Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1490 Discussions

PCKRetrievalTool: Error:Found the sgx_get_quote_config_func

Nappa__Antonio
Beginner
3,128 Views

Hello,

 

I am trying to setup a third party attestation service, when I use the PCKRetrievalTool I get Error:Found the sgx_get_quote_config_func. Any idea why I am getting the error?

 

Thank you.

0 Kudos
11 Replies
James_B_Intel1
Employee
3,128 Views

The PCKRetrievalTool needs to run without/before installing the Quote Provider Library (libdcap_quoteprov.so).  This tool needs to obtain the actual TCB of the platform but if the Quote Provider Library is found on the search path, it will fail as the Quote Provider Library will provide a TCB different than the platform's actual TCB.

Thanks

0 Kudos
Nappa__Antonio
Beginner
3,128 Views

I renamed all the instances of libdcap_quoteprov.so and now I am getting

[load_pce pce_wrapper.cpp:113] Error, call sgx_create_enclave for PCE fail [load_pce], SGXError:0001.
Error in sgx_qe_get_target_info. 0xe00d

I have looked around and I am again at the starting point.

 

Thanks

Ant

0 Kudos
James_B_Intel1
Employee
3,128 Views

This seems like maybe an installation problem.  Do you have the DCAP driver installed?  Do you have the PSW installed?  Looks like there may be a problem with enclave loading in general.  Can you check to see if you are able to load any enclaves?  Try moving the application enclave load to the beginning of the sample.

0 Kudos
Nappa__Antonio
Beginner
3,128 Views

Hello after a reinstall I have come pretty far in the process, now I am stuck at QuoteVerification:

 

I have generated a new quote from the QuoteGenerator and saved it into a file. I retrieved all the information from your exposed API, it was a bit of a mess to get the FMSPC out of the x509 but in the end I got a response from the server.

 

PCK certificate chain verification failed with status: STATUS_SGX_PCK_INVALID_ISSUER(15)
TCB info verification failed with status: STATUS_SGX_CRL_UNKNOWN_ISSUER(29)
Quote verification failed with status: STATUS_INVALID_PCK_CRL(41)

 

It seems weird that the issuer of the cert is unknown....

Thanks

Antonio

 

0 Kudos
James_B_Intel1
Employee
3,128 Views

This seems like the signing cert (intermediate cert) may not be inputted correctly.  When you get the root cert and signing cert (intermediate cert) from the Intel PCS, the order in the header is important:  They are delivered concatenated and the intermediate cert is the first cert.  Not sure if this is the problem.

Note:The SGX Trusted Root Cert will be the second cert in the cert chain returned in the get PCK Cert results (same for the TCBInfo and QEIdentity commands).
 

0 Kudos
James_B_Intel1
Employee
3,128 Views

Where/how are you getting the data for these verification parameters: --pckSignChain and --tcbSignChain?

0 Kudos
Nappa__Antonio
Beginner
3,128 Views

Hi James,

 

I have used the ones in the sampledata directory, which probably are wrong. I extracted all the certs from the tcb json but I don't know which is which, there are something like 8 in there. I am assuming that all the data I need comes from the web API which I subscribed to. If not then I lost some of the pieces.

 

Thanks,

Ant

0 Kudos
James_B_Intel1
Employee
3,128 Views

This is how you should populate the different input parameters to the Quote verification API:

  1. --trustedRootCaCert:  You can get this from any of the leaf certs/structures.  The root ca cert and the intermediate certs are put into the header of the response from the PCS.  They are concatenated in this order:  The SGX Trusted Root Cert will be the second cert in the cert chain returned in the get PCK Cert results (same for the TCBInfo and QEIdentity commands)
  2. –pckSignChain:  This is extracted from the CertType=5 quote.  The certification data in the quote is for CertType=5 is::  PCK Leaf Cert||Intermediate CA Cert|| Root CA Cert. See quote definition in:  Appendix A in https://download.01.org/intel-sgx/dcap-1.2/linux/docs/Intel_SGX_ECDSA_QuoteGenReference_DCAP_API_Linux_1.2.pdf
  3. –pckCert: This is extracted from the CertType=5 quote.  (Don’t get it from the getPCKCert Curl command even though that will work in most cases.  It is possible that the PCKCert you got from the PCS is no longer the one that will be in the Quote if the TCB of the platform changes).
  4. –tcbSignChain: This is the intermediate cert and root cert concatenated in the order received from the PCS server in the get TCBInfo response header.
  5. –tcbInfo: The TCBInfo json structure as returned by the PCS
  6. –qeIdentity:  The QEIdentity json structure as returned by the PCS.  The QVL doesn’t take a qeIdentitySignChain since it is the same as the tcbSignChain.
  7. –rootCaCrl:  This is where you need to use the following openssl command to parse trusted root ca cert and pull the file from the resulting URL.  This is a PEM file. openssl asn1parse -in trustedRootCaCert.pem | grep -A 1 'X509v3 CRL Distribution Points' | tail -1 | cut -d: -f 4 | cut -b21- | perl -ne 's/(..)/print chr(hex($1))/ge; END {print "\n"}'
  8. –intermediateCaCrl:  Use the PCS’s /sgx/certification/v1/pckcrl?ca=processor command. It’s a PEM file.
  9. –quote: ECDSA Quote with CertType=5 generated using DCAP or PSW using the installed Quote Provider Library.
0 Kudos
Nappa__Antonio
Beginner
3,128 Views

OK, I have reached the following step 

 

PCK certificate chain verification OK!
TCB info verification OK!
Quote verification failed with status: STATUS_INVALID_QE_REPORT_SIGNATURE(54)

When I use /SampleCode/QuoteGenerationSample after installing DCAP .deb package and successfully generate the quote after including the .so in the LD_LIBRARY_PATH I get as CertType = 3 which of course doesn't verify the quote.

Is there any other configuration I need to make to generate an ECDSA quote? (CertType = 5)

Thanks

0 Kudos
James_B_Intel1
Employee
3,128 Views

OK, this is the error I would expect when you generate a PCK signature using the raw TCB of the platform instead of the TCB matching the PCK Cert used to verify.  This is the normal case when you have a CertType=3 quote (PCK Signature based on the raw TCB of the platform).  To fix this, you need to have the QPL  and PCCS installed and configured properly to retrieve the PCK Cert and TCB needed to generate the quote.  You will need to follow the instructions here:

1. Quote Provider Library (QPL) and Provisioning Certifcate Caching Service (PCCS) install.  Instructions here:  https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration

2. QPL configuration of /etc/sgx_default_qcnl.conf.  Instructions here:  https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/qpl

a. Use the localhost config (default) and change the USE_SECURE_CERT=FALSE to use the self-signed cert.  (Need to generate a self-signed cert)

3. PCCS configuration in ./config.json.  Instructions here here:  https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs

a. Configure with the API key you got from the Intel PCS

 

0 Kudos
Nappa__Antonio
Beginner
3,128 Views

I made it work! Thanks everyone! A small note:

libsgx_default_qcnl_wrapper.so

needs also to be in the LD_LIBRARY_PATH.

Antonio

0 Kudos
Reply