdWgzGUWtwXpFFBbsUN/L+rN1vE+PnIAW3C0Qy+jlE9TRWxtW1sQ7Jse7B14eJbI5HTElG7qEnB+1Q14k4IjCFn5wjW7DpueFL2+w82mx5Afa+cNdxrx2nrlA3e5DM=
advisoryURL = https://security-center.intel.com
advisoryIDs = INTEL-SA-00161,INTEL-SA-00219,INTEL-SA-00289,INTEL-SA-00381,INTEL-SA-00389,INTEL-SA-00320,INTEL-SA-00329
----------------------------------------------------------------------------
The "advisoryIDs" refer to some mitigations that are needed for your CPU to be trusted.
To upgrade your microcode, either use a BIOS upgrade from your vendor and/or the Intel CPU microcode updates repo: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
It may not, however, solve your problem. I use an i7-7567U Intel NUC, the one that's recommended as an SGX testbench. I upgraded everything, my CPU is still "NOT TRUSTED and COMPLICATED"
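To make the two replies above concrete, here is an added example (not code from the sgx-ra-sample project) of how a verifier could read the IAS report fields printed in the VERBOSE output and turn them into a verdict. It models the policy as the thread describes it: an OK status is trusted, a CONFIGURATION_NEEDED status is "trusted but complicated" unless strict trust mode is on, in which case it becomes NotTrusted. Treating GROUP_OUT_OF_DATE the same way as CONFIGURATION_NEEDED, the verdict strings, the sample report and the function names are assumptions for illustration. The platformInfoBlob check relies only on the documented 4-byte TLV header (type, version, big-endian payload size), which is why a copy-pasted blob whose length does not match its header can be flagged.

```python
import json
from typing import Dict, List, Optional

# Verdict labels chosen to echo the thread's wording (constructed, not the sample's own names).
NOT_TRUSTED = "NotTrusted"
TRUSTED = "Trusted"
TRUSTED_COMPLICATED = "Trusted (it's complicated)"

# isvEnclaveQuoteStatus values meaning "the enclave is fine but the platform needs
# attention". Assumption: GROUP_OUT_OF_DATE is handled like CONFIGURATION_NEEDED.
CONDITIONAL_STATUSES = {"CONFIGURATION_NEEDED", "GROUP_OUT_OF_DATE"}


def parse_platform_info_blob(hex_blob: str) -> Dict[str, int]:
    """Parse the TLV header of an IAS platformInfoBlob.

    Layout: type (1 byte, 0x15 = platform info), version (1 byte),
    payload size (2 bytes, big-endian), then the payload itself.
    Returns the header fields plus whether the payload length matches the header,
    so a truncated or mangled blob is caught before it is fed back to the enclave.
    """
    raw = bytes.fromhex(hex_blob)  # raises ValueError on odd-length/non-hex input
    if len(raw) < 4:
        raise ValueError("platformInfoBlob shorter than its 4-byte TLV header")
    declared = int.from_bytes(raw[2:4], "big")
    actual = len(raw) - 4
    return {
        "type": raw[0],
        "version": raw[1],
        "declared_size": declared,
        "actual_size": actual,
        "complete": actual == declared,
    }


def parse_advisories(value) -> List[str]:
    """advisoryIDs is a JSON array in the IAS report; the sample prints it comma-joined."""
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return []


def evaluate_report(report_json: str, strict_trust_mode: bool) -> dict:
    """Apply the trust policy described in the thread to one IAS report body."""
    report = json.loads(report_json)
    status = report.get("isvEnclaveQuoteStatus", "")
    advisories = parse_advisories(report.get("advisoryIDs", []))

    if status == "OK":
        verdict = TRUSTED
    elif status in CONDITIONAL_STATUSES:
        # Strict trust mode refuses anything that is not a clean OK.
        verdict = NOT_TRUSTED if strict_trust_mode else TRUSTED_COMPLICATED
    else:
        # SIGNATURE_INVALID, GROUP_REVOKED, etc. are never trusted.
        verdict = NOT_TRUSTED

    pib: Optional[Dict[str, int]] = None
    if report.get("platformInfoBlob"):
        pib = parse_platform_info_blob(report["platformInfoBlob"])

    return {
        "status": status,
        "verdict": verdict,
        "advisories": advisories,
        "platform_info": pib,
    }


# Constructed sample reports for demonstration; the blob is a well-formed header
# (type 0x15, version 2, 101-byte payload) over an all-zero payload.
SAMPLE_REPORT_CONFIG_NEEDED = json.dumps({
    "id": "constructed-report-id",
    "isvEnclaveQuoteStatus": "CONFIGURATION_NEEDED",
    "platformInfoBlob": "15020065" + "00" * 101,
    "advisoryURL": "https://security-center.intel.com",
    "advisoryIDs": ["INTEL-SA-00161", "INTEL-SA-00219"],
})
SAMPLE_REPORT_OK = json.dumps({"id": "constructed-ok", "isvEnclaveQuoteStatus": "OK"})


if __name__ == "__main__":
    for strict in (False, True):
        result = evaluate_report(SAMPLE_REPORT_CONFIG_NEEDED, strict_trust_mode=strict)
        print(f"strict={strict}: {result['verdict']}, advisories={result['advisories']}")
```

Run with strict trust mode off and the constructed report evaluates to the "complicated" verdict while listing the advisories the operator still has to act on; with strict mode on the same report is NotTrusted, which is the behaviour the -X/--strict-trust-mode question above is probing.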
I have updated my BIOS to the latest version. In the debug mode my client receives
I am using a DELL optiplex tower 7070 and updated the BIOS to latest version to 1.3.1 https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=g5cnt&oscode=wt64a&productcode=optiplex-7070-desktop
This version has patched the security bug INTEL-SA-00219 that the client is receiving in the report from IAS. Do you have any idea what I'm doing wrong here?