Software Security Guidance
This information is designed for developers and systems experts looking to understand potential vulnerabilities and assess risk, with resources and recommendations for building more secure solutions.
Trusted Computing Base Recovery Attestation
Intel's Confidential Computing solutions make end-to-end protection of data possible. As silicon-rooted Trusted Execution Environment (TEE) technologies, Intel® Software Guard Extensions (Intel® SGX) and Intel® Trust Domain Extensions (Intel® TDX) offer solutions for protecting data in both applications and virtual machines. Intel SGX and Intel TDX support attestation so external parties can cryptographically verify the TEE as well as data processing inside the TEE.
When one or more Trusted Computing Base (TCB) components need to be updated on Intel® platforms to preserve active security properties, Intel uses a TCB Recovery (TCB-R) process in which the latest signed ingredients that make up the new TCB are added. The parties involved need to take action to deploy such updates so that relying parties can compare their report with a signed report and make a trust decision through a process called attestation.
For guidance on the TCB-R process for Intel technologies, including policies and best practices for attestation, see the Trusted Computing Base Recovery of Intel Trusted Execution Environments article.
Affected Processors: Trusted Computing Base Recovery Attestation
This table shows all currently supported Intel platforms, including those that support Intel SGX or Intel TDX. For those that participate in TCB-R, the action required to perform a successful recovery is listed by disclosure, with the accompanying security advisory (SA) from Intel listed for more information.
Processors are listed by product family. For specific product names, see Product Specifications. Processors that have met the end-of-servicing-lifetime (EOSL) milestone may not be listed in the following table, and the mitigation status of EOSL processors may not be evaluated. For more information on processors that are no longer supported and not listed in the table, see Support.
| CPUID Family_Model | Stepping | CPUID Hybrid Identification | Code Name(s) / Microarchitecture(s) | Product Family | Segment | CPUID¹ | MCU Update² (where applicable) | Microcode Keying (CVE-2023-43490, INTEL-SA-01045) | Register File Data Sampling (RFDS) (Floating Point/Integer / Single Instruction/Multiple Data) (CVE-2023-28746, INTEL-SA-00898) | On-chip Debug and Interface (CVE-2023-32666, INTEL-SA-00986) | Trusted Execution Configuration Register Access (CVE-2023-22655, INTEL-SA-00960) | Incomplete Branch Prediction Barrier (CVE-2023-38575, INTEL-SA-00982) | Improper Input Validation (CVE-2023-45745, INTEL-SA-01036) | Running Average Power Limit Derivative (RAPL) (CVE-2024-23984, INTEL-SA-01103) | Single-stepping Counter Bypass (CVE-2024-27457, INTEL-SA-01099) | Invalid DIMM and RFM (CVE-2024-22185, INTEL-SA-01111) | Incorrect Default (CVE-2024-21820, INTEL-SA-01079) | Resource Reuse (CVE-2024-21850, INTEL-SA-01076) | Incomplete Filtering (CVE-2024-39283, INTEL-SA-01010) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Intel Guidance: Updating Microcode | | | | | | | | TCB Counter 17, IPU 24.1 (Feb 2024) | TCB Counter 17, IPU 24.1 (Feb 2024) | TCB Counter 17, IPU 24.1 (Feb 2024) | TCB Counter 17, IPU 24.1 (Feb 2024) | TCB Counter 17, IPU 24.1 (Feb 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) | TCB Counter 18, IPU 24.3 / UPLR2 (Sept, Nov 2024) |
| 06_3FH | 2 | NA | Haswell Server EP, EP4S³ | Intel® Xeon® E processor family | Server | 306F2 | 0x4A | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_3FH | 4 | NA | Haswell Server EX³ | Intel® Xeon® E processor family | Server | 306F4 | 0x1b | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_4FH | 1 | NA | | | | 406F1 | 0b000041 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_55H | 3 | NA | Skylake Server | Intel® Xeon® Scalable processor family | Server | 50653 | 1000191 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_55H | 4 | NA | | | 1,2,3. Server; 4. Desktop | 50654 | 2007006 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_55H | 6 | NA | Cascade Lake Server | 2nd Generation Intel® Xeon® Scalable processor family | Server | 50656 | 04003006 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_55H | 7 | NA | | | | 50657 | 5003707 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_55H | B | NA | Cooper Lake | 3rd Generation Intel® Xeon® Scalable processor family | Server | 5065B | 7002904 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_56H | 3 | NA | Broadwell DE V2,V3 | Intel® Xeon® D processor family | Server | 50663 | 700001e | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_56H | 4 | NA | Broadwell DE Y0 | Intel® Xeon® D processor family | Server | 50664 | f00001b | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_56H | 5 | NA | | Intel® Xeon® D processor family | Server | 50665 | e000015 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_5CH | A | NA | Apollo Lake³ | Intel® Atom® Processor E3900 Series | Desktop, Mobile, Embedded | 506CA | 0x28 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_5EH | 3 | NA | 1. Skylake Xeon E3³; 2. Skylake H; 3. Skylake S | 1. Intel® Xeon® E processor family; 2. 6th Generation Intel® Core™ Processor Family | 1. Server, Workstation, Embedded; 2. Mobile; 3. Desktop | 506E3 | 0xf6 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_5FH | All | NA | Denverton (Goldmont) | Intel® Atom® C processor family | Server | 506F1 | 0x3e | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_6AH | 6 | NA | Ice Lake Xeon-SP | 3rd Gen Intel® Xeon® Scalable processor family | | 606A6 | 0d0003E7 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | MCU_OSPL_SGX_TCBR | Not Affected | ACM_BIOS | MCU_BIOS_TCBR | Not Affected | Not Affected |
| 06_6CH | All | NA | Ice Lake Xeon D (Idaville) | Intel® Xeon® D Processor | Embedded | 606C1 | 10002B0 | MCU_OSPL_SGX_TCBR | Not Affected | Not Affected | MCU_BIOS_TCBR | Not Affected | Not Affected | MCU_OSPL_SGX_TCBR | Not Affected | ACM_BIOS | MCU_BIOS_TCBR | Not Affected | Not Affected |
| 06_7AH | 1 | NA | Gemini Lake | | Desktop, Mobile, Embedded | 706A1 | 0x40 | Not Affected | MCU_BIOS_TCBR (SGX) | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_7AH | 8 | NA | Gemini Lake | | | 706A8 | 0x24 | Not Affected | MCU_BIOS_TCBR (SGX) | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_7EH | 5 | NA | Ice Lake U, Ice Lake Y | 10th Generation Intel® Core™ Processor Family | Mobile | 706E5 | 0xc6 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_86H | 5 | NA | Snow Ridge BTS (Tremont) | Intel® Atom® Processor P5900 | Networking Server (Basestation) | 80665 | 4c000026 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_86H | 7 | NA | Parker Ridge / Snow Ridge NS/NX/BTS | Intel Atom® Processor C5000; Intel Atom® Processor P5300; Intel® Atom® Processor P5700; Intel Atom® Processor P5900 | Networking Server (Basestation) | 80667 | 4c000026 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8CH | 1 | NA | Tiger Lake U² | 11th Generation Intel® Core™ Processor Family | Mobile | 806C1 | 0xb8 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8CH | 1 | NA | Tiger Lake U² | 11th Generation Intel® Core™ Processor Family | Embedded | 806C1 | 0xb8 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8CH | 2 | NA | | 11th Generation Intel® Core™ Processor Family | Mobile | 806C2 | 0x38 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8DH | 1 | NA | Tiger Lake H² | | Mobile, Workstation | 806D1 | 0x52 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8DH | 1 | NA | Tiger Lake H² | | Embedded | 806D1 | 0x52 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8EH | 9 | NA | | 1. 8th Generation Intel® Core™ Processor Family; 2,3,4. 7th Generation Intel® Core™ Processor Family | Mobile | 806E9 | 0xf6 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8EH | A | NA | | 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | 0xf6 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8EH | B | NA | Whiskey Lake U | 8th Generation Intel® Core™ Processors | Mobile | 806EB | 0xf6 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8EH | C | NA | 5. Amber Lake Y | | Mobile | 806EC | 0xfc | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_8FH | 5, 6, 7, 8 | CPUID.0x7.EDX[15] = 0 | Sapphire Rapids; Sapphire Rapids Edge Enhanced (Golden Cove) | 4th Generation Intel® Xeon® Scalable processors; 5th Generation Intel® Xeon® Scalable processors; 4th Generation Intel® Xeon® Platinum processors; 4th Generation Intel® Xeon® Gold Processors; 4th Generation Intel® Xeon® Silver Processors; 4th Generation Intel® Xeon® Bronze Processors; 4th Gen Intel Xeon Scalable Processors with Intel® vRAN; Intel® Xeon® W workstation processors | Server, Workstation | 806F5, 806F6, 806F7, 806F8 | 0x2b000603 | Not Affected | Not Affected | MCU_BIOS_TCBR | MCU_BIOS_TCBR | MCU_OSPL_SGX_TCBR | TDX_M | MCU_OSPL_SGX_TCBR, MCU_OSPL_TDX_TCBR | TDX_M | ACM_BIOS | MCU_BIOS_TCBR | ACM_BIOS (TDX) | TDX_M |
| 06_8FH | 5, 6, 8 | CPUID.0x7.EDX[15] = 0 | Sapphire Rapids (Golden Cove) | Intel® Xeon® CPU Max Series processors (High Bandwidth Memory, HBM) | Server | 806F5, 806F6, 806F8 | 0x2b000603 | Not Affected | Not Affected | MCU_BIOS_TCBR | MCU_BIOS_TCBR | MCU_OSPL_SGX_TCBR | TDX_M | MCU_OSPL_SGX_TCBR, MCU_OSPL_TDX_TCBR | TDX_M | ACM_BIOS | MCU_BIOS_TCBR | ACM_BIOS (TDX) | TDX_M |
| 06_96H | All | NA | Elkhart Lake (Tremont) | Intel® Atom® Processors | Embedded | 90660, 90661 | 0x1A | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_97H | 2 | CPUID.0x7.EDX[15] = 1 | Alder Lake S (Golden Cove, Gracemont)² | 12th Generation Intel® Core™ Processor Family | Embedded, Desktop | 90672 | 0x37 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_97H | 5 | CPUID.0x7.EDX[15] = 1 | Alder Lake S (Golden Cove, Gracemont)² | 12th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Family; Intel® Celeron® Processor Family | Desktop, Embedded | 90675 | 0x37 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_97H | 5 | CPUID.0x7.EDX[15] = 0; CPUID.0x1A.EAX[31:24] = 40 | Catlow (Golden Cove) | Intel Pentium Processor G7400/G7400T | Server | 90675 | 0x37 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9AH | 3 | CPUID.0x7.EDX[15] = 1 | | | Mobile, Embedded | 906A3 | 0x435 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9AH | 4 | CPUID.0x7.EDX[15] = 1 | | 12th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Family; Intel® Celeron® Processor Family | Mobile, Embedded | 906A4 | 0x435 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9AH | 4 | CPUID.0x7.EDX[15] = 0 | Arizona Beach (Gracemont) | Intel® Atom® Processors | Embedded | 906A4 | 0x07 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9CH | All | NA | Jasper Lake (Tremont) | Intel® Atom® Processors | Desktop, Mobile, Embedded | 906C0 | 24000026 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9EH | 9 | NA | | | | 906E9 | 0xf8 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9EH | A | NA | | | 1. Mobile; 2. Workstation, AMT Server, Server; 3,4. Desktop | 906EA | 0xf8 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9EH | B | NA | Coffee Lake S | | Desktop | 906EB | 0xf6 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9EH | C | NA | Coffee Lake S | 9th Generation Intel® Core™ Processor Family | Desktop | 906EC | 0xf8 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_9EH | D | NA | | | | 906ED | 0x100 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_A5H | 2 | NA | Comet Lake H | 10th Generation Intel® Core™ Processor Family; Intel® Xeon® W processor family | Mobile, Workstation | A0652 | 0xfc | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_A5H | 3 | NA | Comet Lake S | 10th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Family; Intel® Celeron® Processor Family; Intel® Xeon® W processor family | Desktop, Workstation | A0653 | 0xfc | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_A5H | 5 | NA | Comet Lake S | 1: 10th Generation Intel® Core™ Processor Family; 2: Intel® Xeon® W processor family | Desktop, Workstation | A0655 | 0xfc | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_A6H | All | NA | Comet Lake U6² | 10th Generation Intel® Core™ Processor Family; Intel® Xeon® W processor family | Mobile, Desktop | A0660, A0661 | 0xfc | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_A7H | 1 | NA | Rocket Lake | 11th Generation Intel® Core™ Processor Family; Intel® Xeon® E-2300 Processor Family; Intel® Xeon® W-1300 processor family | 1: Desktop; 2: Server; 3: Workstation | A0671 | 0x62 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_AAH | 1 | CPUID.0x7.EDX[15] = 1 | Meteor Lake (Redwood Cove, Crestmont) | Intel® Core™ Ultra family | Desktop, Mobile | A06A4 | 0x1e | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_ADH | 0 | CPUID.0x7.EDX[15] = 0 | Granite Rapids (Redwood Cove) | Intel® Xeon® Scalable processor family | Server | A06D0 | | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_AFH | 2 | CPUID.0x7.EDX[15] = 0 | Sierra Forest (Crestmont) | Intel® Xeon® 6 processors | Server | A06F2 | | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_B7H | 1 | CPUID.0x7.EDX[15] = 1 | Raptor Lake S, Raptor Lake HX (Raptor Cove/Gracemont) | 13th Generation Intel® Core™ Processor Family; 14th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Family; Intel® Celeron® Processor Family | Desktop | B0671 | 0x125 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_B7H | 1 | CPUID.0x7.EDX[15] = 0; CPUID.0x1A.EAX[31:24] = 40 | Catlow (Raptor Cove) | Intel® Xeon® E processor family | Server | B0671 | 0x129 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_BAH | 2,3 | CPUID.0x7.EDX[15] = 1 | Raptor Lake P, Raptor Lake H, Raptor Lake U (Raptor Cove/Gracemont) | 13th Generation Intel® Core™ Processor Family; 14th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Family; Intel® Celeron® Processor Family | Mobile | B06A2, B06A3 | 0x4123 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_BDH | 1 | CPUID.0x7.EDX[15] = 1 | Lunar Lake (Lion Cove, Skymont) | Intel® Core™ Ultra 5, 7, 9 | Mobile | B06D1 | 0x116 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_BEH | 0 | CPUID.0x7.EDX[15] = 0 | Alder Lake-N (Gracemont) | Intel® Core™ Processor N series; Intel® Processor N-series; Intel Atom® Processor X Series | Mobile, Embedded | B06E0 | 0x18 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_BFH | 2, 5 (C0) | CPUID.0x7.EDX[15] = 1 | Raptor Lake S (Raptor Cove/Gracemont) | 13th Generation Intel® Core™ Processor Family; 14th Generation Intel® Core™ Processor Family; Intel® Processor U-series | Mobile | B06F2, B06F5 | 0x37 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_C6H | 2 | CPUID.0x7.EDX[15] = 1 | Arrow Lake (Lion Cove, Skymont) | Intel® Core™ Ultra 5, 7, 9 | Desktop | C0662 | 0x110 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected |
| 06_CFH | 2 | CPUID.0x7.EDX[15] = 0 | Emerald Rapids (Raptor Cove) | 5th Generation Intel® Xeon® Scalable processors | Server | C06F2 | 0x21000283 | Not Affected | Not Affected | Not Affected | Not Affected | Not Affected | TDX_M | MCU_OSPL_SGX_TCBR, MCU_OSPL_TDX_TCBR | TDX_M | ACM_BIOS | MCU_BIOS_TCBR | Not Affected | Not Affected |
Key
MCU: Mitigation requires a microcode update. It is runtime effective.
MCU_BIOS_TCBR: Mitigation requires an updated BIOS carrying new microcode only loadable in flash to be reflected in Intel SGX and Intel TDX attestation and TCB-R completion.
MCU_OSPL_SGX_TCBR: Mitigation eligible for Intel SGX runtime update. After OS Patch Loading (OSPL), tear down all enclaves, perform EUPDATESVN, and then relaunch any enclave. The new microcode update will be attestable and TCB-R will be complete. No further action is required for non-Intel SGX.
If the operating system enabling for the runtime update is not available, that is, EUPDATESVN is not supported by the operating system, attestation is possible with a warm reset. After a warm reset, and if OSPL is done prior to the loading of the first enclave, then neither EUPDATESVN support nor MCU_BIOS update is required.
If the above options are not feasible, treat this as MCU_BIOS_TCBR. For more information, see Microcode Update Guidance.
MCU_OSPL_TDX_TCBR: Mitigation eligible for Intel TDX runtime update. A new microcode update will be attestable. No further action is required for non-Intel TDX.
If the operating system enabling for the runtime update is not available, that is, TDPRESERVING is not supported by the virtual machine monitor (VMM), attestation is possible with a warm reset. After a warm reset, and if OSPL is done prior to the loading of the first enclave, then neither TDPRESERVING support nor MCU_BIOS update is required.
If the above options are not feasible, treat this as MCU_BIOS_TCBR. For more information, see Microcode Update Guidance.
ACM_BIOS: Mitigation requires an Authenticated Code Module (ACM) update, which is part of a BIOS update. A BIOS update and cold reset are required.
ACM_SINIT: Mitigation requires an update to Intel® Trusted Execution Technology, which can be updated at runtime for effectiveness, and is applicable to a VMM or host operating system. All virtual machines (VM) will be lost. A cold reset is required for attestation and complete TCB-R.
TDX_M: Mitigation requires an Intel TDX module update. When TDPRESERVING is supported by the VMM, mitigation is eligible for an Intel TDX module runtime update. A new Intel TDX module update will be attestable. No further action is required for non-Intel TDX.
If TDPRESERVING is not supported by the VMM, a warm reset is required for attestation. After a warm reset, the VMM loads the new Intel TDX module to complete TCB-R.
SGX_E: Mitigation requires updating and reloading an Intel SGX architectural enclave. A warm reset is not necessary for attestability and TCB-R completion.
Not Affected: Products are not affected or mitigated through hardware and may not be enumerated.
No Planned Mitigation: An issue exists but no mitigation is planned.
TCB-R 18 Dates
Unless otherwise specified, Intel service updates are targeted around 11 p.m. Pacific time.
November 12, 2024 (public disclosure): web parameter [update] = "early" specified with Intel® Software Guard Extensions Provisioning Certification Service and Intel® Trust Domain Extensions Provisioning Certification Service
Availability of new verification collateral for all in-scope Intel SGX and Intel TDX platforms supporting Elliptic Curve Digital Signature Algorithm (ECDSA) attestation. New verification collateral and Provisioning Certification Key (PCK) certificates are issued by the respective Intel SGX and Intel TDX Provisioning Certification Services.
November 12, 2025 (public disclosure plus 12 months): web parameter [update] = "standard" or no value specified (the default) with Intel SGX Provisioning Certification Service and Intel TDX Provisioning Certification Service
Availability of verification collateral published 12 months prior for all in-scope Intel SGX and Intel TDX platforms supporting ECDSA attestation.
Action Required
Mitigation updates for Intel SGX and Intel TDX can be found in the Best-Known Configuration (BKC) kit in Intel's Resource and Document Center (RDC). For specific RDC numbers, see the guidance documents in the Intel Platform Update collection.
Platforms with Intel TDX
Obtain the latest BIOS for your product from your original equipment manufacturer (OEM) and original device manufacturer (ODM). Ensure that it has the latest components shown in the following list integrated from the BKC kit on the RDC:
Platforms with Intel SGX
Obtain the latest BIOS for your product from your original equipment manufacturer (OEM) or original device manufacturer (ODM), ensuring it has the latest components listed as follows integrated from the BKC kit on the RDC:
Follow all prior Best-Known Configuration Guidance for published mitigations.
Software Using Intel SGX
Note: No new special responses are introduced for the potential vulnerabilities mitigated with Intel Platform Update 2024.3 and UPLR2 disclosed November 2024.
Enabling Quote Generation
If you own or control the infrastructure:
If you do not own or control the infrastructure:
Enabling Quote Verification
If you own or control the infrastructure:
If you do not own or control the infrastructure:
Errata (TCB-R 18)
Intel has identified an issue with Intel® Software Guard Extensions ECDSA Quote Verification Library (Intel® SGX ECDSA Quote Verification Library) where the list of advisory IDs (commonly known as the Security Advisory List) reported by the library may not be complete: Advisory IDs assigned to Intel TDX module identity may be missing. The issue does not affect the accuracy of the tcbStatus (that is, UpToDate, OutOfDate) or the tcbDate value reported by the library, only the completeness of the advisory IDs list. Intel has implemented a workaround to this issue in certain instances of the verification collateral (TCB Info) returned by the Intel SGX Provisioning Certification Service. For more details, see the Quote Verification Library (QVL) Errata blog.
Attestation Appraisal
While Intel SGX and Intel TDX developers generally condition program operations on up-to-date attestation verification responses, they may have different needs based on their risk tolerance, specific use cases, and other factors.
Intel offers several software paths for a customer to use enhanced attestation appraisal techniques. These techniques are intended to facilitate the evaluation of Intel SGX and Intel TDX hardware platforms before, during, and after an upgrade cycle or Intel public disclosure. At the same time, they allow for infrastructure provider and customer trust policies and tolerances.
- Intel® Tiber™ Trust Authority
- Intel® SGX Data Center Attestation Primitives (Intel SGX DCAP) software with attestation appraisal source code, samples, and documentation are available:
- Intel SGX DCAP on GitHub
- Appraisal Engine sample (located in the Intel SGX DCAP software branch)
- Appraisal Engine Developer Guide
Footnotes
¹ CPUID description: Example CPUID = 906EB. Family = 06 / Extended Model = 9 / Model Number = E / Stepping ID = B. See Intel Software Developer's Manual Version 071, Volume 2A, Figure 3-6 for reference.
² Intel recommends ensuring all security mitigations provided by Intel are applied and systems are running the latest firmware/MCU versions available. MCU updates may still be required for enumeration even when processors are not affected. Contact OS/VMM vendors for the latest software updates.
Linux users: The microcode image is named after the family/model/stepping. You can locate these from /proc/cpuinfo. Example: For Family 06, Model 85, Stepping 4 (values in decimal), the corresponding microcode file is 06-55-04 located in /lib/firmware/intel-ucode/ (values in hexadecimal).
Look at the microcode version number at the official public Intel microcode website. Calculate Family-Model-Stepping before downloading the appropriate microcode.
Windows users: Read the version with the following PowerShell command: reg query HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v "Update Revision"
Or use the Intel® Processor Identification Utility tool to check the microcode version and compare it against the latest microcode listed above.
For more information, see:
- How to Find the Microcode Version Currently Running on Your Processor
- A Brief Guide to Our Latest Processor and Naming Updates
³ This product has reached its End of Servicing Update date. For further information, see Support. For customers interested in extending updates beyond the end of servicing date, contact your Intel representative for details.
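The CPUID decoding in footnote 1 and the Linux intel-ucode naming rule in footnote 2 are easy to get wrong by hand (decimal in /proc/cpuinfo, hexadecimal in the file name and the table), so here is an added helper, not Intel's code, that derives the table's CPUID signature and the microcode file name from a /proc/cpuinfo excerpt and checks the running microcode revision against the MCU Update value the table lists for that signature. The cpuinfo text is constructed, the table subset is copied from the page, and the comparison assumes a newer microcode revision always has a numerically larger value.

```python
"""Decode a CPUID signature (footnote 1), derive the Linux intel-ucode file
name (footnote 2) and compare the running microcode revision with the MCU
Update revision the table lists.  Added example, not Intel code."""

# Constructed /proc/cpuinfo excerpt for one logical CPU.  The kernel prints
# family/model/stepping in decimal and the microcode revision in hex; the
# revision 0x2006e05 is a made-up value older than the table's 2007006.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
stepping\t: 4
microcode\t: 0x2006e05
"""

# Subset of the page's table: CPUID signature -> "MCU Update" revision.
TCBR18_MCU = {0x50654: 0x2007006, 0x606A6: 0x0D0003E7, 0x806F5: 0x2B000603,
              0xC06F2: 0x21000283, 0x906EB: 0xF6}


def parse_cpuinfo(text):
    """Return (family, model, stepping, microcode) for the first CPU listed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # keep the first occurrence of each key (CPU 0)
            fields.setdefault(key.strip(), value.strip())
    return (int(fields["cpu family"]), int(fields["model"]),
            int(fields["stepping"]), int(fields["microcode"], 16))


def signature(family, model, stepping):
    """Pack display family/model/stepping into the CPUID(1).EAX signature.

    The extended family field is only used when the base family is 0xF, and
    the extended model field only for family 0x6 or 0xF (SDM Figure 3-6)."""
    base_family = min(family, 0xF)
    ext_family = family - base_family
    if family in (0x6, 0xF):
        ext_model, base_model = model >> 4, model & 0xF
    else:
        ext_model, base_model = 0, model
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | stepping)


def decode_signature(sig):
    """Inverse of signature(): 0x906EB -> family 6, model 0x9E, stepping 0xB."""
    stepping, base_model = sig & 0xF, (sig >> 4) & 0xF
    base_family, ext_model = (sig >> 8) & 0xF, (sig >> 16) & 0xF
    ext_family = (sig >> 20) & 0xFF
    family = base_family + (ext_family if base_family == 0xF else 0)
    model = (ext_model << 4 | base_model) if base_family in (0x6, 0xF) else base_model
    return family, model, stepping


def family_model_label(family, model):
    """First column of the table, e.g. '06_55H'."""
    return f"{family:02X}_{model:02X}H"


def ucode_filename(family, model, stepping):
    """File name under /lib/firmware/intel-ucode/, e.g. '06-55-04'."""
    return f"{family:02x}-{model:02x}-{stepping:02x}"


def microcode_status(sig, running_rev, table=TCBR18_MCU):
    """'current' if the running revision reaches the table's MCU Update value,
    'below 0x...' if it is older, 'not listed' if the signature is unknown."""
    wanted = table.get(sig)
    if wanted is None:
        return "not listed"
    return "current" if running_rev >= wanted else f"below 0x{wanted:X}"


if __name__ == "__main__":
    fam, mod, step, rev = parse_cpuinfo(SAMPLE_CPUINFO)
    sig = signature(fam, mod, step)
    print(family_model_label(fam, mod), f"CPUID {sig:X}",
          ucode_filename(fam, mod, step), f"running 0x{rev:X}:",
          microcode_status(sig, rev))
```

On a real host, replace SAMPLE_CPUINFO with the contents of /proc/cpuinfo; the revision returned by the Windows "Update Revision" registry value can be compared the same way once converted to an integer.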