Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

404 not found for sigrl request

Ben_D_1
Beginner
776 Views

Hi,

I have created a self-signed X.509 certificate (thc.key, thc.crt) and registered for the development environment (https://test-as.sgx.trustedservices.intel.com:443/). I got a confirmation email saying the registration was complete. To verify that, I tried running the following Python code:

>>> import requests
>>> ias = "https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v2/sigrl/00000000"
>>> requests.get(ias, cert=('thc.crt', 'thc.key'))
<Response [404]>
>>> 

So I got a "404 Not Found" which means according to the documentation "{gid} does not refer to a valid EPID group ID.". I know the group ID is valid because that's what the call to sgx_get_extended_epid_group_id returned.

On the bright side, I tried the same code with another key and certificate and didn't get a 404 (I guess the handshake failed) so I'm assuming the registration is fine.

Is there a problem with my request to IAS?

Thanks,

Ben

0 Kudos
5 Replies
you_w_
New Contributor III
776 Views

Hi Ben:

Do you use SGX_MODE=SIM when compiling the code? I see your EPID group ID is 00000000, but actually this should not be an all-zero value. Check it.

Regards

you

0 Kudos
Ben_D_1
Beginner
776 Views

Hi you w., Thanks for the response.

I actually do use SGX_MODE=SIM (my machine doesn't support SGX).

1. Should the result of sgx_get_extended_epid_group_id be different when SGX_MODE != SIM?

2. Is there a problem with running SGX software compiled for simulation against the IAS test environment?

I also read the following passage in the developer reference (1.9):

"Currently, the only valid extended Intel(R) EPID group ID is zero. The
server should verify this value is zero. If the Intel(R) EPID group ID is not
zero, the server aborts remote attestation."

Thanks,

Ben

0 Kudos
Rodolfo_S_
New Contributor III
776 Views

Hi, Ben.

I believe you are confusing GID with extended group id.

When retrieving the SigRL from IAS you should use the GID obtained as part of MSG1, and not the extended group id.
A valid GID can only be obtained if your enclave is running in HW mode.

For more information, see this other thread: https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/671363

Regards,
Rodolfo

0 Kudos
you_w_
New Contributor III
776 Views

Hi Ben:

As Rodolfo S said, you have a misunderstanding of the EPID group ID and the extended EPID group ID. In the Remote Attestation process, when you call do gen_msg0(), you get the extended EPID group ID and send it to the SP. If this ID is zero, that means the SP uses IAS to verify the quote. In the function gen_msg1(), you call sgx_ra_get_msg1(); this function gets the EPID group ID (GID), which is the value you should send to IAS.

In simulation mode you can't use IAS to verify the quote, because the quote is not signed with a valid EPID private key. The EPID is obtained by PSW's PvE.

Regards

you

0 Kudos
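The distinction drawn in the replies above, as an added example that is not code from any participant in this thread: a service provider builds the SigRL URL from the GID carried in MSG1, not from the extended EPID group ID. It assumes the SDK's sgx_ra_msg1_t layout (64-byte g_a followed by a 4-byte little-endian gid) and that IAS expects the GID as big-endian hex; the function names and sample bytes are constructed for illustration.

```python
import struct

# Base URL of the IAS development environment, as quoted in the thread.
IAS_BASE = "https://test-as.sgx.trustedservices.intel.com:443"

# Assumed sgx_ra_msg1_t layout: g_a (32-byte x + 32-byte y), then 4-byte gid.
MSG1_LEN = 68
GID_OFFSET = 64


class Msg1Error(ValueError):
    """Raised when MSG1 cannot yield a GID worth sending to IAS."""


def gid_from_msg1(msg1: bytes) -> str:
    """Return the EPID GID from a raw MSG1 as an 8-digit hex string."""
    if len(msg1) != MSG1_LEN:
        raise Msg1Error(f"MSG1 must be {MSG1_LEN} bytes, got {len(msg1)}")
    # The gid field is little-endian in MSG1; formatting the integer as hex
    # yields the big-endian text form used in the URL path.
    (gid,) = struct.unpack_from("<I", msg1, GID_OFFSET)
    if gid == 0:
        # 00000000 is the value that returned 404 in this thread. It points
        # to the extended group ID being used, or to a non-HW-mode enclave.
        raise Msg1Error("GID is all zero; not a GID from a HW-mode MSG1")
    return f"{gid:08x}"


def sigrl_url(msg1: bytes, api_version: int = 2) -> str:
    """Build the SigRL request URL for the GID found in MSG1."""
    gid_hex = gid_from_msg1(msg1)
    return f"{IAS_BASE}/attestation/sgx/v{api_version}/sigrl/{gid_hex}"


# Constructed samples: zeroed g_a, then a made-up gid of f6 0a 00 00 on the
# wire, and a second MSG1 whose gid is all zero.
SAMPLE_MSG1 = bytes(64) + bytes.fromhex("f60a0000")
ZERO_GID_MSG1 = bytes(68)

if __name__ == "__main__":
    print(sigrl_url(SAMPLE_MSG1))
    try:
        sigrl_url(ZERO_GID_MSG1)
    except Msg1Error as exc:
        print("refused:", exc)
```

The resulting URL can be passed to requests.get together with the client certificate pair, as in the original post.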
Hoang_N_Intel
Employee
776 Views

This question has also been addressed before: Intel Remote Attestation Service (IAS) does not support SGX simulation mode. It requires SGX-enabled hardware. Please refer to this discussion thread for more information.

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/635287

0 Kudos