topic Re:Remote Attestation Invalid Signature in Intel® Software Guard Extensions (Intel® SGX)

Remote Attestation Invalid Signature

mxl01 — Thu, 09 Sep 2021 13:23:06 GMT

Hello everyone,

I am trying to implement the Service Provider's side of the Remote Attestation flow in python. To debug the application, I use the same keys as in the RemoteAttestation Sample from the linux-sgx repo and so far, I am able to derive the same keys as in the sample. However, when I try to sign the Gb_Ga message in msg2, I receive a different signature than the one in the sample, although I follow the guide from the Code Sample . Actually, it irritates me that in the Sample Application, the following output is made which shows that the first half of the signature is not at all encrypted/ signed in any way.

A more descriptive representation of MSG2: RESPONSE TYPE: 0x2 RESPONSE STATUS: 0x0 0x0 RESPONSE BODY SIZE: 168 MSG2 gb - 64 bytes: { 0x6a, 0x83, 0xdc, 0x84, 0xd4, 0x4c, 0x8a, 0xbb, 0x5e, 0x42, 0xaf, 0xee, 0x8d, 0xe9, 0xf4, 0x57, 0x71, 0xfd, 0x73, 0x66, 0xd7, 0xfa, 0xad, 0xfa, 0xf2, 0x17, 0x14, 0xdd, 0x5a, 0xb9, 0x9e, 0x97, 0x79, 0xa7, 0x38, 0x72, 0xf2, 0xb8, 0xd6, 0xbe, 0x18, 0x91, 0x7f, 0xf7, 0xb5, 0xd3, 0xe5, 0x64, 0x9b, 0x12, 0x18, 0xaf, 0x39, 0x29, 0x6c, 0x24, 0x19, 0x38, 0x29, 0xb, 0xc6, 0xac, 0xc, 0x62 } MSG2 spid - 16 bytes: { 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20, 0x58, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 } MSG2 quote_type : 1 MSG2 kdf_id : 1 MSG2 sign_gb_ga - 64 bytes: { 0x6a, 0x83, 0xdc, 0x84, 0xd4, 0x4c, 0x8a, 0xbb, 0x5e, 0x42, 0xaf, 0xee, 0x8d, 0xe9, 0xf4, 0x57, 0x71, 0xfd, 0x73, 0x66, 0xd7, 0xfa, 0xad, 0xfa, 0xf2, 0x17, 0x14, 0xdd, 0x5a, 0xb9, 0x9e, 0x97, 0x49, 0xa2, 0x2c, 0xc8, 0xd4, 0xba, 0xd1, 0x3b, 0xfe, 0x72, 0xd5, 0xc3, 0x18, 0x31, 0x10, 0xd, 0x72, 0xf4, 0x92, 0xff, 0xf, 0xa0, 0x3e, 0x6f, 0x97, 0xe4, 0xaa, 0x68, 0x80, 0x69, 0x60, 0xd6 } MSG2 mac - 16 bytes: { 0xaa, 0xc7, 0xa1, 0xbb, 0x94, 0xbf, 0x2d, 0x35, 0x5f, 0x32, 0x17, 0xe4, 0xfa, 0xca, 0x61, 0x79 } MSG2 sig_rl - ( null ) Call sgx_ra_proc_msg2_ex success.

If you compare line 7ff and line 25ff, the same values are present which does not make sense to me. Also, I noted that no solution has been found to a similar question , has there been any progress so far?

Could somebody explain how the signature is derived in the Remote Attestation Sample? The sample_libcrypto file does not provide real insight into the process.

Thanks in advance!

Re: Remote Attestation Invalid Signature

JesusG_Intel — Fri, 10 Sep 2021 03:44:05 GMT

Hello Mxl01,

Pay special attention to the instructions regarding little-endian byte order in the end-to-end example. I recommend doing a search on the page for "endian" so you can find all the references.

Did you look at the function process_msg01 in sp.cpp?

