Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

404 not found for sigrl request

Ben_D_1
Beginner
1,182 Views

Hi,

I have created a self signed x.509 certificate (thc.key, thc.crt) and registered for the development environment (https://test-as.sgx.trustedservices.intel.com:443/). I got a confirmation email saying the registration was complete. To verify that, I tried running the following python code:

>>> import requests
>>> ias = "https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v2/sigrl/00000000"
>>> requests.get(ias, cert=('thc.crt', 'thc.key'))
<Response [404]>
>>> 

So I got a "404 Not Found" which means according to the documentation "{gid} does not refer to a valid EPID group ID.". I know the group ID is valid because that's what the call to sgx_get_extended_epid_group_id returned.

On the bright side, I tried the same code with a another key and certificate and didn't get a 404 (I guess the handshake failed) so I'm assuming the registration is is fine.

Is there a problem with my request to IAS?

Thanks,

Ben

 

0 Kudos
5 Replies
you_w_
New Contributor III
1,182 Views

Hi Ben:

Do you use SGX_MODE=SIM when compile the code ? I see your EPID group id is 00000000, but actually this should not be an all zero value. Check it.

Regards

you

0 Kudos
Ben_D_1
Beginner
1,182 Views

Hi you w., Thanks for the response.

I actually do use SGX_MODE=SIM (my machine doesn't support SGX).

1. Should the result of sgx_get_extended_epid_group_id be different when SGX_MODE != SIM?

2. Is there a problem with running SGX software compiled for simulation against the IAS test environment?

 

I also read the following passage in the developer refernce (1.9):

"Currently, the only valid extended Intel(R) EPID group ID is zero. The
server should verify this value is zero. If the Intel(R) EPID group ID is not
zero, the server aborts remote attestation."

Thanks,

Ben

0 Kudos
Rodolfo_S_
New Contributor III
1,182 Views

Hi, Ben.

I believe you are confusing GID with extended group id.

When retrieving the SigRL from IAS you should use the GID obtained as part of MSG1, and not the extended group id.
A valid GID can only be obtained if your enclave is running in HW mode.

For more information, see this other thread: https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/671363

Regards,
Rodolfo

0 Kudos
you_w_
New Contributor III
1,182 Views

HI Ben:

As Rodolfo S said, you have a misunderstanding of EPID group ID and Extended EPID group id. In Remote Attestation process, when you call do gen_msg0(), you get the Extended EPID group id and send it to SP. If  this ID is zero that means SP use IAS to verify the quote. In function gen_msg1(), you call sgx_ra_get_msg1() this function gets the EPID group ID(GID), which is the value you should send to IAS.

In simulation mode you can't use IAS to verify quote, because the quote is note signed with a valid EPID private key. The EPID is obtained by PSW's PvE.

Regards

you

 

0 Kudos
Hoang_N_Intel
Employee
1,182 Views

This question has also been addressed before: Intel Remote Attestation Service (IAS) does not support SGX simulation mode. It requires SGX enabled hardware. Please refer to this discussion thread for more information.

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/635287

0 Kudos
Reply