VM on DC1sv3 azure dcap client fetches outdated tcb/qe info from https://global.acccache.azure.net/sgx/certification/v4

Hagai Rotshild 0 Reputation points
2023-05-15T08:55:35.2866667+00:00

I set up a VM using the confidential computing resource DC1sv3 and installed Ubuntu 22.04 LTS Gen2 on it. I also installed Azure DCAP Client 1.12 on it with the Open Enclave SDK.

I'm retrieving the TCBInfo/QE info as collateral for remote attestation of enclaves, but I'm getting outdated info.

I tried to mimic the action with curl and I can see the outdated info. For example, this is the Azure DCAP client request:

https://global.acccache.azure.net/sgx/certification/v4/tcb?fmspc=00606a000000&clientid=production_client&api-version=2018-10-01-preview

which results in:

{"tcbInfo":{"id":"SGX","version":3,"issueDate":"2023-02-14T23:29:37Z","nextUpdate":"2023-03-16T23:29:37Z","fmspc":"00606a000000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":14,"tcbLevels":[{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":9,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":1},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2022-08-10T00:00:00Z","tcbStatus":"SWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":9,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2022-08-10T00:00:00Z","tcbStatus":"ConfigurationAndSWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00477","INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":5},"tcbDate":"2018-01-04T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00106","INTEL-SA-00115","INTEL-SA-00135","INTEL-SA-00203","INTEL-SA-00220","INTEL-SA-00233","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]}]}

As you can see, the "issueDate":"2023-02-14T23:29:37Z","nextUpdate":"2023-03-16T23:29:37Z" are outdated, which results in a failure against the exp check.

How can I retrieve updated info?
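The two checks a quote verifier runs over this collateral, as an added example that is not part of the original post or of the Azure DCAP client: the issueDate/nextUpdate freshness check the question fails, and the walk over tcbLevels that assigns a platform its tcbStatus and advisory list. The tcbInfo below is a constructed sample cut down from the response in the question (two levels, no signature), and the platform SVN values passed in are assumptions.

```python
"""Freshness and TCB-level lookup over an SGX tcbInfo structure (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed, unsigned copy of the fields shown in the question.
SAMPLE_TCB_INFO = json.loads("""{"tcbInfo":{"id":"SGX","version":3,
 "issueDate":"2023-02-14T23:29:37Z","nextUpdate":"2023-03-16T23:29:37Z",
 "fmspc":"00606a000000","tcbEvaluationDataNumber":14,"tcbLevels":[
  {"tcb":{"sgxtcbcomponents":[{"svn":7},{"svn":9},{"svn":3},{"svn":3},{"svn":255},{"svn":255},
   {"svn":1},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],
   "pcesvn":13},"tcbStatus":"SWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},
  {"tcb":{"sgxtcbcomponents":[{"svn":4},{"svn":4},{"svn":3},{"svn":3},{"svn":255},{"svn":255},
   {"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],
   "pcesvn":11},"tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00586","INTEL-SA-00614"]}]}}""")


def parse_ts(s):
    """Intel collateral uses UTC timestamps with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def collateral_is_fresh(tcb_info, now):
    """The expiry check the question hits: accept only issueDate <= now < nextUpdate."""
    info = tcb_info["tcbInfo"]
    return parse_ts(info["issueDate"]) <= now < parse_ts(info["nextUpdate"])


def tcb_status(tcb_info, cpusvn, pcesvn):
    """Walk tcbLevels in order (published highest level first) and return the status and
    advisories of the first level whose every component SVN and pcesvn the platform meets.
    cpusvn is the platform's 16 component SVNs; pcesvn is its PCE SVN (both assumptions here)."""
    for level in tcb_info["tcbInfo"]["tcbLevels"]:
        required = [c["svn"] for c in level["tcb"]["sgxtcbcomponents"]]
        if len(required) != len(cpusvn):
            raise ValueError("cpusvn must have one entry per sgxtcbcomponent")
        if pcesvn >= level["tcb"]["pcesvn"] and all(p >= r for p, r in zip(cpusvn, required)):
            return level["tcbStatus"], list(level.get("advisoryIDs", []))
    # Below every published level: no status can be assigned, so a verifier must reject.
    return "TCBNotSupported", []


if __name__ == "__main__":
    print("fresh now:", collateral_is_fresh(SAMPLE_TCB_INFO, datetime.now(timezone.utc)))
    platform_cpusvn = [7, 9, 3, 3, 255, 255, 1] + [0] * 9   # assumed platform values
    print(tcb_status(SAMPLE_TCB_INFO, platform_cpusvn, 13))
```

With the nextUpdate shown in the question, collateral_is_fresh returns False for any time from 2023-03-16 onward, which is exactly the failure the poster sees in May 2023.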

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

1 answer

vipullag-MSFT 24,106 Reputation points Microsoft Employee
2023-05-15T11:32:34.4033333+00:00

Hello Hagai Rotshild

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

It seems that you are retrieving outdated TCBInfo/qe info as collateral for Remote Attestation of enclaves. The THIM service by default provides an older tcbinfo, and updating to the latest tcbinfo from Intel would cause attestation failures for those customers who haven't migrated to the latest Intel SDK, and could result in outages.

If you still want to retrieve the latest TCBInfo/qe info, you can try to update the Azure DCAP Client to the latest version, which is currently 1.11.2. You can download the latest DCAP packages for Ubuntu 20.04 and 18.04 from the following links:

Ubuntu 20.04: https://packages.microsoft.com/ubuntu/20.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.11.2_amd64.deb
Ubuntu 18.04: https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.11.2_amd64.deb

After updating the Azure DCAP Client, you can try to retrieve the TCBInfo/qe info again and see if it is updated.

Hope this helps.