If you still cannot figure it out after fixing the endian issues, I recommend installing the debug versions of the SDK and PSW so you can step into the SGX runtimes using sgx-gdb. Follow these instructions to install the debug files:

1. Install Prerequisites then download the Intel SGX for Linux source code:

$ git clone https://github.com/intel/linux-sgx.git

$ cd linux-sgx && make preparation

2. Build the debug versions of the SDK and SDK installer:

$ make sdk DEBUG=1

$ make sdk_install_pkg DEBUG=1

3. Install the SGX SDK

$ cd linux/installer/bin

$ ./sgx_linux_x64_sdk_${version}.bin

$ source ${sgx-sdk-install-path}/environment

4. Build the debug versions of the PSW and PSW installers:

$ make psw DEBUG=1

$ make deb_psw_pkg DEBUG=1

5. Install the PSW components and their symbol files.

The generated PSW installers are located under linux/installer/rpm/libsgx-urts, linux/installer/rpm/libsgx-enclave-common, linux/installer/rpm/libsgx-uae-service, linux/installer/rpm/libsgx-epid, linux/installer/rpm/libsgx-launch, linux/installer/rpm/libsgx-quote-ex and linux/installer/rpm/sgx-aesm-service

6. Execute the following commands in each PSW installer directory:

$ sudo dpkg -i *.deb

$ sudo dpkg -i *.ddeb

Now you can use sgx-gdb to step into any SGX runtime function so you can see what is happening behind the scenes.

Sincerely,

Jesus G.

Intel Customer Support

Re: Remote Attestation Invalid Signature

mxl01 — Fri, 10 Sep 2021 07:59:48 GMT

I will look into this, thanks! Still, I do not think that the used signature procedure is sensible in the RemoteAttestation Sample from the linux-sgx repository, as no signature should yield back an unmodified first half of the original buffer. If you could clear this up, it would be helpful for debugging so I know where these values in line 25ff comes from.

Re:Remote Attestation Invalid Signature

JesusG_Intel — Fri, 10 Sep 2021 16:03:21 GMT

Hello Mxl01,

You are right, the first halves of Msg2 and the signed Msg2 should not be the same. That is your first indication that something is not right. Here are my outputs from running sgx-ra-sample.

---- Msg2 Details ----------------------------------------------------------

msg2.g_b.gx = b86a9353678fd85e255825c6fefb53d4fc307dc07cd86f41aec014be5db43e0e

msg2.g_b.gy = 61e30199bec58304a5da94419effbd7fa84057ebf56369fadcf44e8ea8e5f444

msg2.spid = 512a4762b082984ff983cb5e59bee669

msg2.quote_type = 0000

msg2.kdf_id = 0100

msg2.sign_ga_gb = 471991a397d91a27326f4dea2081dbc6d1c1b9ba0ebc2be220fa757f5a0d78b1f59dbc971a676737d78c0ca2c5a9ac8b7fc92c639ac0deb5914b33951333dc72

msg2.mac = 7a5cd6f10638431b706e43c346505fed

msg2.sig_rl_size = 00000000

msg2.sig_rl =

----------------------------------------------------------------------------

+++ msg2_size = 168

Re: Remote Attestation Invalid Signature

mxl01 — Mon, 13 Sep 2021 10:00:32 GMT

Hello JesusG_Intel,

I was talking about the RemoteAttestation sample from here , if you run that sample, you get two identical first halves of the key and the signature, which should not be the case. In the sgx-sample you described, however, I am not even able to run the ./run-client command as it tells me 'This system does not support Intel SGX.' although I think I have all needed sgx drivers installed and am able to run all sample applications from above link in hardware mode. Can you give me a hint why this problem occurs?

Re:Remote Attestation Invalid Signature

JesusG_Intel — Tue, 14 Sep 2021 23:05:30 GMT

Hello Mxl01,

We are still trying to figure out why the Remote Attestation sample outputs the same values for msg2_gb_gx and msg2_sign_gb_ga_x. They are different in the sgx-ra-sample.

The function in Remote Attestation that does the signing is service_provider.cpp:506 and starts printing at isv_app.cpp:122.

Let's figure out why you can't run the sgx-ra-sample.

1. Confirm your processor has SGX enabled.

Open a terminal and run: $ cpuid | grep -i sgx

2. Check the SGX driver:

$ ls /dev | grep sgx

2. Check the PSW, especially libsgx-uae-service

$ sudo apt list --installed | grep sgx

3. Run sudo apt-get update to ensure all your components are up-to-date.

4. Setup your proxy if necessary.

Edit the file /etc/aesmd.conf (refer to the comments in the file) to set the proxy for the aesmd service.

