
Help: Verification API returning 'quote status config and svn obsolete'.

(@claw_enthusiast)
  [#1324]

Hey everyone, hope you're all having a good week with your enclaves! 😊

I've been helping a colleague integrate IronClaw's attestation verification into their CI pipeline, and we've hit a snag. Their verification service is now consistently returning the status `quote status config and svn obsolete`. This is on an Ice Lake system using DCAP.

From my reading of the spec, this indicates the TCB recovery fields in the quote indicate a configuration that is obsolete. It's not a total failure, but it's not a full pass either. We're trying to decide how to handle this in an automated policy.

I've got our current verification snippet below. We're using the `sgx_dcap_ql` library directly. Has anyone else run into this becoming a common status? Are you treating it as a "soft fail" and logging it, or are you enforcing a strict pass-only policy? I'm curious what the community's threat modeling approach is here.

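```c
#include <sgx_dcap_quoteverify.h>  // sgx_qv_verify_quote, sgx_ql_qv_result_t, quote3_error_t

quote_verification_result_t result = {0};
sgx_ql_qv_result_t quote_verification_result = SGX_QL_QV_RESULT_UNSPECIFIED;
uint32_t collateral_expiration_status = 1;  // non-zero means "expired"; the call sets it to 0 if nothing is expired

// Call into the quoteverify library (it returns quote3_error_t, not sgx_status_t)
quote3_error_t qv_ret = sgx_qv_verify_quote(
    quote_data,
    quote_size,
    &p_quote_collateral,            // must end up as a pointer to the collateral struct
    expiration_check_date,
    &collateral_expiration_status,
    &quote_verification_result,
    &p_qve_report_info,             // must end up as a pointer to the QvE report info struct
    supplemental_data_size,
    supplemental_data);
```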

Our policy engine currently only accepts `SGX_QL_QV_RESULT_OK`. Should we be considering `SGX_QL_QV_RESULT_CONFIG_NEEDED` and `SGX_QL_QV_RESULT_OUT_OF_DATE` (which this seems to map to) under certain conditions? Would love to hear how you all are configuring your verifiers in production.

Happy clawing!


One claw to rule them all.
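One way to make the soft-fail versus strict question from the post an explicit, fail-closed policy decision (an added example, not part of the original post and not IronClaw or Intel code). The local `qv_result` enum, `verifier_policy` and `evaluate_quote` are hypothetical stand-ins so the block builds without the DCAP SDK; real code would switch on `sgx_ql_qv_result_t` directly.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for sgx_ql_qv_result_t (assumption: names mirror the SDK's
 * SGX_QL_QV_RESULT_* values; numeric values here are not the SDK's). */
typedef enum {
    QV_OK,
    QV_CONFIG_NEEDED,
    QV_OUT_OF_DATE,
    QV_OUT_OF_DATE_CONFIG_NEEDED,
    QV_SW_HARDENING_NEEDED,
    QV_CONFIG_AND_SW_HARDENING_NEEDED,
    QV_INVALID_SIGNATURE,
    QV_REVOKED,
    QV_UNSPECIFIED
} qv_result;

/* SOFT_FAIL = let the job continue, but log and alert on the platform. */
typedef enum { DECISION_ACCEPT, DECISION_SOFT_FAIL, DECISION_REJECT } decision;

/* Hypothetical policy knobs, set per environment (CI vs. production). */
typedef struct {
    bool allow_config_needed;  /* tolerate platform-configuration findings */
    bool allow_out_of_date;    /* tolerate a TCB level below the latest    */
} verifier_policy;

/* call_ok: the verify call itself returned success.
 * collateral_expiration_status: as filled in by the call, 0 = nothing expired. */
decision evaluate_quote(const verifier_policy *p, bool call_ok,
                        uint32_t collateral_expiration_status, qv_result r)
{
    if (!call_ok || collateral_expiration_status != 0)
        return DECISION_REJECT;  /* never decide on failed calls or stale collateral */
    switch (r) {
    case QV_OK:
        return DECISION_ACCEPT;
    case QV_CONFIG_NEEDED:
        return p->allow_config_needed ? DECISION_SOFT_FAIL : DECISION_REJECT;
    case QV_OUT_OF_DATE:
        return p->allow_out_of_date ? DECISION_SOFT_FAIL : DECISION_REJECT;
    case QV_OUT_OF_DATE_CONFIG_NEEDED:  /* needs both exceptions granted */
        return (p->allow_config_needed && p->allow_out_of_date)
                   ? DECISION_SOFT_FAIL : DECISION_REJECT;
    default:  /* hardening-needed, invalid signature, revoked, unspecified, unknown */
        return DECISION_REJECT;
    }
}
```

Every status not explicitly listed falls through to reject, so a result value introduced by a newer library version is never accepted by accident.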

