Intel® SGX Data Center Attestation Primitives
Attestation is the process of demonstrating that a software executable has been properly instantiated on a platform. Intel® SGX attestation allows a remote party to gain confidence that the intended software is securely running within an enclave on an Intel® SGX enabled platform.
- Upgraded Intel® Integrated Performance Primitives (IPP) Cryptography library to version 2021 Update 3.
- Upgraded Intel® SGX Architecture Enclaves based on new IPP crypto library.
- Added support in Intel® Quote Provider Library (QPL) to retrieve SGX ECDSA quote verification endorsements from Intel® Provisioning Certificate Service (PCS). User can configure PCCS or PCS in QPL’s config file
- Updated SGX ECDSA quote verification library (QVL) and quote verification enclave (QvE) to support CRL in different encoding.
- Updated SGX ECDSA quote verification library (QVL) and quote verification enclave (QvE) to hardcode Intel® root public key instead of root certificate.
- Fixed bugs
- Intel® Xeon® E Processor based Server
- Intel® SGX option enabled in BIOS with the Flexible Launch Control support
Supported Linux* OS distributions:
- Ubuntu* 18.04 LTS 64-bit Desktop and Server version
- Ubuntu* 20.04 LTS 64-bit Desktop and Server version
- Red Hat* Enterprise Linux* Server 8.2 (for x86_64)
- CentOS 8.2 64bits
Note: It is highly recommended to use the listed Linux* OS distributions. Other distributions have not been tested.
KNOWN ISSUES AND LIMITATIONS
- Multi-package system only. If PCCS is configured to use LAZY mode, and the platform doesn’t have the latest uCode patch, PCCS may return 462 error when the client requests for PCK certificate. Applying the latest uCode patch can fix this issue, or if you don't have the latest patch, you can change PCCS to REQ mode temporarily, and use the PCK ID retrieval tool to register the platform.
- RHEL only. When installing PCCS on Redhat, you may see errors when executing "sudo -u pccs ./install.sh". To workaround this issue, please go to /opt/intel/sgx-dcap-pccs/ directory, change the owner of all files and sub-folders to user "pccs" with "sudo chown -R pccs:pccs *", and run the install script again.
- Provisioning Certificate Caching Server (PCCS) 1.10.100 doesn’t support upgrade installation on RHEL and CentOS. Please uninstall the old version and install v1.10.100 PCCS. Details please refer to DCAP installation guide
- Provisioning Certificate Caching Server (PCCS) in Intel® DCAP 1.9 release only support Provisioning Certification Service (PCS) V3 API. If you want to use previous PCS API version such as V2, please use PCCS in previous DCAP release.
- In order to make DCAP 1.9 software stack work with previous version PCCS, please configure correct PCCS URL in Quote Provider Library (QPL) configuration file, make sure the PCCS version number is also lower than 3. For sample, “PCCS_URL=https://localhost:8081/sgx/certification/v2/”
- During the current release we have learned that the DKMS infrastructure uses the driver version as an arbitrary string and not as a numeric value. As a result, installing an old version on top of a new version will work, moreover, when more than one version is installed and a kernel update occurs there is no guarantee that the new version will be used in the new kernel – apparently either of the existing versions may be used To address these issues, the 1.10 driver installer will uninstall a previously installed driver if exists.
Note: The uninstall may fail if the driver is in use by an enclave or the AESM, in this case the user will be notified and will be required to manually uninstall the driver.