Intel® SGX Attestation Technical Details
Attestation is one way to confirm that an Intel® SGX platform has been appropriately updated. It is the process of demonstrating that a software executable has been properly instantiated on a platform: a remote party gains confidence that the intended software is running inside an enclave on a fully patched, Intel SGX enabled platform.
The Intel SGX Trusted Computing Base (TCB) consists of the platform components required to implement the Intel SGX security objectives. Some of these components can be updated through a change in the Intel SGX Platform Software, some through CPU microcode (which implements the Intel SGX instruction set together with the hardware), while others, such as the CPU logic, are immutable. Intel performs TCB Recovery operations so that parties relying on Intel SGX can determine whether updates for vulnerabilities have been applied on the platform from which an attestation originates. Even with all updates applied, an attestation may not return an "UpToDate" response, because up-to-date platforms can run in different configurations, and those configurations are not all equivalent from a security standpoint. This applies whether the Intel Attestation Service (IAS) or the Intel® SGX Provisioning Certification Service (PCS) is used. See Table 1 below for details.
For details on the IAS API and the PCS API, refer to the IAS API Specification and the PCS API Specification, respectively. Further TCB Recovery Guidance for developers is also available.
Table 1. Security Configurations and Responses. "(introduced)" marks the advisory with which a response value first appeared; "(used)" marks a later advisory that reuses it. The advisory identifiers for the first five rows are not present in this copy of the table.

| Security Advisory | Security Configuration | Attestation Response (IAS)* | tcbStatus (PCS)** |
|---|---|---|---|
| | Hyper-threading (HT) enabled/disabled | CONFIGURATION_NEEDED if HT enabled (introduced) | ConfigurationNeeded if HT enabled |
| | Hyper-threading enabled/disabled | CONFIGURATION_NEEDED if HT enabled (used) | ConfigurationNeeded if HT enabled |
| | Integrated graphics enabled/disabled | CONFIGURATION_NEEDED if integrated graphics enabled (used) | ConfigurationNeeded if integrated graphics enabled |
| | Voltage MSR locked/unlocked | CONFIGURATION_NEEDED if MSR unlocked (used) | ConfigurationNeeded if MSR unlocked |
| | SW mitigations present/absent*** | SW_HARDENING_NEEDED (introduced) or CONFIGURATION_AND_SW_HARDENING_NEEDED (introduced). One or the other is always returned for CPUs affected by INTEL-SA-00334 (Load Value Injection, LVI). | SWHardeningNeeded |
| INTEL-SA-00615 | Hyper-threading enabled/disabled; SW mitigations present/absent*** | SW_HARDENING_NEEDED (used) or CONFIGURATION_AND_SW_HARDENING_NEEDED (used). One or the other is always returned for CPUs affected by Processor MMIO Stale Data. | SWHardeningNeeded, or ConfigurationAndSWHardeningNeeded if HT enabled |
| INTEL-SA-00657 | Hyper-threading enabled/disabled; SW mitigations present/absent*** | SW_HARDENING_NEEDED, or CONFIGURATION_AND_SW_HARDENING_NEEDED if HT enabled | SWHardeningNeeded, or ConfigurationAndSWHardeningNeeded if HT enabled |
| INTEL-SA-00767 | Hyper-threading enabled/disabled | CONFIGURATION_NEEDED if HT enabled | ConfigurationNeeded if HT enabled |
* Where more than one security advisory applies to the attesting platform, the IAS response may be CONFIGURATION_AND_SW_HARDENING_NEEDED.
** Where more than one security advisory applies to the attesting platform, the tcbStatus may be ConfigurationAndSWHardeningNeeded. Where one applies and the platform is also out of date, the tcbStatus may be OutOfDateConfigurationNeeded.
*** IAS cannot assess whether the attesting enclave has the necessary SW mitigations, and PCS does not provide attestation collateral that allows such an assessment. Verifying that the enclave build carries the mitigations is the relying party's responsibility.
Implementing a Grace Period for Attestations
Depending on the Intel SGX-supported platform, different service mechanisms are available to complete a remote attestation. In remote attestation, the client's quote is signed over a known Trusted Computing Base, and the relying party uses the quote to determine the client's security patching status (e.g., current as of a certain date, out of date, or current but running in a less secure configuration).
When a TCB recovery occurs and is enforced, changing the attestation status to "out of date" immediately could deny service to a large share of a relying party's user base whose platforms have not yet been updated. Implementing a grace period for the various services gives users time to update before their platforms are declared "out of date".
For more information on grace periods, please reference the "Remote Attestation" and "Guidance to Infrastructure Partners" sections in the Trusted Computing Base Recovery of Intel Trusted Execution Environments technical paper.
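The footnotes to Table 1 leave two decisions with the relying party: whether a platform reported as ConfigurationNeeded is acceptable for the workload, and whether the attesting enclave actually carries the software mitigations behind SWHardeningNeeded, which neither IAS nor PCS can assess. The grace-period guidance above adds a third: how long to keep admitting OutOfDate platforms after a TCB recovery. The following Python is an added example, not Intel's code and not part of this page, that folds all three into one policy function. The MRENCLAVE allowlist, ISV SVN threshold, dates and enclave identities are constructed sample values; the IAS-to-PCS status mapping covers only the statuses named on this page plus OK and GROUP_OUT_OF_DATE.

```python
"""Relying-party acceptance policy for an SGX attestation verdict.

Added illustration, not Intel's code: combines the attestation service's
TCB verdict (PCS tcbStatus, or the IAS equivalent), the relying party's own
check that the enclave build carries the software mitigations (which neither
service assesses), and a grace period after a TCB recovery.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet

# IAS isvEnclaveQuoteStatus values mapped onto the PCS tcbStatus vocabulary
# so that a single policy function serves both services.
IAS_TO_PCS = {
    "OK": "UpToDate",
    "GROUP_OUT_OF_DATE": "OutOfDate",
    "CONFIGURATION_NEEDED": "ConfigurationNeeded",
    "SW_HARDENING_NEEDED": "SWHardeningNeeded",
    "CONFIGURATION_AND_SW_HARDENING_NEEDED": "ConfigurationAndSWHardeningNeeded",
}
NEEDS_CONFIG = {"ConfigurationNeeded", "ConfigurationAndSWHardeningNeeded",
                "OutOfDateConfigurationNeeded"}
NEEDS_SW = {"SWHardeningNeeded", "ConfigurationAndSWHardeningNeeded"}
OUT_OF_DATE = {"OutOfDate", "OutOfDateConfigurationNeeded"}
KNOWN = {"UpToDate", "Revoked"} | NEEDS_CONFIG | NEEDS_SW | OUT_OF_DATE


def normalize_status(status: str) -> str:
    """Translate an IAS status to its PCS spelling; PCS values pass through."""
    return IAS_TO_PCS.get(status, status)


@dataclass(frozen=True)
class EnclaveIdentity:
    """Fields the verifier reads from the quote's report body."""
    mrenclave: str   # hex digest of the enclave build
    isv_svn: int     # security version number set by the enclave author


@dataclass(frozen=True)
class Policy:
    # Assumption: the relying party records which enclave builds were compiled
    # with the mitigations, by MRENCLAVE allowlist or by a minimum ISV SVN.
    hardened_mrenclaves: FrozenSet[str]
    min_isv_svn: int
    # Whether a ConfigurationNeeded platform (e.g. HT enabled) is tolerable.
    accept_configuration_needed: bool
    grace_period: timedelta


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def has_sw_mitigations(enclave: EnclaveIdentity, policy: Policy) -> bool:
    """The check the attestation service cannot perform (footnote ***)."""
    return (enclave.mrenclave in policy.hardened_mrenclaves
            or enclave.isv_svn >= policy.min_isv_svn)


def evaluate(status: str, enclave: EnclaveIdentity, policy: Policy,
             tcb_recovery_date: date, today: date) -> Decision:
    """Admit or reject; tcb_recovery_date is the day the recovery took effect."""
    s = normalize_status(status)
    if s not in KNOWN:
        return Decision(False, f"unrecognised status {status!r}")
    if s == "Revoked":
        return Decision(False, "platform TCB revoked")
    if s in NEEDS_SW and not has_sw_mitigations(enclave, policy):
        return Decision(False, f"{s}: enclave build lacks SW mitigations")
    if s in NEEDS_CONFIG and not policy.accept_configuration_needed:
        return Decision(False, f"{s}: platform configuration rejected by policy")
    if s in OUT_OF_DATE:
        deadline = tcb_recovery_date + policy.grace_period  # inclusive
        if today <= deadline:
            return Decision(True, f"{s}: within grace period ending {deadline}")
        return Decision(False, f"{s}: grace period ended {deadline}")
    return Decision(True, f"{s}: accepted")


# Constructed sample data for the demonstration below (not real measurements).
HARDENED = EnclaveIdentity(mrenclave="ab" * 32, isv_svn=1)
UNHARDENED = EnclaveIdentity(mrenclave="cd" * 32, isv_svn=1)
SAMPLE_POLICY = Policy(hardened_mrenclaves=frozenset({"ab" * 32}), min_isv_svn=3,
                       accept_configuration_needed=True,
                       grace_period=timedelta(days=30))
STRICT_POLICY = Policy(hardened_mrenclaves=frozenset(), min_isv_svn=3,
                       accept_configuration_needed=False,
                       grace_period=timedelta(days=0))
RECOVERY = date(2023, 2, 14)            # hypothetical TCB recovery date
IN_GRACE = RECOVERY + timedelta(days=10)
AFTER_GRACE = RECOVERY + timedelta(days=31)

if __name__ == "__main__":
    for status, enclave, policy, today in [
        ("OK", UNHARDENED, SAMPLE_POLICY, IN_GRACE),
        ("SW_HARDENING_NEEDED", UNHARDENED, SAMPLE_POLICY, IN_GRACE),
        ("SWHardeningNeeded", HARDENED, SAMPLE_POLICY, IN_GRACE),
        ("OutOfDateConfigurationNeeded", HARDENED, SAMPLE_POLICY, IN_GRACE),
        ("OutOfDate", HARDENED, SAMPLE_POLICY, AFTER_GRACE),
        ("ConfigurationNeeded", HARDENED, STRICT_POLICY, IN_GRACE),
    ]:
        d = evaluate(status, enclave, policy, RECOVERY, today)
        print(f"{status:32} {'ACCEPT' if d.accept else 'REJECT'}  {d.reason}")
```

The order of the checks matters: a revoked TCB is never admitted regardless of grace period, a missing software mitigation is a property of the enclave rather than the platform and so gets no grace, and only the OutOfDate family is subject to the deadline. Unrecognised statuses are rejected rather than ignored, so a new response value introduced by a future advisory fails closed until the policy is updated.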
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2018-2020 | Initial release to communicate security configurations and special attestation responses for SGX. From 2018 to 2020 Intel created a separate Attestation Details document for each SGX TCB recovery. |
| 2.0 | April 2021 | New format. This document will be used to communicate past and future security configurations and special attestation responses in tabular form. Attestation dates are now included in the security advisory itself, not in this Attestation Details document. |
| 3.0 | Sept 2021 | Added new section: Implementing a Grace Period for ECDSA-based Attestations. |
| 4.0 | March 2022 | Added attestation response for INTEL-SA-00615. |
| 5.0 | August 2022 | Improved the Security Configurations and Attestation Responses table. Removed details from the Grace Period section, which now links to a Grace Period article. Added attestation response for INTEL-SA-00657. |
| 6.0 | February 2023 | Added attestation response for INTEL-SA-00767. The response becomes effective following the schedule described here. |
| 7.0 | July 2023 | Updated Grace Period details and added the TCB Recovery Guidance for Developers link to the Technical Details. |
| 8.0 | November 2024 | Updated Grace Period section. |