Minimizing trust for SGX TCBInfo verification

The Trusted Computing Base (TCB) consists of all computing components that cannot be externally verified and must therefore be trusted. In the case of SGX (and TDX), the TCB includes the SGX attestation software, microcode updates (MCUs), and authenticated code modules. (For an overview of TCB components, see here).

When security vulnerabilities are detected or reported to Intel, the company initiates a TCB recovery process. This involves issuing new Platform Certification Key (PCK) certificates to reflect the updated TCB components and updating the attestation collateral used for verification. Additionally, Intel runs a service that provides the latest TCBInfo as JSON-formatted data.

What is the issue?

Data hosted on the web is vulnerable to compromise and should not be relied upon as the sole source of truth for security. To ensure integrity, Intel signs all TCB recovery data. It is essential to verify that the TCB information provided by the service (e.g., this) has been legitimately signed by Intel and not by an unauthorized party.

How did we resolve this security gap?

Following a suggestion from Andrew Miller, Poetic Technologies has deployed a smart contract on Neutron to verify Intel’s signature on TCB recovery data. While we still depend on Intel for TCB-R updates, this approach safeguards against attempts to inject fraudulent TCB recovery data that could enable malicious exploitation of vulnerabilities.
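To make concrete what such a verifier has to check, here is an added Python example (not code from the Poetic Technologies contract or updater) that validates the ECDSA P-256 / SHA-256 signature in the "signature" field over the raw bytes of the "tcbInfo" object. It assumes the document layout Intel's PCS uses ({"tcbInfo": {...}, "signature": "<hex r||s>"}); the signing key and the tcbInfo body are constructed test values, and a real verifier must additionally check that the signing key chains to Intel's root CA and that the document's validity window has not expired.

```python
import hashlib, json, secrets  # stdlib only: P-256 is implemented below so nothing else is needed

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 field prime
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):  # double-and-add (not constant-time; fine for verification)
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def tcbinfo_body(raw: bytes) -> bytes:
    """Exact bytes of the "tcbInfo" value as serialised; the signature covers these, not a re-encoding."""
    text = raw.decode()
    start = text.index("{", text.index('"tcbInfo"') + 9)
    _, end = json.JSONDecoder().raw_decode(text, start)
    return text[start:end].encode()

def verify_tcbinfo(raw: bytes, pub) -> bool:  # ECDSA P-256/SHA-256; "signature" is hex(r || s)
    sig = bytes.fromhex(json.loads(raw)["signature"])
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N): return False
    e = int.from_bytes(hashlib.sha256(tcbinfo_body(raw)).digest(), "big")
    pt = _add(_mul(e * pow(s, -1, N) % N, G), _mul(r * pow(s, -1, N) % N, pub))
    return pt is not None and pt[0] % N == r

def sign_tcbinfo(body: bytes, priv: int) -> bytes:
    """Test-only signer so the example runs offline; returns a complete signed document."""
    e = int.from_bytes(hashlib.sha256(body).digest(), "big")
    k = secrets.randbelow(N - 1) + 1  # r == 0 or s == 0 has negligible probability for random k
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return b'{"tcbInfo":%s,"signature":"%s"}' % (body, sig.hex().encode())

TEST_PRIV = secrets.randbelow(N - 1) + 1  # constructed throwaway key, NOT Intel's TCB signing key
TEST_PUB = _mul(TEST_PRIV, G)
SAMPLE_DOC = sign_tcbinfo(b'{"id":"SGX","version":3,"tcbEvaluationDataNumber":17,"tcbLevels":[]}', TEST_PRIV)
```

Any change to the tcbInfo bytes, including re-serialising with different whitespace, or a signature from a key other than the expected one, makes verify_tcbinfo return False.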

To keep the on-chain TCB-Info database up to date, we run a service that queries Intel’s API every hour, precisely at minute 0, and updates the database accordingly.

Reducing trust assumptions

Since the update process involves a non-verifiable intermediary (i.e., the updater infrastructure), a valid concern arises: why should anyone trust it?

Currently, the only updater is being run by Poetic Tech. However, we encourage other interested parties to run their own updaters to ensure decentralization and reduce reliance on a single host.

How to deploy your own updater?

Clone this repository (note the non-main branch).

cd crates/utils/tcbinfo-updater
cargo build --release
cargo run --release -- "https://neutron-rpc.publicnode.com:443" "neutron-1" "neutron1e65rs0zs2n2vraqqgaqn6l5fg0yyj38au7z6xnsl55pzs7nugc0q2ta7js" "tcbinfo-updater" "1000000"

The positional string arguments are, in order: the RPC node URL, the chain ID, the address of the TCB verifier contract, a contract alias, and the gas.

To automate the process, set up a cron job to execute the last command at regular intervals.

What’s next?

This contract only verifies signatures on standard updates. Supporting signatures on early updates is straightforward but has not been implemented yet.

We welcome any kind of feedback, including additional feature requests.
