I'm trying to set up this service:
https://github.com/signalapp/ContactDiscoveryService-Icelake
It uses SGX + OpenEnclave.
I'm renting Azure Confidential Compute, Ubuntu 20.04.
The service starts and performs the initial self-attestation successfully without errors.
But when it receives a request from the iOS mobile client, which initiates another attestation, I get the following error: "SGX operation failed: attestation data invalid: Evidence does not fit expected format".
After debugging I found out that the mobile client performs enclave attestation and receives some "ereport" object with an empty "evidence" field, and the mobile client aborts the connection with the enclave with the error above. There are no errors on the backend side; as I understand it, the enclave just returns some bad response and it fails validation on the client side.
VM Installed libs:
libsgx-ae-id-enclave/unknown,now 1.22.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-pce/unknown,now 2.25.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-qe3/unknown,now 1.22.100.3-focal1 amd64 [installed,automatic]
libsgx-ae-qve/unknown,now 1.22.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-ecdsa-plugin/unknown,now 2.25.100.3-focal1 amd64 [installed]
libsgx-aesm-pce-plugin/unknown,now 2.25.100.3-focal1 amd64 [installed,automatic]
libsgx-aesm-quote-ex-plugin/unknown,now 2.25.100.3-focal1 amd64 [installed]
libsgx-dcap-default-qpl-dev/unknown,now 1.22.100.3-focal1 amd64 [installed]
libsgx-dcap-default-qpl/unknown,now 1.22.100.3-focal1 amd64 [installed]
libsgx-dcap-ql-dev/unknown,now 1.22.100.3-focal1 amd64 [installed]
libsgx-dcap-ql/unknown,now 1.22.100.3-focal1 amd64 [installed]
libsgx-dcap-quote-verify/unknown,now 1.22.100.3-focal1 amd64 [installed,automatic]
libsgx-enclave-common/unknown,now 2.25.100.3-focal1 amd64 [installed,automatic]
libsgx-headers/unknown,now 2.25.100.3-focal1 amd64 [installed,automatic]
libsgx-pce-logic/unknown,now 1.22.100.3-focal1 amd64 [installed,automatic]
libsgx-qe3-logic/unknown,now 1.22.100.3-focal1 amd64 [installed,automatic]
libsgx-quote-ex/unknown,now 2.25.100.3-focal1 amd64 [installed]
libsgx-urts/unknown,now 2.25.100.3-focal1 amd64 [installed,automatic]
linux-base-sgx/focal-updates,now 4.5ubuntu3.7 all [installed]
sgx-aesm-service/unknown,now 2.25.100.3-focal1 amd64 [installed]
I didn't install az-dcap-client instead of libsgx-dcap-default-qpl, since with it the application fails on startup during the initial self-attestation with some error about a bad ASN field format...
Also, as I understand it, this lib will be discontinued in the future, and instead it's enough to use libsgx-dcap-default-qpl with a correct sgx_default_qcnl.conf; here is mine:
{
  "pccs_url": "https://global.acccache.azure.net/sgx/certification/v4/",
  "use_secure_cert": false,
  "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
  "pccs_api_version": "3.1",
  "retry_times": 6,
  "retry_delay": 5,
  "local_pck_url": "http://169.254.169.254/metadata/THIM/sgx/certification/v4/",
  "pck_cache_expire_hours": 48,
  "verify_collateral_cache_expire_hours": 48,
  "custom_request_options": {
    "get_cert": {
      "headers": {
        "metadata": "true"
      },
      "params": {
        "api-version": "2021-07-22-preview"
      }
    }
  }
}
With this config the remote attestation samples from OE and Intel are working.
Here is also my aesmd log, which also seems to be ok:
And here is my certificate from this log, which also looks good:
So, please help: is my setup correct, or what's the problem with it?
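As an added example (not part of the post, the CDSI project or Intel's tooling), here is a small lint for the sgx_default_qcnl.conf shown above: it parses the file the way the QCNL does (full-line // comments dropped), flags settings that weaken collateral fetching, in particular `use_secure_cert: false`, which turns off TLS certificate verification towards the PCCS, and produces a hardened copy. The sample config is a constructed copy of the posted one; the check thresholds are this example's own choices.

```python
import json
import re

# Constructed sample: a copy of the sgx_default_qcnl.conf from the post, plus a
# full-line // comment of the kind Intel's shipped template contains.
POSTED_CONF = """
// constructed copy of the posted config
{
  "pccs_url": "https://global.acccache.azure.net/sgx/certification/v4/",
  "use_secure_cert": false,
  "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
  "pccs_api_version": "3.1",
  "retry_times": 6,
  "retry_delay": 5,
  "local_pck_url": "http://169.254.169.254/metadata/THIM/sgx/certification/v4/",
  "pck_cache_expire_hours": 48,
  "verify_collateral_cache_expire_hours": 48
}
"""

def load_qcnl_conf(text):
    """Parse a QCNL config, dropping the full-line // comments Intel's template uses."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(stripped)

def lint_qcnl_conf(text):
    """Return [(severity, message)] for settings that weaken or break collateral fetching."""
    conf = load_qcnl_conf(text)
    findings = []
    for key in ("pccs_url", "collateral_service"):
        url = conf.get(key)
        if not url:
            findings.append(("error", f"{key} missing: no source for PCK certs/collateral"))
        elif not url.startswith("https://"):
            findings.append(("error", f"{key} is not https: collateral could be altered in transit"))
        elif not url.endswith("/"):
            findings.append(("warn", f"{key} should end with '/'"))
    if conf.get("use_secure_cert") is False:
        findings.append(("warn", "use_secure_cert=false: the PCCS TLS certificate is not verified; "
                                 "set true unless the PCCS really uses a self-signed certificate"))
    # local_pck_url is the Azure THIM link-local endpoint: plain http is expected there,
    # but it must stay on the metadata address rather than point at an external host.
    local = conf.get("local_pck_url", "")
    if local and not local.startswith("http://169.254.169.254/"):
        findings.append(("warn", "local_pck_url does not point at the 169.254.169.254 metadata service"))
    return findings

def harden_qcnl_conf(text):
    """Return the config with use_secure_cert forced on; everything else unchanged."""
    conf = load_qcnl_conf(text)
    conf["use_secure_cert"] = True
    return json.dumps(conf, indent=2)

if __name__ == "__main__":
    for sev, msg in lint_qcnl_conf(POSTED_CONF):
        print(f"[{sev}] {msg}")
    print(harden_qcnl_conf(POSTED_CONF))
```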