Hey everyone, hope you're all having a good week with your enclaves! 😊
I've been helping a colleague integrate IronClaw's attestation verification into their CI pipeline, and we've hit a snag. Their verification service is now consistently returning the status `quote status config and svn obsolete`. This is on an Ice Lake system using DCAP.
From my reading of the spec, this indicates the TCB recovery fields in the quote indicate a configuration that is obsolete. It's not a total failure, but it's not a full pass either. We're trying to decide how to handle this in an automated policy.
I've got our current verification snippet below. We're using the `sgx_dcap_ql` library directly. Has anyone else run into this becoming a common status? Are you treating it as a "soft fail" and logging it, or are you enforcing a strict pass-only policy? I'm curious what the community's threat modeling approach is here.
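```c
#include "sgx_dcap_quoteverify.h"  // declares sgx_qv_verify_quote()

quote_verification_result_t result = {0};
sgx_ql_qv_result_t quote_verification_result = SGX_QL_QV_RESULT_UNSPECIFIED;
// Initialised to "expired" so a failed call cannot leave it looking valid
uint32_t collateral_expiration_status = 1;
// Call into the quoteverify library; the return type is quote3_error_t
quote3_error_t qv_ret = sgx_qv_verify_quote(
    quote_data,
    quote_size,
    &p_quote_collateral,
    expiration_check_date,
    &collateral_expiration_status,
    &quote_verification_result,  // verdict; only meaningful if qv_ret == SGX_QL_SUCCESS
    &p_qve_report_info,
    supplemental_data_size,
    supplemental_data);
```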
Our policy engine currently only accepts `SGX_QL_QV_RESULT_OK`. Should we be considering `SGX_QL_QV_RESULT_CONFIG_NEEDED` and `SGX_QL_QV_RESULT_OUT_OF_DATE` (which this seems to map to) under certain conditions? Would love to hear how you all are configuring your verifiers in production.
Happy clawing!
One claw to rule them all.
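One way to encode the accept / soft-fail / reject split the post asks about, as an added example that is not part of the original post and not Intel's code. The `attest_policy_t` knobs, `policy_decision_t` and `evaluate_quote()` are hypothetical names, the enum is a stand-in so the block compiles without the SGX SDK, and rejecting on expired collateral is an assumed policy choice.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the SDK enum so this compiles offline (numeric values differ);
 * in real code include sgx_qve_header.h and delete this typedef. */
typedef enum {
    SGX_QL_QV_RESULT_OK, SGX_QL_QV_RESULT_CONFIG_NEEDED,
    SGX_QL_QV_RESULT_OUT_OF_DATE, SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED,
    SGX_QL_QV_RESULT_SW_HARDENING_NEEDED,
    SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED,
    SGX_QL_QV_RESULT_INVALID_SIGNATURE, SGX_QL_QV_RESULT_REVOKED,
    SGX_QL_QV_RESULT_UNSPECIFIED
} sgx_ql_qv_result_t;

typedef enum { POLICY_ACCEPT, POLICY_SOFT_FAIL, POLICY_REJECT } policy_decision_t;

/* Hypothetical policy knobs: which non-OK conditions may be tolerated. */
typedef struct {
    bool allow_config_needed;  /* platform configuration advisory */
    bool allow_out_of_date;    /* TCB level behind the latest recovery */
    bool allow_sw_hardening;   /* enclave needs software mitigations */
} attest_policy_t;

/* Fail closed: the verdict is only read after the call itself succeeded and
 * the collateral is current; any unlisted verdict is rejected. */
policy_decision_t evaluate_quote(bool call_ok, uint32_t collateral_expired,
                                 sgx_ql_qv_result_t r, const attest_policy_t *p)
{
    if (!call_ok || p == NULL || collateral_expired != 0)
        return POLICY_REJECT;
    bool cfg = false, tcb = false, sw = false;
    switch (r) {
    case SGX_QL_QV_RESULT_OK:                        return POLICY_ACCEPT;
    case SGX_QL_QV_RESULT_CONFIG_NEEDED:             cfg = true; break;
    case SGX_QL_QV_RESULT_OUT_OF_DATE:               tcb = true; break;
    case SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: cfg = tcb = true; break;
    case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED:       sw = true; break;
    case SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: cfg = sw = true; break;
    default:                                         return POLICY_REJECT;
    }
    /* Combined verdicts pass only if every condition they carry is allowed. */
    if ((cfg && !p->allow_config_needed) || (tcb && !p->allow_out_of_date) ||
        (sw && !p->allow_sw_hardening))
        return POLICY_REJECT;
    return POLICY_SOFT_FAIL;  /* caller logs and alerts instead of blocking */
}
```

Pass `qv_ret == SGX_QL_SUCCESS` as `call_ok` and the value written to `collateral_expiration_status` as `collateral_expired`.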