How do I perform SGX mitigation on Azure CC virtual machine?

Question

How do I perform SGX mitigation on Azure CC virtual machine?

Joseph Noonan 20

I have a DCs2_V3 Azure Confidential Computing virtual machine running Ubuntu 20.04. I am getting the following error from my application:

AttestationError { message: "TCB contains unmitigated unaccepted advisory ids: ["INTEL-SA-00615"]

How do I apply mitigation for this advisor ID on Ubuntu 20.04. Where can I find instructions to do this?

Joseph Noonan 20 Reputation points

2024-12-12T13:09:59.4833333+00:00

I am using the Azure Confidential Computing image DC2_v3 running Ubuntu 20.04. I updated the OS and also did a sudo apt install intel-microcode0. I have the latest version of the Intel SGX SDX, and I have built and installed the OpenEnclave SDK with LIV mitigation. Do I need to regenerate the enclaves in order to dismiss this error?
Joseph Noonan 20 Reputation points

2024-12-12T13:16:08.22+00:00

I have a follow-up question. As I posted in the original question, I am using Ubuntu 20.04 running on an Azure CCM VM (family DC2_v3). I have run apt update and apt upgrade, and I also ran sudo apt install -y intel-microcode. I've installed the latest version of the Intel SGX SDK. The application uses the OpenEnclave SDK to build the enclaves. I rebuilt the OpenEnclave SDK to include the LIV mitigations. Do I need to rebuild the enclaves with these new items installed to dismiss this error?
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2024-12-16T04:53:03.7066667+00:00

Hi Joseph Noonan,

Hope you are doing well! Just checking to see if you had a chance to see my response to your question.

If you have any further queries, do let us know.

If the comment is helpful, please click "upvote" on this post.
Joseph Noonan 20 Reputation points

2024-12-16T15:59:08.15+00:00

This issue is resolved. Thanks for the help!!

Accepted answer

0 additional answers

Your answer

Joseph Noonan 20 Reputation points

2024-12-12T13:09:59.4833333+00:00

I am using the Azure Confidential Computing image DC2_v3 running Ubuntu 20.04. I updated the OS and also did a sudo apt install intel-microcode0. I have the latest version of the Intel SGX SDX, and I have built and installed the OpenEnclave SDK with LIV mitigation. Do I need to regenerate the enclaves in order to dismiss this error?
Joseph Noonan 20 Reputation points

2024-12-12T13:16:08.22+00:00

I have a follow-up question. As I posted in the original question, I am using Ubuntu 20.04 running on an Azure CCM VM (family DC2_v3). I have run apt update and apt upgrade, and I also ran sudo apt install -y intel-microcode. I've installed the latest version of the Intel SGX SDK. The application uses the OpenEnclave SDK to build the enclaves. I rebuilt the OpenEnclave SDK to include the LIV mitigations. Do I need to rebuild the enclaves with these new items installed to dismiss this error?
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2024-12-16T04:53:03.7066667+00:00

Hi Joseph Noonan,

Hope you are doing well! Just checking to see if you had a chance to see my response to your question.

If you have any further queries, do let us know.

If the comment is helpful, please click "upvote" on this post.
Joseph Noonan 20 Reputation points

2024-12-16T15:59:08.15+00:00

This issue is resolved. Thanks for the help!!

Answer 1

Mounika Reddy Anumandla 6,845 Microsoft External Staff Moderator

Hi Joseph Noonan,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

This advisory ID refers to a security vulnerability that affects certain Intel processors. Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

Mitigation for these vulnerabilities includes a combination of microcode updates and software changes, depending on the platform and usage model. Microcode updates should be issued by the original equipment manufacturer (OEM). For more information, see INTEL-SA-00615. Intel Advisory INTEL-SA-00615 addresses security vulnerabilities in Intel processors, https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html The overview, mitigation is also explained in the document: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/processor-mmio-stale-data-vulnerabilities.html
If you have any further queries, do let us know.

Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2024-12-13T02:49:12.4033333+00:00

Hi Joseph Noonan,
Thank you for replying back with more information.
As per my understanding, it is a best practice in enclave development to rebuild your enclaves after making significant updates to the microcode or SDK. This ensures that your applications are up to date with the latest security measures and mitigations.
For more detailed guidance, you can refer to the Azure Confidential Computing documentation and the Intel Microcode Update Guidance.
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html

If you have any further queries, do let us know.

If the comment is helpful, please click "upvote".
Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator

2024-12-16T16:23:23.72+00:00

Hi Joseph Noonan,

If you found it helpful, could you kindly click the “Accept Answer on my post. This will help increase its visibility of this question for other members of the Microsoft Q&A community.

Thank you!

Share via

How do I perform SGX mitigation on Azure CC virtual machine?

0 additional answers

Your answer