Intel regularly publishes security advisories at https://www.intel.com/content/www/us/en/security-center/default.html. The attestation of an enclave verifies the enclave's hash value (`MrEnclave`) and whether the CPU, the platform, or the firmware is affected by security advisories. If they are, attestation fails by default.
Each advisory has a unique advisory number. For example,
- INTEL-SA-00270: 2019.2 IPU – TSX Asynchronous Abort Advisory
- INTEL-SA-00161: Q3 2018 Speculative Execution Side Channel Update
In some cases, you need to wait for updated firmware. If you consider that your application is not affected by an advisory, you can disable the check in your security policy. Some advisories affect quite a few platforms, in which case our policy provides shortcuts to ignore them (such as `hyperthreading`). Others may be more severe or very recent. To ignore these advisories, both the advisories and their associated category (`outdated-tcb`) must be specified explicitly. For example:
```yaml
security:
  attestation:
    tolerate: [outdated-tcb]
    ignore_advisories: [INTEL-SA-00161, INTEL-SA-00270]
```
In debug-mode, all advisories can be ignored with a wildcard, which simplifies the workflow in testing environments:
```yaml
security:
  attestation:
    tolerate: [debug-mode, outdated-tcb]
    ignore_advisories: "*"
```
Because a wildcard also silently ignores newly released platform advisories, wildcards cannot be used in production mode.
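The rules above (attestation fails on any outstanding advisory by default, an advisory is only ignored when it is listed explicitly together with the `outdated-tcb` category, and the `"*"` wildcard is accepted only with `debug-mode`) can be captured in a small decision model. The following is an added example, not the project's own policy engine: the field names mirror the YAML on this page, while the `INTEL-SA-NNNNN` id pattern, the failure reasons, and the advisory `INTEL-SA-99999` used as a constructed placeholder for a "newly released" advisory are assumptions of this example.

```python
"""Toy model of the advisory-tolerance rules for enclave attestation.

Added example, not the project's own code. Field names follow the policy
YAML on this page; everything else is an assumption of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple, Union

# Advisory numbers on this page follow the INTEL-SA-NNNNN pattern (assumed here).
ADVISORY_RE = re.compile(r"^INTEL-SA-\d{5}$")


@dataclass
class AttestationPolicy:
    """Mirrors the `security: attestation:` section of the policy."""
    tolerate: List[str] = field(default_factory=list)
    # Either an explicit list of advisory numbers or the "*" wildcard.
    ignore_advisories: Union[List[str], str] = field(default_factory=list)


def validate_policy(policy: AttestationPolicy) -> List[str]:
    """Return the list of problems with the policy (empty means acceptable)."""
    problems: List[str] = []
    ignored = policy.ignore_advisories
    if ignored == "*":
        # A wildcard silently accepts advisories released later, so it is
        # only permitted when the policy also tolerates debug-mode.
        if "debug-mode" not in policy.tolerate:
            problems.append("wildcard ignore_advisories is only permitted with tolerate: [debug-mode]")
    else:
        for adv in ignored:
            if not ADVISORY_RE.match(adv):
                problems.append(f"malformed advisory id: {adv!r}")
    # Ignoring any advisory also requires tolerating the outdated-tcb category.
    if ignored and "outdated-tcb" not in policy.tolerate:
        problems.append("ignore_advisories requires tolerate: [outdated-tcb]")
    return problems


def attest(policy: AttestationPolicy, mr_enclave_ok: bool,
           platform_advisories: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether an enclave attests on a platform with the given outstanding advisories.

    `mr_enclave_ok` is the result of comparing the measured MrEnclave with the
    expected hash; `platform_advisories` are the advisories the platform is
    still affected by (e.g. because firmware has not been updated yet).
    """
    if not mr_enclave_ok:
        return False, "MrEnclave does not match the expected enclave hash"
    problems = validate_policy(policy)
    if problems:
        return False, "invalid policy: " + problems[0]
    outstanding = set(platform_advisories)
    if not outstanding:
        return True, "platform has no outstanding advisories"
    # Default behaviour: any outstanding advisory fails attestation.
    if "outdated-tcb" not in policy.tolerate:
        return False, "platform affected by " + ", ".join(sorted(outstanding))
    if policy.ignore_advisories == "*":
        return True, "debug-mode wildcard ignores " + ", ".join(sorted(outstanding))
    not_ignored = outstanding - set(policy.ignore_advisories)
    if not_ignored:
        return False, "advisories not listed in ignore_advisories: " + ", ".join(sorted(not_ignored))
    return True, "all outstanding advisories are explicitly ignored"


if __name__ == "__main__":
    production = AttestationPolicy(tolerate=["outdated-tcb"],
                                   ignore_advisories=["INTEL-SA-00161", "INTEL-SA-00270"])
    debug = AttestationPolicy(tolerate=["debug-mode", "outdated-tcb"], ignore_advisories="*")
    # INTEL-SA-99999 is a constructed placeholder for an advisory released after the policy was written.
    for name, pol, advs in [("prod/known", production, ["INTEL-SA-00270"]),
                            ("prod/new", production, ["INTEL-SA-00270", "INTEL-SA-99999"]),
                            ("debug/new", debug, ["INTEL-SA-99999"])]:
        print(name, attest(pol, True, advs))
```

The production policy passes only for the advisories it names, the same policy fails as soon as the platform is affected by an advisory it does not list, and the debug-mode wildcard accepts everything, which is exactly why the wildcard must stay out of production.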
For more details, please have a look at our policy description.