1. Generated pckid.csv file by using
echo "Please enter Intel's PCS Service API key" && read -r API_KEY && PCKIDRetrievalTool -f /tmp/pckid.csv && pckid=$(cat /tmp/pckid.csv) && ppid=$(echo "$pckid" | awk -F "," '{print $1}') && cpusvn=$(echo "$pckid" | awk -F "," '{print $3}') && pcesvn=$(echo "$pckid" | awk -F "," '{print $4}') && pceid=$(echo "$pckid" | awk -F "," '{print $2}') && curl -v "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid=${ppid}&cpusvn=${cpusvn}&pcesvn=${pcesvn}&pceid=${pceid}" -H "Ocp-Apim-Subscription-Key:${API_KEY}" 2>&1 | grep -i "SGX-FMSPC"
2. To get the FMSPC number:
curl -v "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key:{YOUR_API_KEY}"
I got:
* Trying 4.255.75.174:443...
* TCP_NODELAY set
* Connected to api.trustedservices.intel.com (4.255.75.174) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; O=Intel Corporation; CN=api.trustedservices.intel.com
* start date: Apr 4 00:00:00 2025 GMT
* expire date: Jul 3 23:59:59 2025 GMT
* subjectAltName: host "api.trustedservices.intel.com" matched cert's "api.trustedservices.intel.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
* SSL certificate verify ok.
> GET /sgx/certification/v4/pckcert?encrypted_ppid=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&cpusvn=10101110ffff01000000000000000000&pcesvn=1000&pceid=0000 HTTP/1.1
> Host: api.trustedservices.intel.com
> User-Agent: curl/7.68.0
> Accept: */*
> Ocp-Apim-Subscription-Key:xxxxxxxx
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Request-ID: acf883f01fcd4087a364e89197c37bf9
< Date: Tue, 29 Apr 2025 03:29:28 GMT
<
* Connection #0 to host api.trustedservices.intel.com left intact
I am getting a 404 Not Found error.
Can you please help me?
Hello.
From your instructions, it looks like you're trying to retrieve a PCK Cert (not an FMSPC). There are a number of reasons you may get a 404 for this, but the most common is that you have not yet registered the platform with the Intel Registration Service. Please see this section of our TDX Enabling Guide that talks about this: Infrastructure Setup - Intel® TDX Enabling Guide
Regards.
Hi Scott,
Thank you for your reply.
Infrastructure Setup is for Ubuntu 24.04, but my Azure Confidential Computing VM is Ubuntu 22.
I am trying to install the Raiko project from the Taiko team:
https://github.com/taikoxyz/raiko/blob/main/docs/README_Docker_and_RA.md
They give us guidelines to set up Raiko on an SGX-capable machine:
"
- Retrieve your machine's FMSPC by running the following command:
echo "Please enter Intel's PCS Service API key" && read -r API_KEY && PCKIDRetrievalTool -f /tmp/pckid.csv && pckid=$(cat /tmp/pckid.csv) && ppid=$(echo "$pckid" | awk -F "," '{print $1}') && cpusvn=$(echo "$pckid" | awk -F "," '{print $3}') && pcesvn=$(echo "$pckid" | awk -F "," '{print $4}') && pceid=$(echo "$pckid" | awk -F "," '{print $2}') && curl -v "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid=${ppid}&cpusvn=${cpusvn}&pcesvn=${pcesvn}&pceid=${pceid}" -H "Ocp-Apim-Subscription-Key:${API_KEY}" 2>&1 | grep -i "SGX-FMSPC"
"
I am supposed to get these variables:
MR_ENCLAVE
MR_SIGNER
V3_QUOTE_BYTES
Thanks,
Hello again.
Thanks, I understand the issue now. Since you're running in ACC, you will not be able to download platform PCK Certs directly from Intel PCS due to the fact that ACC uses indirect platform registration. To download the PCK Cert for your ACC VM, you would need to use Microsoft's THIM service.
But, I tested your command with THIM and it doesn't appear to work the same as Intel PCS... The "SGX-FMSPC" parameter doesn't seem to be returned from THIM as it is from Intel PCS. So, that command line doesn't work in ACC, unfortunately. For your reference to see the output using THIM (no API key required, BTW):
PCKIDRetrievalTool -f /tmp/pckid.csv && pckid=$(cat /tmp/pckid.csv) && ppid=$(echo "$pckid" | awk -F "," '{print $1}') && cpusvn=$(echo "$pckid" | awk -F "," '{print $3}') && pcesvn=$(echo "$pckid" | awk -F "," '{print $4}') && pceid=$(echo "$pckid" | awk -F "," '{print $2}') && qeid=$(echo "$pckid" | awk -F "," '{print $5}') && curl -v "https://global.acccache.azure.net/sgx/certification/v4/pckcert?encrypted_ppid=${ppid}&cpusvn=${cpusvn}&pcesvn=${pcesvn}&pceid=${pceid}&qeid=${qeid}"
To get the FMSPC in ACC, you would need to download the PCK Cert from THIM then parse it (it's an x509 cert), including the SGX extensions. Included in those SGX extensions is the following: "<FMSPC OID>: <FMSPC value>"
You can read more about the PCK Cert format in this doc: https://api.trustedservices.intel.com/documents/Intel_SGX_PCK_Certificate_CRL_Spec-1.5.pdf
Regards.
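
The parsing step described in the reply above, as an added example that is not part of the original thread or of Intel's or Microsoft's tooling: a minimal DER walker that finds the FMSPC entry inside a PCK certificate's SGX extension. The OID 1.2.840.113741.1.13.1.4 comes from Intel's PCK certificate spec; the function names are illustrative and the sample bytes are constructed, not taken from a real certificate.

```python
import base64

# DER-encoded OID bodies under Intel's SGX extension arc 1.2.840.113741.1.13.1
SGX_EXT_OID = bytes.fromhex("2a864886f84d010d01")    # the SGX extension itself
PPID_OID = SGX_EXT_OID + b"\x01"                      # ...13.1.1 PPID
FMSPC_OID = SGX_EXT_OID + b"\x04"                     # ...13.1.4 FMSPC

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def find_fmspc(buf, start=0, end=None):
    """Depth-first search for OID fmspc followed by a 6-byte OCTET STRING."""
    end = len(buf) if end is None else end
    pos, last_oid = start, None
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if ve > end:
            raise ValueError("element overruns its parent")
        if tag == 0x06:
            last_oid = buf[vs:ve]
        elif tag == 0x04 and last_oid == FMSPC_OID and ve - vs == 6:
            return buf[vs:ve].hex()
        elif tag & 0x20 or tag == 0x04:
            # Descend into constructed types and into OCTET STRINGs, because
            # X.509 wraps every extension value (SGX data included) in one.
            try:
                found = find_fmspc(buf, vs, ve)
            except (ValueError, IndexError):
                found = None                          # opaque bytes, not nested DER
            if found:
                return found
        pos = ve
    return None

def fmspc_from_cert(data):
    """Accept a PEM or DER certificate as bytes and return the FMSPC as hex."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        data = base64.b64decode(b"".join(body.split()))
    return find_fmspc(data)

def der(tag, *parts):                                 # tiny encoder for the sample only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample: an SGX extension holding a zeroed PPID and a made-up FMSPC.
SAMPLE_EXTENSION = der(0x30, der(0x06, SGX_EXT_OID), der(0x04, der(0x30,
    der(0x30, der(0x06, PPID_OID), der(0x04, bytes(16))),
    der(0x30, der(0x06, FMSPC_OID), der(0x04, bytes.fromhex("0123456789ab"))))))
```

Pass the bytes of the downloaded PCK certificate to `fmspc_from_cert`; it returns `None` when the certificate carries no FMSPC entry.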
