Expired SGX Attestation Collateral from Azure THIM

When using Azure DCAP Library from Azure SGX Virtual Machines, Azure THIM is providing SGX Attestation Collateral which have expired and more than 1 year old.

For getting SGX Attestation Collateral from Azure THIM, when following is run as a curl command,

curl -X GET "https://global.acccache.azure.net/sgx/certification/v4/tcb?fmspc=00606a000000&clientid=production_client" | jq

The received SGX attestation collateral contains, Issue Date as "2023-02-27T18:50:29Z" and Next Update Date as "2023-03-29T18:50:29Z" which is more than an year old.

Whereas when a corresponding command is run directly on Intel Provisioning Certification Service (PCS),

curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=00606a000000" | jq

The received SGX attestation collateral contains, Issue Date as "2024-08-19T07:31:12Z" and next update date as "2024-09-18T07:31:12Z"

When "next update" date mentioned on the attestation collateral has passed the "current date", the attestation collateral is considered expired. So, practically the attestation collateral being returned by Azure THIM is expired and more than an year old.

Can you please resolve Azure THIM to provide non-expired latest attestation collateral or suggest us a solution to be able to get non-expired latest attestation collateral from Azure THIM and accordingly consume the same through Azure DCAP library.

Looking forward to for your response.

Thanks, and Regards,

Akhil

Srinud 2,235 Reputation points Microsoft Vendor

2024-08-19T14:11:49.1066667+00:00

Hi Bala Siva Sai Akhil Malepati,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Based on your query, I recommend referring to the link provided below:

https://video2.skills-academy.com/en-us/azure/security/fundamentals/trusted-hardware-identity-management#with-intel-xeon-e-processors-i-could-get-my-certificates-directly-from-the-intel-pcs-why-with-intel-xeon-scalable-processors-starting-from-the-4th-generation-do-i-need-to-get-the-certificates-from-trusted-hardware-identity-management-and-how-can-i-fetch-those-certificates
If you have any further queries, do let us know.

Thank you.
Bala Siva Sai Akhil Malepati 0 Reputation points

2024-08-19T20:51:41.57+00:00

Hi @Srinud,

Thanks for the response. The link you provided mentions and talks about why in some of the cases PCK Certificates need to be fetched from Azure THIM instead of Intel PCS. But my question is regarding the attestation collateral which provides recommendations on TCB levels.

As I mentioned in the question above, the attestation collateral received from Azure THIM is more than 1 year old, whereas Intel PCS is providing latest attestation collateral.

Can you please resolve Azure THIM to provide non-expired latest attestation collateral or suggest us a solution to be able to get non-expired latest attestation collateral from Azure THIM and accordingly consume the same through Azure DCAP library?

Looking forward to for your response.

Thanks, and Regards,

Akhil
Bala Siva Sai Akhil Malepati 0 Reputation points

2024-08-19T22:45:06.69+00:00
To add to above, I just checked regarding the direct usage of AZ DCAP Client, it uses v3 APIs underneath and those APIs are returning more than 3 years old attestation collateral (TCB info). The issue date is "2021-04-20T18:27:52Z" and next update date is "2021-05-20T18:27:52Z"

Example curl command to get SGX TCB info,

curl -X GET "https://global.acccache.azure.net/sgx/certification/v3/tcb?fmspc=00606a000000&clientid=production_client" | jq

For reference, attached the response of above curl command containing TCB info.

Corresponding Intel PCS API is returning latest TCB info with current date. Following is curl command for that for v3,

curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/tcb?fmspc=00606a000000" | jq

The response from Intel PCS has latest TCB info with, issue date as "2024-08-19T21:47:55Z" and next update date is "2024-09-18T21:47:55Z"
Srinud 2,235 Reputation points Microsoft Vendor

2024-08-21T05:00:23.85+00:00

Hi Bala Siva Sai Akhil Malepati,

Thanks for getting back with the detailed explanation.

We are working with our internal team and will get back to you soon.
Srinud 2,235 Reputation points Microsoft Vendor

2024-08-22T11:43:04.5666667+00:00

Hi Bala Siva Sai Akhil Malepati,

Just checking in to see if you have got a chance to see the comment posted in resolving the issue.

If the information is helpful, please consider by clicking the "Upvote" on the post.

Thank you.

1 answer

Srinud 2,235 Reputation points Microsoft Vendor

2024-08-21T09:46:36.5433333+00:00
Hi Bala Siva Sai Akhil Malepati,

Thank you for your patience.

