topic Hi Sijie, in Intel® Software Guard Extensions (Intel® SGX)

Question about SGX remote attestation

Sijie_D_ — Sun, 17 Jan 2016 20:51:38 GMT

Hi,

I'm looking into the sample code shipped with the SGX windows sdk as well as the user guide document.

It seems that the last step of attestation is service provider receiving and verifying MSG3 which includes the REPORT_DATA generated by the quoting enclave.

I'm wondering, how could a service provider verify that the REPORT is actually generated by the quoting enclave, but not some fake report generated by some malware. I know that the report should be signed by the quoting enclave using hardware based EPID, but how could the service provider get the public key corresponding to the EPID?

In the sample code, it used a simulated Intel attestation service (IAS). Should the verification mentioned above done by IAS? Is the IAS a mandatory component of remote attestation framework?

A full explanation of the

Simon_J_Intel — Tue, 15 Mar 2016 21:33:37 GMT

A full explanation of the Intel Attestation architecture can be found at the recent blog post: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services

Hi,

Min_X_ — Tue, 19 Apr 2016 20:25:18 GMT

Hi,

For RemoteAttestation sample code in the SDK, in debug mode, when I invoke enclave_init_ra with b_pse as true, the sgx_create_pse_session() function will always fail. Is this normal?

In addition, does the msg3 contain a quote attested by the local quoting enclave with the attestation key? If not, how can I get a valid quote with the sample RemoteAttestation project?

Thanks.

Min

Hello,

Luis_M_5 — Wed, 20 Apr 2016 07:24:00 GMT

Hello,

I'm trying to use SGX Attestation development environment after registering and obtaining my SPID. Although I can sucessfully connect to the attestation server, I can't manage to guess the right way to query the services. SGX provisioning and attestation whitepaper refers to:

- GetSigRL[GID]
- VerifyQuote

as the two main interfaces available, but every creative attempt to access an URL related to those interfaces returns a 404.

Could you please provide more information or an example about the attestation API?

Thanks,
Luis M.

Hi Min,

Kuppusamy_R_Intel — Fri, 22 Apr 2016 05:06:01 GMT

Hi Min,

1. When I invoke enclave_init_ra with b_pse as true, the sgx_create_pse_session() function will always fail. Is this normal?

Answer : Some platforms do not have firmware support for platform services enclave, which would cause this function to fail. In this case, you should set b_pse=false and call enclave_init_ra again and make a code path where sgx_create_pse_session() is not called.

2. Does the msg3 contain a quote attested by the local quoting enclave with the attestation key?

Answer : Yes. You can see this in the sample RemoteAttestation project. The quote is produced by sgx_ra_proc_msg2(). As stated in the User's Guide: "The code in sgx_ra_ proc_msg2() builds S3 = CMAC(SMKCMAC,M)||M where M = ga||PS_SECURITY_PROPERTY|| QUOTE and returns it. Platform Services Security Information is included only if the app/enclave uses Platform Services"

Thanks,
Kuppusamy.R

Hi Luis,

Kuppusamy_R_Intel — Fri, 22 Apr 2016 05:12:18 GMT

Hi Luis,

As stated in https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services: The attestation service is available to all SGX developers. For developers that have built their enclaves and are ready to access the Intel Attestation Verification Service referenced in the paper, please contact intel.developer.services@intel.com for additional information.

Thanks,
Kuppusamy.R

Hi Sijie,

Kuppusamy_R_Intel — Fri, 22 Apr 2016 09:41:00 GMT

Hi Sijie,

The service provider doesn't need to have the EPID key if it connects to IAS, which has this information for verification. IAS is not necessary if the service provider wants to do this work itself, but IAS is a free service and easy to use. From https://software.intel.com/en-us/articles/innovative-technology-for-cpu-based-attestation-and-sealing: “The challenger [service provider] uses an EPID public key certificate and revocation information or an attestation verification service to validate the signature over the Quote.”

Thanks,
Kuppusamy.R

Hi Kuppusamy,

Min_X_ — Fri, 22 Apr 2016 18:50:01 GMT

Hi Kuppusamy,

First, I am running the code on a Window10 machine with SGX support. The PSW is also installed, and the aesm_service is running. So what are these Platform Services that sgx_create_pse_session() tries to create a session with? What's the implication if the pse_session is not initialized before a remote attestation?

Assuming the platform services include the local quoting enclave, if b_pse is set to false, and sgx_create_pse_session() is not invoked, then the application's enclave cannot establish a secure channel with the local quoting enclave, right? Then, how does the app enclave and the quoting enclave securely communicate with each other?

Thanks.

Min

Hi Kuppusamy,

Sijie_D_ — Sat, 23 Apr 2016 19:51:38 GMT

Hi Kuppusamy,

Thank you for the reply.

In your reply you mentioned that "IAS is not necessary if the service provider wants to do this work itself, but IAS is a free service and easy to use". While, what did you mean by "if the service provider wants to do this work itself"? Based on my understanding to SGX, the "this work" you mentioned corresponds to verifying the authenticity of the report generated by the quoting enclave. Well, if this is correct, I don't know how to do it without interacting with Intel IAS.

In my opinion, the report generated by the quoting enclave contains some hardware specific credential that can only be verified by Intel...

Or, maybe there are some serious mistakes on my understanding of the attestation picture. If it is true, please very kindly correct me.

Thanks a lot.

