Q1 2024 Intel Trusted Computing Base Recovery Guidance

Summary

Intel will be executing an Intel® Software Guard Extensions (Intel® SGX) Trusted Computing Base (TCB) Recovery starting in March 2024. Once complete, the TCB level will reflect enforced security updates and mitigations for Intel® SGX-enabled products in scope for IPU 2024.1 and both 4th Generation Intel® Xeon® Scalable Processors (formerly code-named Sapphire Rapids) and 5th Generation Intel Xeon Scalable Processors.

Additionally, Intel will execute an Intel® Trust Domain Extensions (Intel® TDX) Trusted Computing Base (TCB) Recovery starting in March 2024. Once complete, the TCB will reflect enforced security updates and mitigations for 4th and 5th Generation Intel® Xeon® Scalable Processors. 

Based on collaboration with and feedback from platform owners and ecosystem participants, Intel intends to maintain a rigorous and predictable schedule for security updates, while striving to minimize disruption due to TCB Recovery enforcement cycles. We continue to work to evolve options available to the ecosystem as part of Intel’s Datacenter Attestation Primitives (DCAP) software to enable additional customer-configurable policies based on their trust policies and tolerances (see the Appraisal Engine Developer Guide for additional details). 

Intel® Software Guard Extensions (Intel® SGX)

Mitigations in Scope of this TCB Recovery

The presence of mitigations for the following security advisories will be enforced in this TCB Recovery:

• 2024.1 IPU – Intel® Atom® Processor Advisory (INTEL-SA-00898 and Technical Paper). 
• 2024.1 IPU – Intel® Xeon® Processor Advisory (INTEL-SA-00960 and Technical Paper).
  • Note: For all affected products, when the microcode update is applied via the FIT table, the BIOS must also be updated. Otherwise, Intel SGX will not start.
• 2024.1 IPU – 4th Gen Intel® Xeon® Processor Advisory (INTEL-SA-00986).
• 2024.1 IPU – Intel® Xeon® D Processor Advisory (INTEL-SA-01045).

No new special responses (for example, CONFIGURATION_NEEDED) are introduced for the potential vulnerabilities mitigated in this cycle. Previous responses, and for which mitigations they appear for, can be found in the Security Center. Further TCB Recovery Guidance for developers is also available. 

Account / Partner Action Required

Partners who wish to gain confidence, via attestation, that the intended software is securely running within an enclave on an updated Intel SGX-enabled platform containing the latest patches, should complete the below recommendations. Each common partner type has a dedicated section. 

Platform Owners (including Cloud Service Providers (CSPs), Enterprise IT, Independent Software Vendors (ISVs) self-managing bare metal platforms, etc.)

• FIT load MCU (microcode update): This could include obtaining a new BIOS from your platform Original Equipment Manufacturer (OEM) / Original Device Manufacturer (ODM) that contains the microcode provided by Intel to mitigate issues in scope.
• For 3rd and 4th Generation Intel Xeon Scalable platforms, as well as Intel® Xeon® D Processors (code-named Idaville), you must re-register your platforms. This can be done either directly with the Intel® Software Guard Extensions Registration Service (Intel® SGX Registration Service), or indirectly with Intel® Provisioning Certification Service for ECDSA Attestation.  Reference the Remote Attestation for Multi-Package Platforms using Intel® SGX Datacenter Attestation Primitives (DCAP) documentation for further details. 
• Follow all prior configuration guidance for published mitigations as needed. For example, some platforms must be configured (via BIOS setup) with Intel® Hyper-Threading Technology (Intel® HT Technology) disabled to receive a particular Attestation response. 

Intel® SGX Software Vendors (such as ISVs)

Note: Intel always recommends updating to the latest SGX software. This includes, but is not limited to, the Intel® Software Guard Extensions Platform Software (Intel® SGX PSW), the Intel® Software Guard Extensions Datacenter Attestation Primitives (Intel® SGX DCAP), and the Intel® Software Guard Extensions Software Development Kit (Intel® SGX SDK). The versions specified below are not the latest. Instead, they are the oldest versions that allow the best possible attestation response. “Best possible attestation response” varies based on the attested platform (and its configuration), but in general that should be either OK (IAS) / UpToDate (Intel SGX PCS) or SW_HARDENING_NEEDED (IAS) / SWHardeningNeeded (Intel SGX PCS). Refer to the Security Center documentation for further details regarding attestation responses. 