Could please confirm if you are using Microsoft Azure Attestation (MAA) for performing SGX attestation?

As i checked with our internal team here is the response:

THIM stores all the Trusted Computing Base (TCBs) published by Intel to date in its storage and, by default, provides the minimum TCB that is supported based on the version and the FMSPC of the machine. In this case, THIM is returning the minimum supported TCB value, which is 14, whereas Intel provides a TCB value of 16, the latest TCB value released by Intel.

The default TCB baseline from THIM lags the latest baseline offered by Intel to prevent any attestation failure scenarios for ACC customers who require more time for patching platform software (PSW) updates. If a customer prefers to perform the SGX attestation against the latest TCB offered by Intel, they can perform timely roll out of platform software (PSW) updates and use the custom TCB baseline enforcement feature offered by Microsoft Azure Attestation (MAA)

MAA offers the custom TCB baseline enforcement feature which empowers customers to perform SGX attestation against a desired TCB baseline. It is always recommended for Azure Confidential Computing (ACC) SGX customers to install the latest PSW version supported by Intel and configure their SGX attestation policy with the latest TCB baseline supported by Azure.

Please find more details here - Custom TCB baseline enforcement for Azure Attestation users | Microsoft Learn

If the information is helpful, please consider by clicking the "Accept Answer & Upvote" on the post.
Please sign in to rate this answer.
Mahesh Goud Juvvadi 975 Reputation points Microsoft Vendor

2024-08-23T10:19:55.4266667+00:00

Hi Bala Siva Sai Akhil Malepati,

I wanted to check if you had the opportunity to review the information which was provided by @Srinud in previous posted answer.

If you feel that your quires have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.

Thank you.

Bala Siva Sai Akhil Malepati 0 Reputation points

2024-08-26T03:52:38.17+00:00

Thanks for providing a detailed explanation and answer. I am using Azure THIM directly which is the default behavior when using Azure DCAP Client (https://github.com/microsoft/Azure-DCAP-Client). Azure THIM should have enforced latest attestation collateral, otherwise how can Azure THIM be used for any practical use cases and more specifically how would anyone use Azure DCAP Client for any production use case to enforce latest attestation collateral? Older collateral and especially collateral which is more than 3 years old is practically almost unusable.

Srinud 2,235 Reputation points Microsoft Vendor

2024-08-26T10:56:59.2666667+00:00

Hi Bala Siva Sai Akhil Malepati,

Thank you for sharing your information.

We are working on it and will get back to you soon.

Srinud 2,235 Reputation points Microsoft Vendor

2024-08-27T14:44:19.78+00:00

Hi Bala Siva Sai Akhil Malepati,

Thank you for your patience!

Could please share below information to troubleshoot further.

Once collateral is fetched from THIM, how is SGX attestation being performed? Is your using Microsoft Azure Attestation, or 3P offered attestation services like Intel Amber or your performing attestation by yourself?

Please confirm is your using Open Enclave SDK to talk to the attestation service?

Thank you.

Srinud 2,235 Reputation points Microsoft Vendor

2024-08-29T17:54:17.6766667+00:00

Hi Bala Siva Sai Akhil Malepati,

Could you please go through the last comment and provide us the required information to drive the thread further.

If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.

Bala Siva Sai Akhil Malepati 0 Reputation points

2024-09-03T21:59:54.0333333+00:00

Hi @Srinud,

Missed to reply here. Following is the information you requested,

Using Intel DCAP Library (https://github.com/intel/SGXDataCenterAttestationPrimitives) to perform the quote verification which internally fetches the collateral from Azure THIM through Azure DCAP Client (https://github.com/microsoft/Azure-DCAP-Client)

Not using Open Enclave SDK but rather using Intel DCAP Library mentioned above

Thanks, and Regards

Akhil

Srinud 2,235 Reputation points Microsoft Vendor

2024-09-05T10:10:57.7233333+00:00

Hi Bala Siva Sai Akhil Malepati,

Thank you for sharing your information.

We are working with our internal team and will get back to you as soon as we have an update.

Srinud 2,235 Reputation points Microsoft Vendor

2024-09-13T03:04:52.1866667+00:00

Hi Bala Siva Sai Akhil Malepati,

Thank you for your patience!
This issue needs deeper investigation and Azure technical support team will be able to help with this. I would recommend you open an azure support case. If you don't have the ability to open a technical support ticket, please let me know and I can help you further with this.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Expired SGX Attestation Collateral from Azure THIM

1 answer

Your answer