Summary
How to mitigate result "GROUP_OUT_OF_DATE" from Intel Attestation Service (IAS)
Description
- Updated microcode to the latest version according to these instructions.
- Ran sgx_sign -version to confirm that Intel® Software Guard Extensions (Intel® SGX) SDK is the latest version.
- Ran remote attestation on sgx-ra-sample.
- Intel Attestation Service (IAS) returned several security advisories and GROUP_OUT_OF_DATE response that require an update to the latest microcode and latest Intel® Software Guard Extensions (Intel SGX) Software Development Kit (SDK).
Resolution
The microcode files available from the Intel Linux Processor Microcode Files GitHub repository are operating system (OS) microcode updates but Intel® Software Guard Extensions (Intel® SGX) mitigations require early load microcode available in BIOS.
Follow these steps to mitigate Intel SGX issues:
- Refer to your OEM to get the latest BIOS and inquire if it has the latest microcode with the required fixes implemented.
- Install the early load microcode that comes with the latest BIOS from the OEM.
Additional information
The article Loading Microcode from the OS contains more information on the different types of microcode.
The Intel® Software Guard Extensions (Intel® SGX) SDK information is included in the Quote that the platform sends to the relying third party.
| Note | If you already have the latest Intel® Software Guard Extensions (Intel® SGX) SDK and the latest Intel SGX PSW and are still encountering SA-00293, it may be because other vulnerabilities are still unmitigated. |