Getting GROUP_OUT_OF_DATE with Intel attestation server

Hello folks! My name is Max, I’m a crypto enthusiast and Go developer. I’m trying to set up my own secret node for the upcoming secret main net launch, to become a validator. Unfortunately, I’ve encountered an SGX-related problem that I cannot resolve and my ideas list is empty now.

I have 2 machines with SGX-enabled CPUs from Hetzner, and 1 machine from OVH:

  • Hetzner: Intel® Core™ i9-9900K CPU @ 3.60GHz
  • OVH: Intel® Xeon® E-2288G CPU @ 3.70GHz

I’m getting the exact same attestation error when trying to set up a 0.7.0 testnet node:

$ SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave
INFO  [wasmi_runtime_enclave::registration::attestation] Attestation report: {"id":"300487276081224553918647267366511071135","timestamp":"2020-08-31T00:21:58.627896","version":4,"advisoryURL":"https://security-center.intel.com","advisoryIDs":["INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00233"],"isvEnclaveQuoteStatus":"GROUP_OUT_OF_DATE","platformInfoBlob":"...","isvEnclaveQuoteBody":"..."}
WARN  [wasmi_runtime_enclave::registration::cert] TCB level of SGX platform service is outdated. You should check for firmware updates
Platform Okay!

Processor Firmware Update (ucodeUpdate). A security upgrade for your computing
device is required for this application to continue to provide you with a high degree of security. Please contact your device manufacturer’s support website for a BIOS update
for this system

I flashed BIOS on Hetzner nodes to the latest version (they provide a tool for that), updated microcode through deb packages, and of course manually. And OVH claims they have SGX support available, so I suppose they should keep the platform up-to-date with Intel attestation server.

My concern is that there are no Forum topics or Discord discussions about the GROUP_OUT_OF_DATE error and how to mitigate it. As if nobody else is having this problem.

I’d like to ask for advice, also let me know which Cloud/Dedicated service providers actually deliver SGX capability that will be able to pass Intel’s attestation in the context of running a Secret node.

Thanks!

2 Likes

Hey,

This is being actively discussed in the #infrastructure channel at https://chat.scrt.network

As far as I am aware you need to disable HV in BIOS and have an external GPU, that should take out some vulnerabilities.

I think the people who can really help you with this are @anon60841010 @the-dusky @luigi1111, as they are actively testing new machines.

@anon60841010 it would be great to bring those vulnerabilities to this thread so people know what is supported. Also maybe the link to the active working machines at the moment.

Here’s a WIP list put together by the infrastructure committee - https://learn.scrt.network/sgx.html

1 Like
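
An added example, not part of the thread and not Secret Network's or Intel's code: a small Go triage of the attestation report line from the first post, showing how a relying party can separate the quote status from the advisory list and decide on admission. The `triage` helper, the `accepted` allow-list and the policy itself are assumptions for illustration; the status strings are those of the IAS report format, and the sample line is constructed from the log quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the report line from the first post, blobs elided as there.
const sampleLine = `INFO  [wasmi_runtime_enclave::registration::attestation] Attestation report: {"id":"300487276081224553918647267366511071135","timestamp":"2020-08-31T00:21:58.627896","version":4,"advisoryURL":"https://security-center.intel.com","advisoryIDs":["INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00233"],"isvEnclaveQuoteStatus":"GROUP_OUT_OF_DATE","platformInfoBlob":"...","isvEnclaveQuoteBody":"..."}`

// report holds the two IAS fields this triage needs.
type report struct {
	Status      string   `json:"isvEnclaveQuoteStatus"`
	AdvisoryIDs []string `json:"advisoryIDs"`
}

// triage (hypothetical helper) returns the quote status, the advisories not
// in accepted, and whether the assumed policy would admit the platform.
func triage(line string, accepted map[string]bool) (string, []string, bool, error) {
	i := strings.Index(line, "{")
	if i < 0 {
		return "", nil, false, fmt.Errorf("no JSON report in line")
	}
	var r report
	// Decoder reads one JSON value and ignores any trailing log text.
	if err := json.NewDecoder(strings.NewReader(line[i:])).Decode(&r); err != nil {
		return "", nil, false, err
	}
	var open []string
	for _, id := range r.AdvisoryIDs {
		if !accepted[id] {
			open = append(open, id)
		}
	}
	switch r.Status {
	case "OK":
		return r.Status, open, true, nil
	case "GROUP_OUT_OF_DATE", "CONFIGURATION_NEEDED", "SW_HARDENING_NEEDED",
		"CONFIGURATION_AND_SW_HARDENING_NEEDED":
		// Signature verified but TCB is behind: admit only if every listed advisory is accepted.
		return r.Status, open, len(r.AdvisoryIDs) > 0 && len(open) == 0, nil
	}
	return r.Status, open, false, nil // revoked, invalid or unknown status
}

func main() {
	status, open, ok, err := triage(sampleLine, map[string]bool{"INTEL-SA-00233": true})
	fmt.Println(status, open, ok, err)
}
```

The advisories returned as still open are the ones to chase through BIOS, microcode or configuration changes before retrying registration.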