(or SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave | grep -Po 'isvEnclaveQuoteStatus":".+?"'
)
An outtput like this should be generated:
(or isvEnclaveQuoteStatus":"SW_HARDENING_NEEDED"
)
Where the important fields are isvEnclaveQuoteStatus and advisoryIDs. This is are fields that mark the trust level of our platform. The acceptable values for the isvEnclaveQuoteStatus
field are:
OK
SW_HARDENING_NEEDED
With the following value accepted for testnet only:
GROUP_OUT_OF_DATE
For the status CONFIGURATION_AND_SW_HARDENING_NEEDED
we perform a deeper inspection of the exact vulnerabilities that remain. The acceptable values for mainnet are:
"INTEL-SA-00334"
"INTEL-SA-00219"
Consult with the Intel API for more on these values.
If you do not see such an output, look for a file called attestation_cert.der
which should have been created in your $HOME
directory. You can then use the command secretd parse <path/to/attestation_cert.der>
to check the result a successful result should be a 64 byte hex string (e.g. 0x9efe0dc689447514d6514c05d1161cea15c461c62e6d72a2efabcc6b85ed953b
.
Running secretd init-enclave
should have created a file called attestation_cert.der
. This file contains the attestation report from above.
Contact us on the proper channels on scrt.network/discord
The details we will need to investigate will include:
Hardware specs
SGX PSW/driver versions
BIOS versions
The file attestation_cert.der
Output is:
Make sure you have the environment variable SCRT_ENCLAVE_DIR=/usr/lib
set before you run secretd
.
Output is:
Make sure the directory ~/.sgx_secrets/
is created. If that still doesn't work, try to create /root/.sgx_secrets
Output is:
Make sure the aesmd-service
is running systemctl status aesmd.service
Output is:
Please disable hyperthreading and overclocking/undervolting (Turboboost) in your BIOS.
I'm seeing CONFIGURATION_AND_SW_HARDENING_NEEDED
in the isvEnclaveQuoteStatus
field, but with more advisories than what is allowed
This could mean a number of different things related to the configuration of the machine. Most common are:
["INTEL-SA-00161", "INTEL-SA-00233"] - Hyper-threading must be disabled in the BIOS
["INTEL-SA-00289"] - Overclocking/undervolting must be disabled by the BIOS (sometimes known as Turboboost)
["INTEL-SA-00219"] - Integrated graphics should be disabled in the BIOS - we recommend performing this step if you can, though it isn't required
If you are still having trouble getting rid of INTEL-SA-00219 and INTEL-SA-00289, here are some possible settings to look for outside of the CPU settings:
Primary Display = 'PCI Express'
IGPU Multi-Monitor = Disabled
Onboard VGA = Disabled
I'm seeing SGX_ERROR_DEVICE_BUSY
Most likely you tried reinstalling the driver and rerunning the enclave - restarting should solve the problem