Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

[IAS] Verify Attestation Evidence - quote encoding

Fredrik_T_
Beginner

I receive an HTTP 400 Bad Request when verifying a simulation enclave quote via the endpoint

https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/report

I suspect the encoding of the quote is the issue. [1] only states that isvEnclaveQuote in the request JSON body should be an "encoded quote". No further details are given. Or perhaps the problem is the simulation mode.

The response format and example 3.2.2.6 suggest that the encoding should be base64 (MIME, UTF-7?). However, my base64-encoded quote results in the 400 error.

Example

  • request id 67f2ec3a6bc24584babad97fcebe4205
  • request body
{"isvEnclaveQuote":"AQAAAAsAAAABAO7u7u7u7lFTVWRSRiByhNQxZhBFdUOmv+WcPUuMgFKq/T6jqBtaSCDzN2rmsvIDTTt6S0ineAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAHAAAAAAAAADgGCOFYFVrCFQJGVDFQ0ERfuKsSGLSiR9LmG3ZFL/CNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGNW2jbyeETOnoFM7d5+hpuMI0IFEq3+Xqp0yMIjPrfQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqAIAAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7o+d8y5/NZ/o1rVIc2gBAADu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u5dXZ3Hhlw9mNFPs0jToyZr"}

 

I base-64 encode the quote using libb64 like so:

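#include <b64/cencode.h>  /* libb64 encoder API */

char *c, *out;
c = out = malloc(quote_size * 2);  /* output buffer for the base64 text */
...
/* libb64 inserts a '\n' after every 72 output characters */
c += base64_encode_block((char*) quote, quote_size, c, &state);
/* writes the final padded group, then a trailing '\n' */
c += base64_encode_blockend(c, &state);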

The result looks similar to the beginning and end of the encoded examples.

 

[1] Intel® Software Guard Extensions: Intel® Attestation Service API

0 Kudos
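An added example, not part of the original post and not Intel's code: a pre-flight check that a string destined for isvEnclaveQuote is single-line, standard-alphabet base64 and decodes to a structurally consistent quote. It assumes the sgx_quote_t layout from the SGX SDK's sgx_quote.h (436-byte header, little-endian signature_len at offset 432) and that the service wants unwrapped base64; check_quote_b64 is a hypothetical name, and the sample input in main is constructed.

```c
/* Added example: sanity-check an isvEnclaveQuote string before sending it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUOTE_HDR  436u  /* sizeof(sgx_quote_t) in the SGX SDK's sgx_quote.h */
#define SIGLEN_OFF 432u  /* offset of the little-endian signature_len field */

static int b64val(char ch) {
    if (ch >= 'A' && ch <= 'Z') return ch - 'A';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 26;
    if (ch >= '0' && ch <= '9') return ch - '0' + 52;
    return ch == '+' ? 62 : ch == '/' ? 63 : -1;
}

/* 0 ok; -1 char outside the base64 alphabet (line break, space, URL-safe '-'/'_');
 * -2 bad length/padding; -3 shorter than header; -4 size != 436 + signature_len; -5 no memory */
int check_quote_b64(const char *s) {
    size_t n = strlen(s), pad = 0, i, o = 0;
    uint32_t acc = 0, sig;
    for (i = 0; i < n; i++)
        if (s[i] != '=' && b64val(s[i]) < 0) return -1;
    while (pad < 2 && pad < n && s[n - 1 - pad] == '=') pad++;
    if (n == 0 || n % 4 != 0 || memchr(s, '=', n - pad)) return -2;
    uint8_t *buf = malloc(n / 4 * 3);
    if (!buf) return -5;
    for (i = 0; i < n - pad; i++) {
        acc = (acc << 6) | (uint32_t)b64val(s[i]);
        if (i % 4 == 3) { buf[o++] = (uint8_t)(acc >> 16); buf[o++] = (uint8_t)(acc >> 8); buf[o++] = (uint8_t)acc; }
    }
    if (pad == 1) { buf[o++] = (uint8_t)(acc >> 10); buf[o++] = (uint8_t)(acc >> 2); }
    if (pad == 2) buf[o++] = (uint8_t)(acc >> 4);
    if (o < QUOTE_HDR) { free(buf); return -3; }
    sig = buf[SIGLEN_OFF] | buf[SIGLEN_OFF + 1] << 8 | buf[SIGLEN_OFF + 2] << 16 | (uint32_t)buf[SIGLEN_OFF + 3] << 24;
    free(buf);
    return (o - QUOTE_HDR == sig) ? 0 : -4;
}

int main(void) {
    char ok[600], wrapped[600];  /* constructed sample: all-zero 436-byte quote, signature_len = 0 */
    memset(ok, 'A', 580); strcpy(ok + 580, "AA==");
    memcpy(wrapped, ok, 72); wrapped[72] = '\n'; strcpy(wrapped + 73, ok + 72);  /* first libb64-style break */
    printf("plain: %d, wrapped: %d\n", check_quote_b64(ok), check_quote_b64(wrapped));
    return 0;
}
```

A raw line break inside a JSON string is also invalid JSON, so the -1 case is worth ruling out before looking at anything service-specific.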
1 Solution
Kuppusamy_R_Intel

We are working on a sample to be posted to IDZ by end of June, and one of the features of the service provider is a simulation mode for IAS. This would allow folks to test attestation without contacting the real IAS.


0 Kudos
6 Replies
Kuppusamy_R_Intel

Simulation mode isn’t valid for Remote Attestation because it’s untrusted code, not a true SGX enclave. If the IAS were to allow simulation enclaves to attest, then that would really undermine the security of the attestation service. The whole point of it is to be able to authoritatively say that an enclave was generated by trusted hardware.

0 Kudos
Fredrik_T_
Beginner

Thanks Kuppusamy. I still suggest specifying the encoding in more detail in the documentation.

A development IAS endpoint for simulation mode enclaves would be helpful.

0 Kudos
Kuppusamy_R_Intel

The IAS endpoint is proving that the client is running its software in an enclave on an SGX platform.

0 Kudos
Fredrik_T_
Beginner

Yes, I understand that.

I was suggesting an IAS development endpoint that attests simulation enclaves (as provided by the SDK) for development, not productive, purposes.

0 Kudos