Article ID: 000057653 Content Type: Error Messages Last Reviewed: 07/26/2021

Remote Attestation Reports Security Vulnerabilities even when Latest Microcode is Installed

Environment

Intel® Xeon® CPU E3 seriesLatest Intel® Software Guard Extensions (Intel® SGX) SDKMicrocode version 0xd6 or later

BUILT IN - ARTICLE INTRO SECOND COMPONENT
Summary

How to mitigate result "GROUP_OUT_OF_DATE" from Intel Attestation Service (IAS)

Description
  • Updated microcode to the latest version according to these instructions.
  • Ran sgx_sign -version to confirm that Intel® Software Guard Extensions (Intel® SGX) SDK is the latest version.
  • Ran remote attestation on sgx-ra-sample.
  • Intel Attestation Service (IAS) returned several security advisories and GROUP_OUT_OF_DATE response that require an update to the latest microcode and latest Intel® Software Guard Extensions (Intel SGX) Software Development Kit (SDK).
Resolution

The microcode files available from the Intel Linux Processor Microcode Files GitHub repository are operating system (OS) microcode updates but Intel® Software Guard Extensions (Intel® SGX) mitigations require early load microcode available in BIOS.

Follow these steps to mitigate Intel SGX issues:

  1. Refer to your OEM to get the latest BIOS and inquire if it has the latest microcode with the required fixes implemented.
  2. Install the early load microcode that comes with the latest BIOS from the OEM.
Additional information

The article Loading Microcode from the OS contains more information on the different types of microcode.

The Intel® Software Guard Extensions (Intel® SGX) SDK information is included in the Quote that the platform sends to the relying third party.

NoteIf you already have the latest Intel® Software Guard Extensions (Intel® SGX) SDK and the latest Intel SGX PSW and are still encountering SA-00293, it may be because other vulnerabilities are still unmitigated.

 

Related Products

This article applies to 1 products