Disclosure date: 2024-03-12 | Published date: 2024-03-12
Severity rating: 6.1 Medium
Industry-wide severity ratings can be found in the National Vulnerability Database.
Related Content
- INTEL-SA-00960
- CVE-2023-22655
- Intel Processor Microcode Packages for Linux*
- Intel Firmware Support Binaries
Introduction
On 3rd and 4th Generation Intel® Xeon® Scalable processors, malicious BIOS or System Management Mode (SMM, also referred to as runtime BIOS) firmware could be configured in such a way that the security protections of software running in confidential computing technology environments, such as Intel® Software Guard Extensions (Intel® SGX) or Intel® Trust Domain Extension (Intel® TDX), may be compromised.
The BIOS and SMM firmware, which are outside the Trusted Computing Base (TCB) of the above technologies, could potentially configure certain system registers incorrectly, resulting in potential data corruption or information exposure in confidential computing applications.
Because BIOS is required to configure the system in order to enable Intel SGX and Intel TDX, a BIOS update is needed in addition to the microcode update to mitigate the issue. For the mitigation to take effect, the microcode update must be Firmware Interface Table (FIT) loaded, and a system reboot is required.
Intel is providing a microcode update (MCU) which verifies that critical system registers are correctly configured to mitigate the Trusted Execution Configuration Register Access (TECRA) issue. If these configuration steps are not completed correctly, Intel SGX and Intel TDX will not be made available on the platform. Intel is also providing updated BIOS reference code, which includes the necessary changes for BIOS vendors.
For Intel® SGX and Intel® TDX enabled platforms, a mitigation is provided in IPU 2024.1 that write protects critical registers. The subset of these critical registers that must remain accessible for functional reasons is monitored through a monitoring protocol; if any of these registers is mis-programmed, the result is a Machine Check Architecture (MCA) error. In IPU 2024.3, this monitoring is disabled for non-Intel SGX systems (a.k.a. non-confidential compute systems) on 3rd Generation Intel Xeon Processors (formerly known as Ice Lake SP and Ice Lake D), 4th Generation Intel Xeon Processors (Sapphire Rapids), and 5th Generation Intel Xeon Processors (Emerald Rapids).
In Intel SGX and Intel TDX enabled platforms, these same system registers are not at risk of incorrect configuration from tenant operating systems (OSes) or hypervisors, as those registers are now protected by this mitigation.
This document provides guidance to BIOS vendors and other firmware developers on how to integrate such changes.
Trusted Execution Configuration Register Access is assigned CVE-2023-22655 / CVSS 6.1 (Medium) CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N.
Mitigation
Intel is releasing a microcode update and BIOS reference code update to remove access to registers that impact Intel SGX and Intel TDX configurations. The mitigation is effective with installation of the microcode update. In order to enable Intel SGX or Intel TDX on mitigated platforms properly, the BIOS updates must be deployed together with the microcode update.
Refer to the latest BIOS reference code for an update on Design for Debug (DFx) access to certain registers, which needs to be included in customers' BIOS. A system reboot is required for the mitigation to take effect. This microcode update has a security version number (SVN and SE_SVN) update.
MCU and BIOS Compatibility
If Intel SGX is enabled with an older BIOS (pre-IPU 2024.1) and later microcode (IPU 2024.1 and later), Intel SGX will not start due to the BIOS not programming registers properly. The latest BIOS programs register fields, which are validated with the corresponding microcode update. Once programmed properly, the microcode update will allow Intel SGX to be enabled.
BIOS
There are two changes in BIOS required for this mitigation to work:
- The updated BIOS reference code now uses a BIOS to P-code (B2P) mailbox application programming interface (API) for Intel® Ultra Path Interconnect (Intel® UPI)¹ to access the bios_kti_err_st register. This change only applies to 4th Generation Intel Xeon Scalable processors (formerly codenamed Sapphire Rapids).
- BIOS reference code has removed the Design for Debug (DFx) access to certain registers to contain the security boundary. Refer to the latest BIOS reference code for details.
Note: BIOS vendors should confirm that they are programming the PRMRR registers (BASE_0 and MASK) as specified in the BIOS reference code/BIOS writer's guide for both Intel SGX and non-Intel SGX cases.
Microcode Update
The latest microcode update verifies the following:
- Configuration registers are programmed accurately.
- WAC registers are updated so that only trusted agents can access the configuration registers, meaning that:
  - Credit and coherency knobs cannot be updated by an untrusted agent.
  - Machine Check Architecture (MCA) cannot be disabled by an untrusted agent.
Affected Processors
Intel expects the following processors to be affected by Trusted Execution Configuration Register Access. Mitigation for this issue on these processors requires systems to load the microcode and firmware versions listed below. Note that client processors are not affected by Trusted Execution Configuration Register Access. Processors which have reached their End of Servicing Lifetime are not listed here; Intel does not plan to evaluate whether any such processors are affected.
Processor | Stepping | Code Names / Microarchitectures | Product Family | Microcode Version | BIOS Version |
---|---|---|---|---|---|
06_6AH | 6 | Ice Lake Xeon-SP | 3rd Generation Intel® Xeon® Scalable processor family | 0x0d0003d1 | 30.P.41 |
06_6CH | 1 | Ice Lake Xeon-D | Intel® Xeon® D Processor | 0x01000280 | 27.D77 |
06_8FH | 5, 6, 7, 8 | Sapphire Rapids | 4th Generation Intel® Xeon® Scalable processors | 0x2b000571 | 106.D57 |
06_8FH | 5, 6, 8 | Sapphire Rapids (Golden Cove) | Intel® Xeon® CPU Max Series processors (High Bandwidth Memory, HBM) | 0x2c000351 | 106.D57 |
06_8FH | 5, 6, 7, 8 | Sapphire Rapids Edge Enhanced LCC (Golden Cove) | 5th Generation Intel Xeon Scalable Processors | 0x2b000571 | 106.D57 |
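As an added example (not Intel's code or tooling), the following script checks a Linux host's `/proc/cpuinfo` against the microcode minimums in the table above, so an operator can tell whether an affected part is still running a pre-mitigation revision. The `/proc/cpuinfo` excerpt is constructed, and the rule that the top byte of a revision identifies the microcode line (0x2b… versus 0x2c… on Sapphire Rapids) is an assumption of this example, not something the advisory states.

```python
# Rows transcribed from the Affected Processors table above, keyed by
# (cpu family, model): (steppings, min microcode, min BIOS, code name).
TECRA_TABLE = {
    (6, 0x6A): [({6}, 0x0D0003D1, "30.P.41", "Ice Lake Xeon-SP")],
    (6, 0x6C): [({1}, 0x01000280, "27.D77", "Ice Lake Xeon-D")],
    (6, 0x8F): [
        ({5, 6, 7, 8}, 0x2B000571, "106.D57", "Sapphire Rapids"),
        ({5, 6, 8}, 0x2C000351, "106.D57", "Xeon CPU Max (Sapphire Rapids HBM)"),
        ({5, 6, 7, 8}, 0x2B000571, "106.D57", "Sapphire Rapids Edge Enhanced LCC"),
    ],
}

# Constructed /proc/cpuinfo excerpt: a Sapphire Rapids part (model 143 = 0x8F)
# running a revision older than the table minimum.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 143
stepping\t: 8
microcode\t: 0x2b000461
"""

def parse_cpuinfo(text):
    """Return (family, model, stepping, microcode) for the first CPU listed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())  # keep CPU 0 only
    return (int(fields["cpu family"]), int(fields["model"]),
            int(fields["stepping"]), int(fields["microcode"], 16))

def tecra_status(family, model, stepping, microcode):
    """Compare an installed microcode revision with the advisory minimum."""
    rows = [r for r in TECRA_TABLE.get((family, model), []) if stepping in r[0]]
    if not rows:
        return {"status": "not-listed", "part": None}
    # Assumption (not stated in the advisory): the top byte of a revision
    # identifies the microcode line, e.g. 0x2b.. vs 0x2c.. on Sapphire Rapids.
    same_line = [r for r in rows if r[1] >> 24 == microcode >> 24]
    if not same_line:
        return {"status": "unknown", "part": rows[0][3]}
    _, min_rev, min_bios, name = max(same_line, key=lambda r: r[1])
    status = "mitigated" if microcode >= min_rev else "vulnerable"
    return {"status": status, "part": name, "min_microcode": min_rev,
            "min_bios": min_bios}
```

On a real host call `tecra_status(*parse_cpuinfo(open("/proc/cpuinfo").read()))`; a "mitigated" result covers only the microcode revision, so the BIOS version still has to be compared with `min_bios` separately (for example via `dmidecode -s bios-version`), as the MCU and BIOS Compatibility section requires.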
Footnotes
- Intel® UPI was code named Keizer Technology Interconnect (KTI) during development.