Getting GROUP_OUT_OF_DATE with Intel attestation server

Hello folks! My name is Max, I’m a crypto enthusiast and Go developer. I’m trying to set up my own secret node for the upcoming secret main net launch, to become a validator. Unfortunately, I’ve encountered an SGX-related problem that I cannot resolve and my ideas list is empty now.

I have 2 machines with SGX-enabled CPUs from Hetzner, and 1 machine from OVH:

  • Hetzner: Intel® Core™ i9-9900K CPU @ 3.60GHz
  • OVH: Intel® Xeon® E-2288G CPU @ 3.70GHz

I’m getting the exact same attestation error when trying to setup 0.7.0 testnet node:

$ SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave
INFO  [wasmi_runtime_enclave::registration::attestation] Attestation report: {"id":"300487276081224553918647267366511071135","timestamp":"2020-08-31T00:21:58.627896","version":4,"advisoryURL":"https://security-center.intel.com","advisoryIDs":["INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00233"],"isvEnclaveQuoteStatus":"GROUP_OUT_OF_DATE","platformInfoBlob":"...","isvEnclaveQuoteBody":"..."}
WARN  [wasmi_runtime_enclave::registration::cert] TCB level of SGX platform service is outdated. You should check for firmware updates
Platform Okay!

Processor Firmware Update (ucodeUpdate). A security upgrade for your computing
device is required for this application to continue to provide you with a high degree of security. Please contact your device manufacturer’s support website for a BIOS update
for this system

I flashed BIOS on Hetzner nodes to the latest version (they provide a tool for that), updated microcode through deb packages, and of course manually. And OVH claims they have SGX support available, so I suppose they should keep the platform up-to-date with Intel attestation server.

My concern is that there are no Forum topics or Discord discussions about GROUP_OUT_OF_DATE error and how to mitigate it. As if nobody else having this problem.

I’d like to ask for advice, also let me know which Cloud/Dedicated service providers actually deliver SGX capability that will be able to pass Intel’s attestation in the context of running a Secret node.

Thanks!

2 Likes

Hey,

This is being actively discussed in the #infrastructure channel at https://chat.scrt.network

As far as i am aware you need to disable HV in BIOS and have an external GPU, that should take out some vulnerabilities.

I think people who can really help you with this our @moonstash @the-dusky @luigi1111 As they are actively testing new machines.

@moonstash it would be great to bring those vulnerabilities to this thread so people know what is supported. Also maybe the link to the active working machines at the moment.

Here’s a WIP list put together by the infrastructure committee - https://learn.scrt.network/sgx.html

1 Like