I am trying to set up a third-party attestation service. When I use the PCKRetrievalTool I get Error:Found the sgx_get_quote_config_func. Any idea why I am getting the error?
The PCKRetrievalTool needs to run without/before installing the Quote Provider Library (libdcap_quoteprov.so). This tool needs to obtain the actual TCB of the platform but if the Quote Provider Library is found on the search path, it will fail as the Quote Provider Library will provide a TCB different than the platform's actual TCB.
I renamed all the instances of libdcap_quoteprov.so and now I am getting
[load_pce pce_wrapper.cpp:113] Error, call sgx_create_enclave for PCE fail [load_pce], SGXError:0001. Error in sgx_qe_get_target_info. 0xe00d
I have looked around and I am again at the starting point.
This seems like maybe an installation problem. Do you have the DCAP driver installed? Do you have the PSW installed? Looks like there may be a problem with enclave loading in general. Can you check to see if you are able to load any enclaves? Try moving the application enclave load to the beginning of the sample.
Hello, after a reinstall I have come pretty far in the process. Now I am stuck at QuoteVerification:
I have generated a new quote from the QuoteGenerator and saved it into a file. I retrieved all the information from your exposed API, it was a bit of a mess to get the FMSPC out of the x509 but in the end I got a response from the server.
PCK certificate chain verification failed with status: STATUS_SGX_PCK_INVALID_ISSUER(15)
TCB info verification failed with status: STATUS_SGX_CRL_UNKNOWN_ISSUER(29)
Quote verification failed with status: STATUS_INVALID_PCK_CRL(41)
It seems weird that the issuer of the cert is unknown....
This seems like the signing cert (intermediate cert) may not be inputted correctly. When you get the root cert and signing cert (intermediate cert) from the Intel PCS, the order in the header is important: They are delivered concatenated and the intermediate cert is the first cert. Not sure if this is the problem.
Note: The SGX Trusted Root Cert will be the second cert in the cert chain returned in the get PCK Cert results (same for the TCBInfo and QEIdentity commands).
I have used the ones in the sampledata directory, which probably are wrong. I extracted all the certs from the tcb json but I don't know which is which, there are something like 8 in there. I am assuming that all the data I need comes from the web API which I subscribed to. If not then I lost some of the pieces.
This is how you should populate the different input parameters to the Quote verification API:
OK, I have reached the following step
PCK certificate chain verification OK!
TCB info verification OK!
Quote verification failed with status: STATUS_INVALID_QE_REPORT_SIGNATURE(54)
When I use /SampleCode/QuoteGenerationSample after installing the DCAP .deb package and successfully generate the quote after including the .so in the LD_LIBRARY_PATH, I get CertType = 3, which of course doesn't verify the quote.
Is there any other configuration I need to make to generate an ECDSA quote? (CertType = 5)
OK, this is the error I would expect when you generate a PCK signature using the raw TCB of the platform instead of the TCB matching the PCK Cert used to verify. This is the normal case when you have a CertType=3 quote (PCK Signature based on the raw TCB of the platform). To fix this, you need to have the QPL and PCCS installed and configured properly to retrieve the PCK Cert and TCB needed to generate the quote. You will need to follow the instructions here:
1. Quote Provider Library (QPL) and Provisioning Certificate Caching Service (PCCS) install. Instructions here: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration
2. QPL configuration of /etc/sgx_default_qcnl.conf. Instructions here: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/qpl
a. Use the localhost config (default) and change the USE_SECURE_CERT=FALSE to use the self-signed cert. (Need to generate a self-signed cert)
3. PCCS configuration in ./config.json. Instructions here: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs
a. Configure with the API key you got from the Intel PCS
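An added example, not part of the thread and not Intel's code: a check of which certification data type (the CertType 3 versus 5 discussed in the last two posts) a saved quote carries, so it can be inspected before it is handed to quote verification. The function names are hypothetical, the byte offsets assume the ECDSA Quote v3 layout from sgx_quote_3.h in the DCAP sources, and the sample quotes are constructed, zero-filled inputs.

```python
import struct

# Field sizes follow this example's reading of the ECDSA Quote v3 layout
# (sgx_quote_3.h in the DCAP sources); all integers are little-endian.
HEADER_LEN, REPORT_BODY_LEN, SIG_LEN, PUBKEY_LEN = 48, 384, 64, 64
CERT_TYPES = {1: "PPID_CLEARTEXT", 2: "PPID_RSA2048_ENCRYPTED",
              3: "PPID_RSA3072_ENCRYPTED", 4: "PCK_CLEARTEXT",
              5: "PCK_CERT_CHAIN", 6: "ECDSA_SIG_AUX_DATA"}

def certification_data(quote: bytes):
    """Return (type, type_name, data) of a v3 quote's certification data."""
    def need(offset, size, limit):
        if offset + size > limit:
            raise ValueError(f"truncated quote at offset {offset}")
    off = HEADER_LEN + REPORT_BODY_LEN
    need(off, 4, len(quote))
    version, = struct.unpack_from("<H", quote, 0)
    if version != 3:
        raise ValueError(f"unsupported quote version {version}")
    sig_len, = struct.unpack_from("<I", quote, off)
    off += 4
    end = off + sig_len
    need(off, sig_len, len(quote))
    # Skip ECDSA signature, attestation key, QE report, QE report signature.
    off += SIG_LEN + PUBKEY_LEN + REPORT_BODY_LEN + SIG_LEN
    need(off, 2, end)
    auth_len, = struct.unpack_from("<H", quote, off)
    off += 2 + auth_len  # QE authentication data
    need(off, 6, end)
    cert_type, cert_len = struct.unpack_from("<HI", quote, off)
    off += 6
    need(off, cert_len, end)
    return cert_type, CERT_TYPES.get(cert_type, "UNKNOWN"), quote[off:off + cert_len]

def build_sample_quote(cert_type: int, cert_data: bytes) -> bytes:
    """Constructed input: zero-filled quote with only the framing fields set."""
    auth = bytes(32)
    sig = (bytes(SIG_LEN + PUBKEY_LEN + REPORT_BODY_LEN + SIG_LEN)
           + struct.pack("<H", len(auth)) + auth
           + struct.pack("<HI", cert_type, len(cert_data)) + cert_data)
    header = struct.pack("<H", 3) + bytes(HEADER_LEN - 2)
    return header + bytes(REPORT_BODY_LEN) + struct.pack("<I", len(sig)) + sig

if __name__ == "__main__":
    for sample in (build_sample_quote(3, bytes(16)),
                   build_sample_quote(5, b"-----BEGIN CERTIFICATE-----\n")):
        ctype, name, data = certification_data(sample)
        usable = "PCK chain embedded" if ctype == 5 else "no PCK chain in quote"
        print(f"CertType={ctype} ({name}), {len(data)} bytes: {usable}")
```

For a real quote, read the saved file in binary mode and pass its bytes to `certification_data`.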