After you configure the proxy, you need to restart the service to enable the proxy.

5. Check aesmd

$ ps aux | grep -aesm

$ sudo systemctl stop aesmd

$ sudo systemctl start aesmd

$ cat /var/log/syslog | grep -i aesm

Re: Remote Attestation Invalid Signature

mxl01 — Thu, 16 Sep 2021 10:23:14 GMT

Hello JesusG_Intel,

thanks for your detailed response, my resulting terminal output is:

1. processor sgx enabled?

> cpuid | grep -i sgx SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1): SGX: Software Guard Extensions supported = true SGX_LC: SGX launch config supported = false Software Guard Extensions (SGX) capability (0x12/0): SGX1 supported = true SGX2 supported = false SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false SGX attributes (0x12/1):

2. sgx-driver check:

> ls /dev | grep sgx isgx

3. my components are up-to-date

4. I don't think I need to configure a proxy

5. aesmd:

> ps aux | grep -aesm root 67 0.0 0.0 0 0 ? SN 13:40 0:00 [ksmd] gdm 1490 0.0 0.0 323796 8600 tty1 Sl+ 13:40 0:00 /usr/libexec/gsd-smartcard max 2039 0.0 0.0 397532 8780 ? Ssl 13:41 0:00 /usr/libexec/gsd-smartcard aesmd 6235 0.0 0.0 352572 14576 ? Ssl 13:52 0:00 /opt/intel/sgx-aesm-service/aesm/aesm_service max 7028 0.0 0.0 17672 2864 pts/0 S+ 14:04 0:00 grep --color=auto -aesm

When checking the syslog, there is actually something interesting:

Sep 16 14:19:03 max-laptop systemd[1]: aesmd.service: Succeeded. Sep 16 14:19:09 max-laptop aesm_service[10163]: [ADMIN]White List update requested Sep 16 14:19:09 max-laptop aesm_service[10163]: [load_qe ../qe_logic.cpp:680] Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004. Sep 16 14:19:09 max-laptop aesm_service[10163]: Failed to load QE3: 0x4004 Sep 16 14:19:09 max-laptop aesm_service[10163]: The server sock is 0x5644b9d506f0 Sep 16 14:19:10 max-laptop aesm_service[10163]: [ADMIN]White list update request successful for Version: 105

Error 0x4004 is (according to the developer reference) 'Enclave has no privilege to get a launch token.'

Is the launch token error the problem for my inability to launch the sgx-ra-sample client? Or does my system simply not have the sgx standards needed? Thanks in advance!

Re:Remote Attestation Invalid Signature

JesusG_Intel — Thu, 16 Sep 2021 20:35:34 GMT

Hello Mxl01,

It seems you are missing the PSW component: libsgx-uae-service. Install it with:

$sudo apt get libsgx-uae-service

Ensure you install all of the PSW components with:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx-uae-service

Here is how to follow the code in the sgx-ra-sample to find where it is not detecting SGX:

client.cpp:373 sgx_support = get_sgx_support();

sgx_detect_linux.c:44 if (! have_sgx_psw()) return sgx_support;

sgx_stub.c:196

int have_sgx_psw()

{

return (

_load_libsgx_uae_service() == NULL ||

_load_libsgx_urts() == NULL

) ? 0 : 1;

}

Sincerely,

Jesus G.

Intel Customer Support

Re:Remote Attestation Invalid Signature

JesusG_Intel — Tue, 21 Sep 2021 17:29:39 GMT

Hello Mxl01,

Were you able to install libsgx-uae-service and get the sgx-ra-sample running? We recommend using the sgx-ra-sample over the RemoteAttestation sample in the SDK.

Sincerely,

Jesus G.

Intel Customer Suppor

Re:Remote Attestation Invalid Signature

JesusG_Intel — Fri, 24 Sep 2021 14:55:38 GMT

Hello Mxl01,

I hope the information I provided was helpful to you. Since we haven't heard from you I will close this case. If you need further assistance with this issue, please open a new thread.

Sincerely,

Jesus G.

Intel Customer Support