• If leveraging the Intel® Software Guard Extensions Attestation Service Utilizing Intel® Enhanced Privacy ID (commonly referred to as IAS), update your Intel® Software Guard Extensions Platform Software (Intel® SGX Platform Software) to at least v2.17 (for Linux* OS) or v2.16 (for Windows* OS) on all your Intel SGX Virtual Machines (VMs) / bare metal OS installs. This is unchanged since the previous TCB Recovery. 
• If leveraging Intel® SGX Provisioning Certification Service (Intel® SGX PCS), update your Intel® SGX DCAP software to at least v1.14. This is unchanged since the previous TCB Recovery. 
• Update your Intel SGX SDK for Linux OS to at least v2.17, or your Intel SGX SDK for Windows OS to v2.16; Intel recommends incrementing all your enclaves’ ISVSVNs, and then recompile, re-sign, and re-deploy your enclaves.
• If performing your own attestation service/quote verification, make sure your verification code can manage all security configurations and special responses from IAS / Intel SGX PCS and Intel SGX DCAP QVL (Quote Verification Library).  

Important Note: As stated in the Summary, no new special responses (for example, CONFIGURATION_NEEDED) are introduced for the potential vulnerabilities mitigated with IPU 2024.1.

Attestation Service/Quote Generation/Verification Owners

• If you own or control your infrastructure, for 3rd and 4th Generation Intel Xeon Scalable platforms, as well as Intel Xeon D Processors (code-named Idaville), you must re-register your platforms. This can be done either directly with the Intel SGX Registration Service, or indirectly with Intel SGX PCS. Reference this documentation for details.  Otherwise, follow the procedure specified by your infrastructure provider.
• Download new platform Provisioning Certification Key (PCK) certificates for your platforms. If you own or control your infrastructure, you can download the PCK certificates directly from Intel SGX PCS. Otherwise, follow the procedure specified by your infrastructure provider. 
• If running a Provisioning Certification Caching Service (PCCS), download and cache new attestation verification collateral (for example, TCB Info and QEIdentity) for the updated TCB levels. Otherwise, follow the procedure specified by your infrastructure provider.

TCB Recovery - Key Dates for IAS and Intel SGX DCAP Customers

For platforms in scope for the TCB Recovery, Intel’s services will be updated following the public disclosure of IPU 2024.1. Key dates for production updates are below.

Unless otherwise specified, updates are targeted around 11 pm Pacific Standard Time. Dates listed below are defaults; customers electing to leverage the optional “update” URL parameter may have earlier dates (reference the service documentation for additional detail: Intel SGX PCS API Documentation / IAS API Documentation). As previously communicated, IAS customers should also be aware of the IAS End-of-Life (EOL) Timeline.

IAS Customers

• March 26, 2024 – Development Enforcement: The Development Environment for IAS (IAS-DEV) will enforce the presence of microcode and software updates on platforms in scope.
  • Platforms in scope (listed by CPUID): 706A1, 706A8 (Product Lookup)
• June 25, 2024 – Production Enforcement: The Production Environment for IAS (IAS-LIV) will enforce the presence of microcode and software updates on platforms in scope (see above).

Intel SGX DCAP Customers

• June 25, 2024 – Availability of new Endorsements / Reference Values (i.e., verification collateral) for all in-scope Intel SGX platforms supporting Elliptic Curve Digital Signature Algorithm (ECDSA) attestation (via the Provisioning Certification Service).

Intel® Trust Domain Extensions (Intel® TDX)

Mitigations in Scope for this TCB Recovery

The presence of mitigations for the following security advisories will be enforced in this TCB recovery:

• 2024.1 IPU – Intel® Xeon® Processor Advisory (INTEL-SA-00960 and Technical Paper).
  • Note: For all affected products, when the microcode update is applied via the FIT table, the associated BIOS changes must also be updated. Otherwise, Intel® Trust Domain Extensions will not be available on the product.
• 2024.1 IPU – Intel® Processor Return Predictions Advisory (INTEL-SA-00982).
• 2024.1 IPU – 4th Gen Intel® Xeon® Processor Advisory (INTEL-SA-00986).

Account / Partner Action Required

Guidance (including any pertinent pass-through messaging) will be communicated to applicable Intel TDX customers separately. 

TCB Recovery - Key Dates for Intel TDX DCAP Customers

For platforms in scope for the TCB Recovery, Intel’s services will be updated following the public disclosure of IPU 2024.1. Key dates for production updates are below.

Unless otherwise specified, updates are targeted around 11 pm Pacific Standard Time. Dates listed below are defaults; customers electing to leverage the optional “update” URL parameter may have earlier dates (reference the services documentation for additional details). 

Intel SGX DCAP Customers

• June 25, 2024 – Availability of new Endorsements / Reference Values (i.e., verification collateral) for all in-scope Intel TDX platforms supporting Elliptic Curve Digital Signature Algorithm (ECDSA) attestation (via the Provisioning Certification Service).