Patching your Node
Nodes on Secret Network are required to be fully patched and compliant with network requirements. While this requirement makes running and maintaining a node harder, it is a necessary tradeoff if the network is to remain open and permissionless.
Part of the registration process on the network will validate the patch level of your platform (Motherboard + CPU). This requires you to have the necessary updates that mitigate known vulnerabilities that might lead to compromise of data protected by SGX.
Let's start with the different components that need to be updated:
- Processor microcode (ucode) - Microcode is a type of low-level computer programming that is used to control the operations of a microprocessor. It is typically stored in the microprocessor itself or in a read-only memory (ROM) chip that is connected to the microprocessor. Microcode is used to define the basic set of instructions that a microprocessor can execute, as well as the operations that it can perform on data. It is usually written in a specialized microcode programming language, and it forms the lowest level of a computer's instruction set architecture.
- SGX Platform Software (PSW) - This software package provides a set of tools and libraries to make use of the Intel SGX instruction set.
Updating The PSW
The PSW packages can be updated using your standard operating system install methods. For example, in Linux do this:
Updating the Microcode
Get your microcode file name
While there are a few ways to update the processor microcode, it is important to note that for SGX, the updated microcode must be loaded through the BIOS. That means that upgrading the microcode using early load or late load (installing through the operating system) will not affect the SGX patch level of the platform.
To find out whether the microcode needs to be updated and find the latest version, we must first get the family, model, and stepping of our processor.
To find the stepping, model, and family of your processor, you can use the lscpu command. This command displays detailed information about the CPU architecture.
1. Open a terminal window on your system and run the lscpu command.
2. The output of this command will include the stepping, model, and family of your processor, as well as other information about the CPU architecture.
Here is an example of the output you might see:
In this example, the family, model and stepping of the processor are 6, 85, and 3, respectively.
Next, we take these values, translate them to hex, and structure them as follows: <family>-<model>-<stepping>. In this example we get: 06-55-03. This is the microcode file name for our processor.
Pro Tip: These numbers also allow us to get our CPUID, in the following order: |model 1st digit|family|model 2nd digit|stepping|. For example, 06-9e-0d -> 906ED
Find the correct microcode version for your processor
After we have our microcode file name, we use it to find the latest version of our microcode, which is available here: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md. Continuing the previous example, the latest version of microcode for 06-55-03 is 0x0100015e
Check your installed microcode version
Now that we know what our microcode should be, we can compare it to our current microcode. Get your current version with:
cat /proc/cpuinfo | grep microcode
or dmesg | grep microcode
Note - Azure machines will always return 0xFFFFFFFF as their microcode version regardless of the actual patch level
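The steps above, from family/model/stepping to the file name, the CPUID and the version comparison, can be scripted. The following is an added example, not part of the original guide or of Secret Network's tooling; the function names, the sample data and the ok/outdated/unknown verdicts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names, sample data and verdict strings are constructed.

# Print the value of one /proc/cpuinfo key (first match); cpuinfo text on stdin.
cpu_field() {
    awk -F':' -v k="$1" '{ gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# family model stepping (decimal) -> microcode file name, e.g. 6 85 3 -> 06-55-03
ucode_name() { printf '%02x-%02x-%02x\n' "$1" "$2" "$3"; }

# family model stepping -> CPUID, using the digit order given in the Pro Tip
cpuid_sig() { printf '%X%02X%X%X\n' $(( $2 >> 4 )) "$1" $(( $2 & 15 )) "$3"; }

# installed_rev expected_rev -> ok | outdated | unknown
# Compared as numbers: /proc/cpuinfo prints 0x100015e, the release notes 0x0100015e.
ucode_verdict() {
    cur=$(( $1 )); want=$(( $2 ))
    if [ "$cur" -eq $(( 0xFFFFFFFF )) ]; then
        echo unknown      # Azure reports 0xFFFFFFFF whatever the patch level
    elif [ "$cur" -lt "$want" ]; then
        echo outdated     # assumption: a lower revision means a BIOS update is needed
    else
        echo ok
    fi
}

# cpuinfo text on stdin, expected revision as $1 -> "file cpuid installed verdict"
ucode_report() {
    info=$(cat)
    f=$(printf '%s\n' "$info" | cpu_field 'cpu family')
    m=$(printf '%s\n' "$info" | cpu_field 'model')
    s=$(printf '%s\n' "$info" | cpu_field 'stepping')
    r=$(printf '%s\n' "$info" | cpu_field 'microcode')
    echo "$(ucode_name "$f" "$m" "$s") $(cpuid_sig "$f" "$m" "$s") $r $(ucode_verdict "$r" "$1")"
}

# Constructed sample in /proc/cpuinfo format; on a real node pipe in /proc/cpuinfo.
SAMPLE=$(printf 'cpu family\t: 6\nmodel\t\t: 85\nmodel name\t: Constructed CPU\nstepping\t: 3\nmicrocode\t: 0x100015e\n')
printf '%s\n' "$SAMPLE" | ucode_report 0x0100015e   # expected value from the release notes
```

On a real machine, replace the sample with `ucode_report <expected> < /proc/cpuinfo`, taking the expected revision from the release notes linked above.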
Get a BIOS that contains the updated Microcode
If your version does not match the latest one, you will need to update your BIOS. To do that, contact your motherboard vendor, or your cloud service provider and download or request the BIOS version that contains the latest microcode for your CPU.