Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Intel's DCAP Web API questions

Holodov__Dmitry
Beginner
‎01-21-2020 01:10 PM
797 Views

I have a few questions about Intel's Web API's for DCAP attestation: https://api.portal.trustedservices.intel.com/documentation

Question 1: Is the "Get PCK Certificate V2 (pckcert)" API broken? For some hosts it returns the correct certificate, on others it appears to return a certificate for the wrong TCB level. And certs for the wrong TCB level are not able to verify the QE's attestation key. The parameters I pass to the API come from type 3 QE Certificate Data generated on hosts that do not have the libdcap_quoteprov shared library installed.

Question 2: There is a "Get PCK Certificates V2 (pckcerts)" API that returns certificates for all TCB levels, but the documentation does not state if any order can be assumed about the returned certificates or what the algorithm is for picking the correct certificate from the results. Can someone describe the algorithm and also put it in the documentation?

Question 3: The sample data for "Get TCB Info V2" shows an array of advisory ID values for TCB levels that are not "UpToDate". I'm not finding these advisory IDs in live data. When can we expect them to be added?

Thanks! - Dmitry

0 Kudos

Link Copied

2 Replies
Holodov__Dmitry
Beginner
‎01-23-2020 09:55 AM
797 Views

For question 1: I'm still having issues validating the QE report signature with the PCK certificate only on certain DCAP hosts and only in quotes with type 3 certificate data. (Quotes with type-3 certificate data are created by Intel's libraries when libdcap_quoteprov.so.* is not present.) I'll continue to look into it. It might be something on my end. If someone has seen a similar issue or has ideas, please let me know.

I originally thought the "Get PCK Certificate V2" API might be returning a certificate from the wrong TCB level, but I no longer think that is the case. The certificate I was getting back from the single cert API had a different fingerprint than the one selected by libdcap_quoteprov.so + Intel's PCCS server which use the "Get PCK Certificates V2" API (note the "s"). While the certificates from the 2 different web services had different issue dates and overall fingerprints, the serial numbers and public keys inside the certificates were identical. I had never seen serial numbers reused for different certificates before, so that was another source of confusion when debugging.

0 Kudos
Copy link
Scott_R_Intel
Employee
‎01-24-2020 05:58 AM
797 Views

Hi Dmitry.

First, I'd recommend using the docs at 01.org as opposed to the web based docs... these are currently more complete, especially the Quote Lib Reference:  https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/

1.  This is by design... you can not always get the PCK cert exactly matching your HW TCB.  If you generate a PCK sig using the raw TCB of the platform (CertType = 3), you cannot verify the signature with the mapped down PCK Cert.

2.  You should not depend on the order of the returned certs.  You should only know that you will get 1 PCK Cert for each TCB Level in that platform's TCBInfo structure.  We do provide a Cert Selection Library as part of DCAP that has all cert selection logic, but that is really intended to run as part of the PCCS.

3.  The sample data should be treated as just that... a sample.  The advisories in there are not real.

Regards.

Scott

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.