Intel Software Guard Extensions Software and Trusted Computing Base Recovery Guidance

Published: 08/03/2022  

Last Updated: 11/02/2022

Intel SGX TCB Recovery Plans for Stale Data Read from Legacy xAPIC

An Intel SGX TCB recovery is planned for the enclave read scenario in Stale Data Read from Legacy xAPIC (Intel-SA-00657). Key dates are below:

  • The Development Environment for Intel® Software Guard Extensions (Intel® SGX) Attestation Service utilizing Intel® Enhanced Privacy ID (Intel® EPID) (IAS-DEV) will enforce the presence of microcode and software updates on in-scope Intel® SGX platforms November 8, 2022.
  • The Production Environment for Intel® SGX Attestation Service utilizing Intel® EPID (IAS-LIV) will enforce the presence of microcode and software updates on in-scope Intel® SGX platforms November 29, 2022.
  • For customers not using Intel EPID attestation, but are instead constructing their own attestation infrastructure using the Intel® SGX Provisioning Certification Service (Intel® SGX PCS), new Endorsements / Reference Values (i.e. PCK Certificates and verification collateral) based on prior Intel Product Updates (IPU) / 3rd Generation Intel® Xeon® Scalable Processors, Codename IceLake-SP Post Launch Releases will be available November 29, 2022. These customers decide when to enforce the microcode and software update as part of their appraisal policies.  

Intel® Xeon® Scalable processors code name Ice Lake: PLR3 Microcode Installation Sighting and Guidance

Description

If the 3rd Generation Intel® Xeon® Scalable Processors, code name Icelake-SP Post Launch Release 3 (PLR3) microcode update (MCU) is loaded at reset (otherwise known as FIT-loaded1) and the platform then executes the TCB Recovery Boot Flow2, a microcode (MCheck) error occurs that causes Intel® Software Guard Extensions (Intel® SGX) to be disabled.

Additional Details

Most Intel SGX customers leverage the Initial Platform Establishment (IPE) flow3. However, an Intel SGX customer that needs to collect / gather PCK certificates into a cache may be utilizing the TCB Recovery Boot Flow (to be able to maintain the same set of PCK certificates after an MCU). Alternatively, another usage may be customers leveraging the Sealing capability (encrypting enclave secrets for persistent storage to disk).

Workaround

Use an Operating System Patch Load (OSPL, otherwise known as Runtime Microcode Update4) for PLR3 (0x375) MCU. 

Status

Intel recommends updating microcode for affected 3rd Generation Intel® Xeon® Scalable Processors to PLR3 out of band microcode patch (0x37b) or later. Currently, Intel does not recommend loading the PLR3 MCU at reset (FIT load). Care must be taken to preserve the contents of Intel SGX UEFI NVRAM variables to retain the ability to restore your previous SGX state. For additional questions or support, please contact Intel at SGX_program@intel.com.

 

Footnotes

  1. Refer to the Microcode Update Guidance for further details.
  2. For additional details on the TCB Recovery Boot Flow, refer to the Remote Attestation for Multi-Package Platforms using the Intel® SGX Datacenter Attestation Primitives (Intel® SGX DCAP) document, section 2.2. 
  3. Refer to section 2.2.1 of the Intel SGX DCAP document.
  4. Refer to the Microcode Update Guidance for further details.

Notices and Disclaimers

Intel processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.  

Intel technologies may require enabled hardware, software, or service activation. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.  

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.