When I run an SGX remote attestation example (EPID attestation mode),
it fails:
error: aesm_service returned error: 12
error: load_enclave() failed with error -1
So I checked the aesm service with the `service aesm service status` command,
and it said:
[load_qe ../qe_logic.cpp:641] Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004.
Failed to load QE3: 0x4004
and
[ADMIN]EPID Provisioning failed due to network error.
I tried reinstalling the SGX driver, SGX PSW, and SGX SDK, but it had no effect.
How can I fix this problem? Thanks a lot!
Hello sz,
Your logs were very helpful.
There appears to be a problem with the authenticated code modules (ACMs) being loaded on your platform. Contact your OEM for an updated or fixed BIOS.
I apologize we cannot give more details than this. Your OEM should provide you a fixed BIOS.
Sincerely,
Jesus G.
Intel Customer Support
Hello sz,
You may need to configure your proxy for the aesmd service.
https://github.com/intel/linux-sgx#configure-the-proxy-for-aesmd-service
Sincerely,
Jesus G.
Intel Customer Support
Hello sz,
The instructions from https://github.com/intel/linux-sgx#configure-the-proxy-for-aesmd-service are:
The aesmd service uses the HTTP protocol to initialize some services.
If a proxy is required for the HTTP protocol, you may need to manually set up the proxy for the aesmd service.
You should manually edit the file /etc/aesmd.conf (refer to the comments in the file) to set the proxy for the aesmd service.
After you configure the proxy, you need to restart the service to enable the proxy.
As an example, my /etc/aesmd.conf file is:
#Line with comments only
#empty line with comment
#proxy type = direct #direct type means no proxy used
#proxy type = default #system default proxy
proxy type = manual #aesm proxy should be specified for manual proxy type
aesm proxy = http://proxy.url.com:123
#whitelist url = http://sample_whitelist_url
#default quoting type = ecdsa_256
#default quoting type = epid_linkable
#default quoting type = epid_unlinkable
Sincerely,
Jesus G.
Intel Customer Support
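A consistency check for the aesmd.conf layout shown in the reply above, as an added example (not Intel's code and not part of the original post). It assumes `#` starts a comment anywhere on a line, as in the sample file; the function names and the broken sample are constructed for illustration.

```python
from urllib.parse import urlsplit

# Values taken from the comments in the aesmd.conf quoted in the thread.
PROXY_TYPES = {"direct", "default", "manual"}
QUOTING_TYPES = {"ecdsa_256", "epid_linkable", "epid_unlinkable"}

# The file from the reply above (abridged to the proxy lines).
SAMPLE_FROM_THREAD = """\
#proxy type = direct #direct type means no proxy used
#proxy type = default #system default proxy
proxy type = manual #aesm proxy should be specified for manual proxy type
aesm proxy = http://proxy.url.com:123
#default quoting type = ecdsa_256
"""

# Constructed failure case: manual proxy type, proxy URL left commented out.
SAMPLE_BROKEN = "proxy type = manual\n#aesm proxy = http://proxy.url.com:123\n"


def parse_aesmd_conf(text):
    """Return {key: value} for the active (uncommented) 'key = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        key, sep, value = line.partition("=")
        if sep:
            settings[" ".join(key.split()).lower()] = value.strip()
    return settings


def check_aesmd_conf(text):
    """Return a list of problems; an empty list means the settings agree."""
    conf = parse_aesmd_conf(text)
    problems = []
    ptype, proxy = conf.get("proxy type"), conf.get("aesm proxy")
    if ptype is not None and ptype not in PROXY_TYPES:
        problems.append(f"unknown proxy type {ptype!r}")
    if ptype == "manual":
        url = urlsplit(proxy or "")
        if not url.scheme or not url.hostname:
            problems.append("proxy type is manual but aesm proxy is not a URL")
    elif proxy:
        problems.append("aesm proxy is set but proxy type is not manual")
    qtype = conf.get("default quoting type")
    if qtype is not None and qtype not in QUOTING_TYPES:
        problems.append(f"unknown default quoting type {qtype!r}")
    return problems
```

Run `check_aesmd_conf(open("/etc/aesmd.conf").read())` before restarting the service; the check only covers the keys that appear in the quoted file.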
That's very nice of you! Thanks @JesusG_Intel
But I think the key is `failed to load QE3`.
Is this issue (failed to load QE3) related to the configuration of aesmd.conf?
By the way,
I tried setting aesmd.conf, but it still went wrong.
Maybe I had a wrong config in aesmd.conf.
What should the proxy value be?
I have no idea how to set the right proxy value.
Hello sz,
Make sure you have installed all of these PSW components:
$ sudo apt-get install libsgx-launch libsgx-epid libsgx-quote-ex libsgx-uae-service libsgx-urts
You can check your system's proxy settings in your Network settings on your OS and enter the same proxy settings in the aesmd.conf file. You can also try uncommenting the `proxy type = default` line. This will use the system's proxy instead of the manual entry.
Sincerely,
Jesus G.
Intel Customer Support
Yes, I am sure they are on my system.
And I found that the issue (failed to load QE3) appeared when I restarted the aesmd service (`service aesmd restart`).
I tried your latest advice; it still does not work.
If we ignore (failed to load QE3) and set the proxy to default, the aesmd logs show that:
These logs were created by running a remote attestation example (using Graphene EPID remote attestation).
And Graphene said:
error: aesm_service returned error: 20
error: load_enclave() failed with error -1.
Recently, I tried installing the OOT driver, PSW, and SGX SDK by building from the GitHub source code; that also failed.
Yes, I am sure they are on my system.
And I found that the issue (failed to load QE3) appeared when I restarted the aesmd service (`service aesmd restart`).
I tried your latest advice; it still does not work.
If we ignore (failed to load QE3) and set the proxy to default, the aesmd logs show that:
These logs were created by running a remote attestation example (using Graphene EPID remote attestation).
And Graphene said:
error: aesm_service returned error: 20
error: load_enclave() failed with error -1.
Recently, I tried reinstalling the OOT driver, PSW, and SGX SDK by building from the GitHub source code; that also failed.
Thanks @JesusG_Intel .
Hello sz,
I noticed that your network error went away after you set the proxy in aesmd.conf. Aesmd error 20 corresponds to AESM_UPDATE_AVAILABLE.
Run `sudo apt list --installed | grep sgx` to check which version of the PSW you have installed.
What is the output from `sudo systemctl status aesmd`?
What happens when you run the RemoteAttestation sample in the SGX SDK?
You provided output from Graphene, but what is the current state of sgx-ra-sample?
Sincerely,
Jesus G.
Intel Customer Support
Thank you for your follow-up and many suggestions.
I just reinstalled my computer's operating system because I think it might have something to do with the fact that I upgraded the Linux kernel (5.4 ---> 5.9), or maybe not.
So I decided to start this work over.
Thanks a lot @JesusG_Intel !
Hello sz,
That's a great idea. Please let us know if you continue to have problems after re-installing everything.
Sincerely,
Jesus G.
Intel Customer Support
Hello sz,
Were you successful in running the sgx-ra-sample after reinstalling everything from scratch?
Sincerely,
Jesus G.
Intel Customer Support
Yes, I did have some troubles when I reinstalled the operating system...
When I run a Graphene DCAP remote attestation example (End-To-End Confidential PyTorch Workflow),
I got an error with aesm_service:
error: aesm_service returned error: 1
error: load_enclave() failed with error -1
I describe it in more detail in this issue: https://github.com/intel/linux-sgx/issues/702
Thanks!
Hello sz,
I looked at your issue on Github and noticed that you are trying to use the DCAP driver on a 10th Gen Intel Core processor. Your processor may not support Flexible Launch Control (FLC), which is required to use the DCAP driver. Use this article to find out if your processor supports FLC: https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html
If your processor does not support FLC, which I suspect it does not, you must use the OOT driver available here: https://github.com/intel/linux-sgx-driver or the binary here: sgx_linux_x64_driver_2.11.0_0373e2e.bin (https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu18.04-server/).
Sincerely,
Jesus G.
Intel Customer Support
Hello sz,
The error you received in the screenshot above: "[ADMIN]EPID Provisioning protocol error reported by Backend (9)," translates to PVE_PROV_ATTEST_KEY_TCB_OUT_OF_DATE.
This means your TCB is out of date so you need to update your BIOS to the latest available version so that your platform can be properly provisioned.
The 404 errors you are getting may have to do with the fact that the PCCS cannot find certs for your platform because it has not been provisioned.
Sincerely,
Jesus G.
Intel Customer Support
“The 404 errors you are getting may have to do with the fact that the PCCS cannot find certs for your platform because it has not been provisioned.”
But how?
I followed this guide to install; all steps succeeded except one.
On my system, it said:
root@ltinerary-QiTianM435-N000:/etc/intel/gitSource/graphene/Examples/pytorch-confidential# PCKIDRetrievalTool
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.10.100.4
Warning: platform manifest is not available or current platform is not multi-package platform.
Error: unexpected error happend during sending data to cache server.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!
So I think this causes the 404 error.
But I can't find the reason why the data couldn't be sent to the cache server.
Thanks.
Hello sz,
Have you updated your BIOS to the latest version available from your OEM?
Sincerely,
Jesus G.
Intel Customer Support
root@fan-QiTianM435-N000:/opt/intel/sgx-dcap-pccs# dmidecode -t bios
# dmidecode 3.1
Getting SMBIOS data from sysfs.
SMBIOS 3.2.0 present.
# SMBIOS implementations newer than version 3.1.1 are not
# fully supported by this version of dmidecode.
Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
Vendor: LENOVO
Version: M31KT24A
Release Date: 01/15/2021
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 16 MB
Characteristics:
PCI is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
BIOS ROM is socketed
EDD is supported
5.25"/1.2 MB floppy services are supported (int 13h)
3.5"/720 kB floppy services are supported (int 13h)
3.5"/2.88 MB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 1.36
Handle 0x0067, DMI type 13, 22 bytes
BIOS Language Information
Language Description Format: Long
Installable Languages: 3
en|US|iso8859-1
fr|FR|iso8859-1
zh|CN|unicode
Currently Installed Language: zh|CN|unicode
Here is my BIOS information.
This version is the latest version Lenovo can provide.
And in this information,
I noticed `BIOS is upgradeable`.
Does that mean I can still upgrade the BIOS?
If so, how can I upgrade my BIOS version through other channels?
Thanks @JesusG_Intel
Hello sz,
Based on the release date, your BIOS is probably up-to-date.
Did you follow the suggestions from your Github issue, https://github.com/intel/linux-sgx/issues/702?
- Please clear pccs db (do backup and rm pckcache.db), set the CachingFillMode of pccs to LAZY, and then restart pccs.
- Run DCAP sample programs and provide the results.
- Confirm whether you have already registered your platform to Intel.
- Confirm whether you are using SBX platform.
Sincerely,
Jesus G.
Intel Customer Support
The following information is based on the updated BIOS version.
Yes, I tried.
In step 2, I got an error:
[set_extra_debug_info /etc/intel/gitSource/linux-sgx/psw/urts/enclave.cpp:591] Symbol 'g_peak_rsrv_mem_committed' is not found
[__create_enclave /etc/intel/gitSource/linux-sgx/psw/urts/urts_com.h:332] add tcs 0x7fb78250d000
[ecdsa_init_quote ../qe_logic.cpp:1241] Read ECDSA blob.
[read_persistent_data ../qe_logic.cpp:917] Couldn't find 'sgx_ql_read_persistent_data()' in the platform library. (null)
[ecdsa_init_quote ../qe_logic.cpp:1247] ECDSA Blob doesn't exist is persistent storage. Try to use the cached version.
[ecdsa_init_quote ../qe_logic.cpp:1273] Invalid ECDSA Blob verificaton. 0xd004, generate a new key.
[ecdsa_init_quote ../qe_logic.cpp:1463] Generate and certify a new ECDSA attestation key
[ecdsa_init_quote ../qe_logic.cpp:1480] Get ATT Key.
[get_platform_quote_cert_data ../qe_logic.cpp:342] Found the sgx_ql_get_quote_config and sgx_ql_free_quote_config API.
[get_platform_quote_cert_data ../qe_logic.cpp:343] Request the Quote Config data.
[get_platform_quote_cert_data ../qe_logic.cpp:346] Error returned from the p_sgx_get_quote_config API. 0xe011
Error in sgx_qe_get_target_info. 0xe011
And in step 3, I used this primary key to configure my PCCS server.
But in step 4,
how can I confirm whether I am using the SBX platform or not?
aesm_service returned error: 1 · Issue #702 · intel/linux-sgx (github.com)
Thanks a lot @JesusG_Intel