Sincerely,

Sijie

Hi Sijie,

Kuppusamy_R_Intel — Tue, 26 Apr 2016 11:30:00 GMT

Hi Sijie,

yes your are right, the Intel Attestation Service is necessary for now

Thanks,
Kuppusamy.R

Hi Kuppusamy,

Luis_M_5 — Tue, 26 Apr 2016 13:53:33 GMT

Hi Kuppusamy,

thanks for your answer. I'm already registered at the development Intel Attestation Service, and received my SPID. Unfortunately, there is no public specification about how to verify a quote through the IAS. The interfaces "GetSigRL" and "VerifyQuote" are mentioned on some documents, but they are useless without the proper spec.

Could you please disclose the spec for the IAS HTTP API? Without it, the IAS can´t be used.

Thanks,
Luis

Hi Min,

Kuppusamy_R_Intel — Wed, 27 Apr 2016 05:01:02 GMT

Hi Min,

The Quoting Enclave is independent of Platform Services, and PSE is not necessary for there to be a secure channel with the quoting enclave.

Thanks,
Kuppusamy.R

Hi Luis,

Kuppusamy_R_Intel — Thu, 28 Apr 2016 07:43:06 GMT

Hi Luis,

The information will be published very shortly. I don’t have a precise timeline yet.

Thanks,
Kuppusamy.R

Hi Luis,

Kuppusamy_R_Intel — Fri, 29 Apr 2016 04:32:52 GMT

Hi Luis,

Spec details of Intel® Attestation Service API document https://software.intel.com/sites/default/files/managed/3d/c8/IAS_1_0_API_spec_1_1_Final.pdf

Thanks,
Kuppusamy.R

Hi,

Min_X_ — Tue, 03 May 2016 02:03:04 GMT

Hi,

I am trying to get a quote for a simple Debug mode enclave. I first call the sgx_init_quote to get the target info of the QE. Then, I call the sgx_create_report with the QE's target info to generate a report of the enclave targeted for the QE. Finally, I call sgx_get_quote with the report to get the quote. One thing that confuses me is the sgx_spid_t parameter of the sgx_get_quote API, and I have no idea how this parameter can be derived.

With above design, the sgx_get_quote always fails with the SGX_ERROR_INVALID_PARAMETER error. Does anyone have any experience in using these two APIs? Do I miss something on correctly triggering a QE?

Another question is how to create "New Topic" on this forum, and I kept getting error saying that my post is filtered as spam.

Thanks.

Min

Many thanks!

Luis_M_5 — Tue, 03 May 2016 09:54:24 GMT

Many thanks!

Hi Min,

Kuppusamy_R_Intel — Wed, 04 May 2016 11:44:00 GMT

Hi Min,

sgx_get_quote generates a linkable or un-linkable QUOTE.
Syntax
sgx_status_t sgx_get_quote(
const sgx_report_t *p_report,
sgx_quote_sign_type_t quote_type,
const sgx_spid_t *p_spid,
const sgx_quote_nonce_t *p_nonce,
const uint8_t *p_sig_rl,
uint32_t sig_rl_size,
sgx_report_t *p_qe_report, sgx_quote_t *p_quote,
uint32_t quote_size );

Parameter sgx_spid_t[in] is ID of service provider.

When user will get SGX_ERROR_INVALID_PARAMETER : The p_quote_size pointer is invalid or the other input parameters are corrupted/invalid.

Thanks,
Kuppusamy.R

Hi Kuppusamy and everyone who

Sijie_D_ — Mon, 09 May 2016 18:15:00 GMT

Hi Kuppusamy and everyone who is exploring SGX,

I read through the Intel Attestation Service API and it helped a lot. But still, I can't get the correct response from the IAS.

I only have little experience with http service and not to say JSON... So, I can't figure out how to make a correct http request based on the information in the given document.

For example, based on my understanding to the document, the interaction between IAS and the service provider includes two main steps:

1. Set up a secure channel and do authentication on both sides. 2. Service provider send received evidence to IAS to have it verified.

But I can't figure out how to code to get them work correctly.

So, has any one successfully made connection with IAS and got some responses from it? Would you please share the sample code or even a step-by-step instruction on doing this? Any clue could help!

Many thanks!

Sijie

Hi Sijie D,

Kuppusamy_R_Intel — Tue, 10 May 2016 12:07:43 GMT

Hi Sijie D,

Hope, you have tried SGX sample application available with SGX SDK kit,

https://software.intel.com/en-us/sgx-sdk/download

Thanks,

Kuppusamy.R

Hi,

Konrad_R_Intel — Thu, 12 May 2016 13:17:00 GMT

Hi,
I also have some problems with attestation.
Also I'm already registered at the development Intel Attestation Service, and received my SPID.
I tried to get quote to send it to IAS, but I can't create and verify report correctly - I get "SGX_ERROR_MAC_MISMATCH" as a result.
Below is more or less the code I'm using to generate it:

    sgx_report_data_t sgxReportData;  
    memset(sgxReportData.d, 0, SGX_REPORT_DATA_SIZE);  
    sgx_report_t sgxReport;  
    sgx_status_t reportStatus = sgx_create_report(nullptr, &sgxReportData, &sgxReport);  
    if (reportStatus != SGX_SUCCESS)  
    {  
        return reportStatus;  
    }  
    sgx_status_t verificationStatus = sgx_verify_report(&sgxReport);  
    if (verificationStatus != SGX_SUCCESS)  
    {  
        return verificationStatus;  
    }

I'm 100% sure that function exits in line 12 with status SGX_ERROR_MAC_MISMATCH and reportStatus is SGX_SUCCESS.
This happens both in Prerelease and Simulation modes.
What am I doing wrong?

I also tried to do attestation using sample code from sgxsdk package, with no success.
Could I get a list of changes that have to be done in order to make it work?