Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Attestation error SGX_ERROR_MAC_MISMATCH

mperillo
Beginner
4,865 Views

Hi,

I am developing an enclave providing attestation feature. My code is based on the sample code of the RemoteAttestation project provided by Intel inside the SGX SDK.

 

The service provider side is a python script I am using just to test the attestation feature.

After receiving msg1 from SGX, the python script is generating msg2 (again, I am trying to replicate the service_provider of the RemoteAttestation in the python script). When msg2 is received by the SGX and given to the sgx_ra_proc_msg2 function, it returns SGX_ERROR_MAC_MISMATCH.

 

Given the python function AES_CMAC(secret,data)->Mac, I am computing the Mac inside msg2 in the following way:

tmp = AES_CMAC(0,dh_key), where dh_key is the Diffie Hellman key produced using part of msg1 from Enclave;

smk_key = AES_CMAC(tmp,'SMK');

Mac = AES_CMAC(smk_key, data), where data is the concatenation of: g_b (the public key of service provider for DHKE), SPID, quote_type (1), kdf_id (1), sig (the signature of the concatenation of keys g_b and g_b done under service provider secret key, the enclave has the public key hard-coded).

Note: all data are represented in little endian, as I understand that is what the enclave wants.

 

Two questions:

1. How can I solve this? Am I doing anything wrong?

2. Is there a way to debug inside sgx_ra_proc_msg2? I am compiling in debug hw mode, and tried to step inside the function with the sgx-gdb debugger but it didn't work.

 

General info: I am working with an SGX enabled cpu on Ubuntu 20.04.2 LTS, SGX SDK v2.13.

 

I attach the python script, I guess the error may be there.

0 Kudos
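
Added example (not the poster's script and not Intel's code): the msg2 MAC computation as laid out in Intel's remote attestation end-to-end description, written with the Python `cryptography` package. The function names are hypothetical and every sample value is constructed; real values come from the ECDH exchange, the SPID registration and the service provider's ECDSA signature over g_b || g_a.

```python
import hmac
import struct
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import algorithms


def aes_cmac(key: bytes, data: bytes) -> bytes:
    c = cmac.CMAC(algorithms.AES(key))
    c.update(data)
    return c.finalize()


def derive_smk(gab_x_be: bytes, label: bytes = b"\x01SMK\x00\x80\x00") -> bytes:
    # KDK = CMAC(16 zero bytes, Gab.x in little-endian)
    # SMK = CMAC(KDK, 0x01 || "SMK" || 0x00 || 0x80 0x00)
    kdk = aes_cmac(b"\x00" * 16, gab_x_be[::-1])
    return aes_cmac(kdk, label)


def msg2_mac_input(gb_x, gb_y, spid, quote_type, kdf_id, sig_r, sig_s) -> bytes:
    # Coordinates and signature halves are assumed to arrive big-endian (as most
    # crypto libraries emit them) and are reversed; the SPID is an opaque
    # 16-byte string and is not reversed. Total: 64 + 16 + 2 + 2 + 64 = 148 bytes.
    return (gb_x[::-1] + gb_y[::-1] + spid
            + struct.pack("<HH", quote_type, kdf_id)
            + sig_r[::-1] + sig_s[::-1])


def check_msg2_mac(gab_x_be: bytes, mac_input: bytes, mac: bytes) -> bool:
    # Recompute the MAC the way the receiver does and compare in constant time.
    return hmac.compare_digest(aes_cmac(derive_smk(gab_x_be), mac_input), mac)


# Constructed sample values (not a real shared secret, key, SPID or signature).
GAB_X = bytes(range(1, 33))
GB_X, GB_Y = bytes(range(32, 64)), bytes(range(64, 96))
SPID = bytes.fromhex("00112233445566778899aabbccddeeff")
SIG_R, SIG_S = bytes(range(96, 128)), bytes(range(128, 160))

MAC_INPUT = msg2_mac_input(GB_X, GB_Y, SPID, 1, 1, SIG_R, SIG_S)
GOOD_MAC = aes_cmac(derive_smk(GAB_X), MAC_INPUT)
# Same data, but SMK derived with the bare label "SMK": the MAC does not verify.
BARE_LABEL_MAC = aes_cmac(derive_smk(GAB_X, b"SMK"), MAC_INPUT)

if __name__ == "__main__":
    print(len(MAC_INPUT),
          check_msg2_mac(GAB_X, MAC_INPUT, GOOD_MAC),
          check_msg2_mac(GAB_X, MAC_INPUT, BARE_LABEL_MAC))
```

Comparing each intermediate value (KDK, SMK, the 148-byte MAC input) against what the SDK's sample service provider computes for the same inputs narrows a mismatch to one step without needing to step through the enclave.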
1 Solution
JesusG_Intel
Moderator
4,466 Views

Hello Massimo,

 

sgx-ra-sample is a great example to use to develop your remote attestation application. However, it does not support DCAP.

 

I was finally able to step into sgx_ra_proc_msg2_trusted in linux-sgx/sdk/tkey_exchange/tkey_exchange.cpp. Two issues tripped me up.

 

  1. Ensure that your Makefiles for your untrusted app and for your enclave both point to the debug SGX SDK.
  2. Most of the directories in linux-sgx/linux/installer/deb have files named package-name-dbgsym_${version}-${revision}_amd64.ddeb. Install the .ddeb files using

$ sudo dpkg -i *.ddeb

 

Follow these steps to debug and step into sgx_ra_proc_msg2_trusted:

1. Start debugging using sgx-gdb.

2. Set breakpoint in ukey_exchange.cpp within the function sgx_ra_proc_msg2 at the call to p_proc_msg2

(gdb) b ukey_exchange.cpp:151

3. Step into p_proc_msg2

(gdb) s

4. You are now in the proxy function for sgx_ra_proc_msg2_trusted in enclave_u.c.

5. Set breakpoint in tkey_exchange.cpp line 167, which is the actual sgx_ra_proc_msg2_trusted

(gdb) b tkey_exchange.cpp:167

6. Continue in enclave_u.c and it will break in tkey_exchange.cpp line 167, which is the first line in sgx_ra_proc_msg2_trusted

(gdb) c

7. And you're in!

 

See the attached screenshot where you will see I am stepped into sgx_ra_proc_msg2_trusted.

 

Sincerely,

Jesus G.

Intel Customer Support

 


0 Kudos
23 Replies
JesusG_Intel
Moderator
4,160 Views

Hello Mperillo,


Did you follow the instructions for computing MSG2 from Code Sample: Intel® Software Guard Extensions Remote Attestation End-to-End Example?


You can debug the sgx_ra_proc_msg2 if you build the PSW from source with debug information: https://github.com/intel/linux-sgx#build-the-intelr-sgx-psw-and-intelr-sgx-psw-installer


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
mperillo
Beginner
4,139 Views

Hi Jesus G.,

 

thank you for your reply. I am already computing MSG2 following the link you sent me, my only error was on the way I was deriving SMK but I fixed it now. It still gives me the same error anyway.

 

I already have the debug symbols and development packages installed but I am not able to step inside sgx_ra_proc_msg2 with sgx-dbg (when I press 's' to step in, it works like a 'next' and goes to the next line in my code). What am I doing wrong?

 

Regards,

Massimo

0 Kudos
JesusG_Intel
Moderator
4,117 Views

Hi Massimo,


Did you build the PSW from scratch locally? Installing the debug and symbol packages from the repo is not enough to be able to step into that function.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
mperillo
Beginner
4,109 Views

Hi Jesus,

 

I now did build the PSW from scratch locally and am able to see debug logging and debug inside sgx api functions. The problem is that with this version of PSW installed I am now getting a SGX_ERROR_UNEXPECTED when I call sgx_ra_get_msg1, while that used to work before (with the prebuilt package installed). Debugging the function I see that the error comes from the following call stack sgx_ra_get_msg1->sgx_init_quote->oal_init_quote; this last call returns UAE_OAL_SUCCESS but sets result as AESM_UNEXPECTED_ERROR, leading to the error I got.

 

Why is this happening? Note that also the RemoteAttestation program in SampleCode folder of the sgxsdk is giving me the same problem, while it used to work with the PSW I used to have.

 

Note: I both tried to build the PSW from master branch and sgx_2.13_reproducible branch, getting the same problem.

 

Thanks,

Massimo

0 Kudos
JesusG_Intel
Moderator
4,094 Views

Hello Mperillo,


Ensure you have installed all of the components:


  • linux/installer/rpm/libsgx-urts
  • linux/installer/rpm/libsgx-enclave-common
  • linux/installer/rpm/libsgx-uae-service
  • linux/installer/rpm/libsgx-epid
  • linux/installer/rpm/libsgx-launch
  • linux/installer/rpm/libsgx-quote-ex
  • linux/installer/rpm/sgx-aesm-service


Then start the aesmd service:


$ sudo service aesmd start


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
mperillo
Beginner
4,073 Views

Hi Jesus G.,

 

Everything is installed and I started the aesmd service but the output doesn't change.

This is what the RemoteAttestation sample app prints for both ECDSA and EPID algorithms:

 

Call sgx_create_enclave success.
Call enclave_init_ra success.
Error, call sgx_ra_get_msg1_ex fail [main].
Call enclave_ra_close success.

 

There's something wrong with the locally compiled PSW, as this was working with the prebuilt version.

 

Regards,

Massimo

0 Kudos
JesusG_Intel
Moderator
4,054 Views

Hello Mperillo,


Try this so we can see what's going on with your aesm:


  1. Build and install debug version aesm_service to capture a debug log.
  2. make clean;make deb_psw_pkg DEBUG=1 to build debug packages.
  3. Remove release aesm_service packages and install debug aesm_service packages.
  4. Then the debug log can be seen at /var/opt/aesmd/data/internal_log.txt using root.

0 Kudos
mperillo
Beginner
4,029 Views

Hello,

 

I attach you the internal_log file with the result of one execution of RemoteAttestation example. Before doing it I made a full reinstall of everything, now only ECDSA attestation is failing, while the EPID one is completing with success.

 

Do you see anything useful from the log file?

 

Thank you,

Massimo

0 Kudos
JesusG_Intel
Moderator
4,019 Views

Hello Mperillo,


In order to perform ECDSA attestation, your platform must support Flexible Launch Control and you must install the Intel SGX Driver for DCAP, instead of the regular SGX OOT driver.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
mperillo
Beginner
4,003 Views

Hi Jesus G.,

 

The platform supports Flexible Launch Control and the SGX Driver for DCAP is installed. I also tried to reinstall it building from scratch but nothing changes.

This is also confirmed by the fact that with the prebuilt installation of SGX driver, PSW and SDK the RemoteAttestation was working also with the ECDSA attestation. Further, the attestation code I was writing for my project does not have problems with msg1, but still fails on msg2. And I still can't debug inside sgx_ra_proc_msg2.

 

Regards,

Massimo

0 Kudos
JesusG_Intel
Moderator
3,993 Views

Hello Massimo,


Since we are now debugging ECDSA/DCAP, that log is not helpful. Please provide the error codes from the DCAP QuoteGeneration/QuoteVerification samples to start to figure that out.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
JesusG_Intel
Moderator
3,992 Views

Hello Massimo,


ECDSA attestation does not work with the RemoteAttestation sample because the sample uses IAS for attestation, and IAS can verify only EPID quotes. To verify ECDSA quotes, you have to use the PCS/PCCS/DCAP stack. Here are some resources to help you:


Intel® Trusted Services API Management Developer Portal

https://github.com/intel/SGXDataCenterAttestationPrimitives

Intel SGX DCAP 1.11 Release | 01.org


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
JesusG_Intel
Moderator
3,971 Views

Hello Massimo,


Do you still need help with this issue?


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
mperillo
Beginner
3,959 Views

Hello Jesus G.,

 

I still did not fix anything and still cannot debug. Let's focus on debugging, why am I not able to debug sgx_ra_proc_msg2 by stepping into it? I installed everything as you said but it doesn't work. If there is some special thing to do give me a step by step guide, please.

 

Further question, will SGX be supported in the future? I've seen that it's not supported by 11th gen CPUs.

 

Thank you,

Massimo

0 Kudos
JesusG_Intel
Moderator
3,949 Views

Hello Massimo,

 

Below are instructions for building and installing the debug versions of the SGX SDK and PSW.

 

Install Prerequisites then download the Intel SGX for Linux source code:

$ git clone https://github.com/intel/linux-sgx.git

$ cd linux-sgx && make preparation

 

Build the debug versions of the SDK, SDK installer:

$ make sdk DEBUG=1

$ make sdk_install_pkg DEBUG=1

 

Install the SGX SDK

$ cd linux/installer/bin

$ ./sgx_linux_x64_sdk_${version}.bin

$ source ${sgx-sdk-install-path}/environment

 

Build the debug versions of the PSW and PSW installers:

$ make psw DEBUG=1

$ make deb_psw_pkg DEBUG=1

 

Install the PSW components:

The generated Intel(R) SGX PSW installers are located under

  • linux/installer/rpm/libsgx-urts
  • linux/installer/rpm/libsgx-enclave-common
  • linux/installer/rpm/libsgx-uae-service
  • linux/installer/rpm/libsgx-epid
  • linux/installer/rpm/libsgx-launch
  • linux/installer/rpm/libsgx-quote-ex
  • linux/installer/rpm/sgx-aesm-service

 

Go into each PSW installer directory and run

 

$ sudo apt install ./*.deb

 

Now you should be able to step into sgx_ra_proc_msg2, which is implemented in the SGX SDK in ukey_exchange.cpp.

 

Sincerely,

Jesus G.

Intel Customer Support

 

0 Kudos
mperillo
Beginner
3,920 Views

Hi Jesus G.,

 

Thank you, I can finally debug inside sgx_ra_proc_msg2 and try to understand where's the error. The error message is generated in an enclave call, precisely line 422 of function sgx_ra_proc_msg2_trusted. There is an sgx_ecall there that I cannot step into.

How can I debug inside the enclave?

 

Thank you,

Massimo

0 Kudos
JesusG_Intel
Moderator
3,898 Views

Hello Massimo,

 

Line 422 of tkey_exchange.cpp does not correspond to sgx_ra_proc_msg2_trusted. Line 422 is in sgx_ra_get_msg3_trusted. Which ecall are you trying to step into?

 

Either way, all of the functions in tkey_exchange.cpp are ecalls themselves so they are meant to be included in enclaves (they are trusted functions). If you look at the isv_enclave.edl in the RemoteAttestation sample, you will find from "sgx_tkey_exchange.edl" import *;

 

You can see the three ecalls declared in sgx_tkey_exchange.edl:

 

public sgx_status_t sgx_ra_get_ga

public sgx_status_t sgx_ra_proc_msg2_trusted

public sgx_status_t sgx_ra_get_msg3_trusted

 

If you compile the SDK with debug symbols and compiled the RemoteAttestation sample in debug mode, then you should be able to step into these functions.

 

In directory SampleCode/RemoteAttestation, run

$ readelf -Ws isv_enclave.so | grep sgx_ra

 

You will see the symbols for functions sgx_ra_proc_msg2_trusted and sgx_ra_get_msg3_trusted.

 

BTW, enclaves cannot call ecalls in other enclaves. Only untrusted applications can call ecalls.

 

Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
mperillo
Beginner
3,881 Views

Hello Jesus G.,

 

I am not yet inside the sgx_ra_proc_msg2_trusted functions, I am trying to step into it but am not able.

The program I am debugging is my code, and it is compiled in debug mode as the entire SDK following your instructions.

 

I can break outside sgx_ra_proc_msg2 function (the untrusted one from ukey_exchange.cpp), and step into it. This leads me to the ecall that I cannot step into (from what I see that ecall should be sgx_ra_proc_msg2_trusted). Please find attached a screen of my debugger output. The last call (sgx_ecall) is the one I cannot step into. I also tried to setup a breakpoint inside the tkey_exchange.cpp file but sgx-gdb gives me the error 'No source file named tkey_exchange.cpp' and I am not able to break into that.

 

Thank you,

Massimo

 

Screenshot 2021-07-30 at 09.43.10.png

0 Kudos
JesusG_Intel
Moderator
3,867 Views

Hello Massimo,

 

I was able to break at the sgx_ecall within the proxy file enclave_u.c, and step into it as shown in the attached screenshot. I am using sgx-ra-sample. Before running your code, did you source the correct environment file for the debug version of the SDK?

 

It all works for me.

 

Sincerely,

Jesus G.

Intel Customer Support

 

0 Kudos
mperillo
Beginner
3,832 Views

Hello Jesus G.,

 

is that sgx-ra-sample code good? It looks like it is using a certificate that was once provided by Intel for the IAS, but now is deprecated as indicated here https://community.intel.com/t5/Intel-Software-Guard-Extensions/Problem-in-getting-IAS-certification/td-p/1131499. I don't have that certificate so I cannot use it. By the way, this is not that relevant.

 

Going to your debugging screenshot, you can see that you cannot debug the entire sgx_ra_proc_msg2_trusted function (I am able to debug as you did). You step directly to the last lines of it, where ms.ms_retval has already been set. In my case that return value is set to SGX_ERROR_MAC_MISMATCH, but if I cannot step before that value is set I don't know what is the error with the Mac of msg2.

 

Thank you,

Massimo

0 Kudos