Posted on Discord by @amela
On Sep 19, Intel will force an SGX TCB recovery that will affect all confidential compute nodes (Cipher and Sapphire): https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/q3-2023-intel-tcb-recovery-guidance.html#key-dates

To ensure your compute nodes running Intel SGX will continue to have valid remote attestation reports, they need vendor-prepared BIOS upgrades, which include the relevant Intel microcode updates.

Please reach out to your hosting providers or original equipment manufacturers (OEMs) (if running your own servers) to get BIOS updates for IPU 2023.3 as soon as they are available.

To test if your nodes are using the relevant Intel microcode, please run our attestation-tool (version 0.2.0) on your server. It will tell you if your SGX node will work after Sep 19.

attestation-tool: https://github.com/oasisprotocol/tools/tree/main/attestation-tool
binary: Release Attestation Tool 0.2.0 · oasisprotocol/tools · GitHub

To use the attestation-tool, first ensure that the SGX driver is available and that AESMD is running. Then, run the binary as a user that has access to your SGX device (/dev/isgx or /dev/sgx*) and the AESMD socket (

You can find more detailed instructions in the attestation-tool's README file.

After that, please let me know if your server is ready for the upgrade. You can do that by pasting the tool's output + name of your cloud provider + server type on the 【】node-operators channel, or send me a DM with this info.

Thanks all.

PS: Feel free to check the attestation-tool's source code and build it yourself.