Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Platform doesn't support registration.

cl8
Beginner

I am trying to use the DCAP Remote Attestation but I have encountered some problems. I followed the Quick guide but I couldn't install the driver because of the in-kernel driver that I already have.

I am using Ubuntu Desktop 20.04 on an Intel® Core™ i7-10750H. I have successfully used SGX to run my enclaves but the problems are with the attestation.

I get the following error using PCKIDRetrievalTool:

Error: unexpected error occurred while sending data to cache server.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

I am registered in Intel and have the keys that I need, which I already configured in the PCCS.

Also, when looking into the /var/log/mpa_registration.log

[18-12-2024 01:49:53] INFO: SGX Registration Agent version: 1.22.100.3
[18-12-2024 01:49:53] ERROR: readUEFIVar: failed to open uefi variable /sys/firmware/efi/efivars/SgxRegistrationConfiguration-18b3bc81-e210-42b9-9ec8-2c5a7d4d89b6 ,error: No such file or directory
[18-12-2024 01:49:53] ERROR: getRegistrationServerInfo: SgxRegistrationConfiguration UEFI variable was not found.
[18-12-2024 01:49:53] ERROR: getRegistrationServerInfo failed, error: 4
[18-12-2024 01:49:53] INFO: Platform doesn't support registration.

I have seen some answers about updating my BIOS but I already have the latest version. Also, I cannot reset the SGX from BIOS because that is not an option in my BIOS menu. I can only think of two possibilities now: I need to install a different SGX driver or my processor cannot be registered and, therefore, cannot be attested.

Scott_R_Intel
Moderator

Hello.

Consumer "Core" based products do not require registration and therefore won't have the UEFI variables. Only products based on Xeon Scalable Cores require registration. For example, 3rd, 4th, and 5th Gen Xeon Scalable CPUs (aka Ice Lake Server, Sapphire Rapids, Emerald Rapids).

But I'm not sure why you're getting an error from PCCS. Can you check the PCCS log to see if there are any errors in it?

cat /opt/intel/sgx-dcap-pccs/logs/pccs_server.log

Regards.

cl8
Beginner

Hello,

The pccs_server.log was useful to realize the mistake was in the proxy server, thank you. Now PCKIDRetrievalTool works correctly, but I am trying the SampleCode in SGXDataCenterAttestationPrimitives, and the example QuoteGenerationSample returns this error:

[APP] Info: sgx_qe_set_enclave_load_policy is valid in in-proc mode only and it is optional: the default enclave load policy is persistent
[APP] Info: set the enclave load policy as persistent
[APP] Step1: Call sgx_qe_get_target_info:
[QCNL] Error: Load JSON config error: Missing a name for object member. (offset 131).
[QCNL] Error: Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK
[QPL] Error: Failed to get quote config. Error code is 0xb033
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe065
Error in sgx_qe_get_target_info. 0xe065

I looked into the file /etc/sgx_default_qcnl.conf but I cannot see any problems in the configuration. The only thing I changed was the pccs_url to my own and use_secure_cert to false. Using SGX_AESM_ADDR=1 ./app in the example makes it work, but I am not sure what running the app "out-of-proc" means.

Scott_R_Intel
Moderator

"out-of-proc" means the quote is being generated by the aesm - out of your app's process. After changing use_secure_cert to false, you need to restart aesm to re-read the config file if using out-of-proc (it's only read at start up/first use of the QCNL). With in-proc, the QCNL reads it at runtime when your app starts up.

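
Added example (not part of the original thread and not Intel's code): a small Python check for a QCNL config such as /etc/sgx_default_qcnl.conf that reports JSON parse errors with their offset, like the [QCNL] "Load JSON config error" quoted above, and flags use_secure_cert set to false, which turns off verification of the PCCS TLS certificate. The sample configs, the host name and the function names are constructed for illustration, and support for // line comments in the file is an assumption.

```python
import json
import re

# Constructed sample configs (not from the thread); the host name is a placeholder.
GOOD = '''{
  // PCCS server address
  "pccs_url": "https://pccs.example.internal:8081/sgx/certification/v4/",
  "use_secure_cert": true
}'''
WEAK = GOOD.replace('"use_secure_cert": true', '"use_secure_cert": false')
BROKEN = GOOD.replace("true", "true,")  # trailing comma before the closing brace

# Matches a whole JSON string or a // comment, so "//" inside a URL is left alone.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_line_comments(text):
    """Blank out // comments, keeping offsets aligned with the original file.
    Assumption: the QCNL config file allows // line comments."""
    return _TOKEN.sub(
        lambda m: m.group() if m.group().startswith('"') else " " * len(m.group()), text)

def check_qcnl_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        conf = json.loads(strip_line_comments(text))
    except json.JSONDecodeError as e:
        return [f"json-error at offset {e.pos} (line {e.lineno}, col {e.colno}): {e.msg}"]
    if not isinstance(conf, dict):
        return ["top-level value is not a JSON object"]
    findings = []
    if not str(conf.get("pccs_url", "")).startswith("https://"):
        findings.append("pccs_url is missing or not an https:// URL")
    if conf.get("use_secure_cert") is False:
        findings.append("use_secure_cert is false: PCCS TLS certificate is not verified")
    return findings

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK), ("BROKEN", BROKEN)):
        print(name, check_qcnl_conf(sample) or "ok")
```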