Intel® Software Guard Extensions Remote Attestation Sample Code now available

Surenthar_S_Intel — Wed, 27 Jul 2016 07:20:31 GMT

Remote Attestation sample now live

https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example

-Surenthar.

Wow, its good to hear new

Sam5 — Fri, 29 Jul 2016 06:31:17 GMT

Wow, its good to hear new sample application for remote attestation.

Thanks

Thanks so much for sharing,

Chenghong_W_ — Tue, 02 Aug 2016 01:31:17 GMT

Thanks so much for sharing, really helps my project.

Thanks,

Chenghong

Is there an equivalent of

Rodolfo_S_ — Tue, 09 Aug 2016 20:22:47 GMT

Is there an equivalent of this code available for the SGX SDK for Linux?

Cheers,

Rodolfo

At this time there are no

Surenthar_S_Intel — Wed, 10 Aug 2016 05:06:19 GMT

At this time there are no plans to provide a remote attestation sample for Linux OS

Hi Surenthar,

Zhicong_H_ — Fri, 21 Oct 2016 08:36:56 GMT

Hi Surenthar,

There is probably a small bug in the above sample code. It will never encrypt/decrypt the message if I run with simulated IAS.

In the Server code "Msg4Builder.cs":

private void BuildNonIasMessage4(SpSequenceCheck sigmaSequenceCheck)
        {
            ...
                msg4.respHeader.respStatus = BitConverter.GetBytes((UInt32)enStatusCodes.raErrNone);
            ...

                // This is the successful end of the sequence. 
                // Reset the state machine and return M4
                log.Info("*********** Remote Attestation Sequence Successful with Simulated IAS");
                log.Info("*********** Sending Msg4");
            ...
        }

Here when the attestation is successful ( I know the IAS is simulated and always returns success, but still the message sequence is successful as you commented in the code ), the msg4.respHeader.respStatus is set to raErrNone, which is defined in "Constants.cs":

public enum enStatusCodes : uint
    {
        raErrNone = 0x00,                    // 00, Success
        raErrReqRejected = 0x01,             // 01, External error, ALL  - request message was rejected
        raErrInternal = 0x02,                // 03, Internal error, for debug only
        raErrUnknown = 0x03,                 // 04, Internal error, a handshake error that is not expected.
        raErrMeasurement = 0x10,             // 10, Enclave measurement mismatch error from SP RA server
        raErrKeyCheckFail = 0x11,            // 11, SP RA server error checking ga in Msg3
        raErrCmacCheckFail = 0x12,           // 12, SP RA server error checking CMACsmk in Msg3
        raErrQuoteCheckFail = 0x13,          // 13, SP RA server error checking Quote in Msg3
        raErrREPORTDATACheckFail = 0x14,     // 14, SP RA server error checking REPORTDATA field for Msg3 replay
        raErrVerificationSigCheckFail = 0x15,// 15, SP RA server error checking verification report signature from IAS
        raErrIasGetSuccess = 0xC8,           // C8, (decimal 200) GET Operation success from IAS
        raErrIasCreated = 0xC9,              // C9, (decimal 201) Create Report successful from IAS
        raErrIasBadRequest = 0x190,          // 190, (decimal 400) Invalid Evidence Payload from IAS
        raErrIasUnauth = 0x191,              // 191, (decimal 401) Unauthorized response from IAS
        raErrIasNotFound = 0x194,            // 194, (decimal 404) Not Found response from IAS
        raErrIasInternal = 0x1F4,            // 1F4, (decimal 500) Internal Error from IAS
        raErrIasUnknown = 0x208              // 208, (decimal 520) Unknown IAS Error or Connection Error
    }

However, in the Client code "RemoteAttestation.cpp":

pplx::task<int> PostM3Request(){
	return pplx::create_task([]() -> pplx::task<http_response>{
		...
	}).then([](http_response response) -> int{
		if (response.status_code() == status_codes::OK)	{
			...
			responseHeader[L"respStatus"] = web::json::value::string(jsonDeserial.buildJsonObject(responseMessage.respHeader.getRespStatus(), 4));
			...
			jsonDeserial.deserializeRespHeader(Pvalue1, m4ResponseMessage.respHeader);
			int status = converter.byteArrayToInt(m4ResponseMessage.respHeader.respStatus);
			if (status == 200 || status == 201){
				jsonDeserial.deserializeM4RespBody(Pvalue0, m4ResponseMessage.respMsg4Body);
			}
			else if (status == 400){
				cout <<endl<< "M4 Post response error with status code " << status << endl 
					<<"Quote Attestation with IAS Failed. Check server logs for more info"<<endl;
				AbortProcess();
			}
			else {
				cout << "M4 Post response error with status code " << status << endl;
				AbortProcess();
			}
		}
		else {
			cout << "M4 Post response error with status code " << response.status_code() << endl;
			AbortProcess();
		}
		return 0;
	});
}

When the Client receives the msg4 from the Server, the "m4ResponseMessage.respHeader.respStatus" should be 0, right? Then the program will abort because you only accept "200" and "201". So I think here you should also accept "0", otherwise the program doesn't go through when I run with simulated IAS. BTW, after I changed it to accept "0", it indeeds encrypts/decrypts the message successfully.

Do I misunderstand the code somewhere, or is it really a bug?

Thanks,

Zhicong

Hi Surenthar,

Marcell_Feher__Choco — Fri, 04 Nov 2016 14:27:10 GMT

Hi Surenthar,

It appears to be possible to run the remote attestation example on Linux at least in Debug mode, but communicating with the real Intel EPID server. The only thing required after standard installation of the driver, PSW and SDK is to copy the sdk/sample_libcrypto folder into SampleCode/RemoteAttestation and make the project.

# Run from the extracted 'linux-sdk' folder
cp -R ./sdk/sample_libcrypto/ ./SampleCode/RemoteAttestation/ && cd ./SampleCode/RemoteAttestation/ && make SGX_MODE=HW SGX_DEBUG=1 && ./app

Best,

Marcell

Surenthar Selvaraj. (Intel) wrote:

At this time there are no plans to provide a remote attestation sample for Linux OS

topic Hi Surenthar, in Intel® Software Guard Extensions (Intel® SGX)

Intel® Software Guard Extensions Remote Attestation Sample Code now available

Wow, its good to hear new

Thanks so much for sharing,

Is there an equivalent of

At this time there are no

Hi Surenthar,

Hi Surenthar,