Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Problem in getting IAS certification

Wang__Yayu
Beginner
2,099 Views

Hello,

I'm trying to run a remote attestation sample (https://github.com/intel/sgx-ra-sample).

In the settings file, it requires an IAS_REPORT_SIGNING_CA_FILE argument.

I think I have to create a self-signed certification and then validate it.

When I look for a tutorial, I find that the URL https://software.intel.com/en-us/articles/how-to-create-self-signed-certificates-for-use-with-intel-sgx-remote-attestation-using, which many mentioned, is redirected to https://api.portal.trustedservices.intel.com/EPID-attestation, but there is no information about how to create the certification.

Am I missing the information in https://api.portal.trustedservices.intel.com/EPID-attestation, or is there another method to generate this certification?

Thanks.

0 Kudos
10 Replies
Rodolfo_S_
New Contributor III

Hi there.

It seems that Intel is no longer using certificate-based authentication in their development environment.
Instead, new users should use Intel's new key-based authentication using API keys.

In the API portal you can find two links for creating unlinkable or linkable quotes (look, respectively, for the buttons "Subscribe (unlinkable)" and "Subscribe (unlinkable)").

Once you subscribe, Intel will automatically generate an SPID and a couple of keys (primary and secondary). You will be able to find this information following these steps:

1. If you subscribed to the unlinkable service, access this page (for linkable quotes, use this link);
2. Click "Product DEV Intel® Software Guard Extensions Attestation Service (Unlinkable) subscription" (see this image);
3. In the page that loads, you can find your SPID and the keys generated by Intel (see this image).

With that information, you will be able to use IAS following the API documentation found here.

Best regards,
Rodolfo

0 Kudos
Toffalini__Flavio

Hi!

I have exactly the same problem. Thus, I make a follow-up.

I followed the first three steps indicated by Rodolfo S. I mean, I did the following things:

1. If you subscribed to the unlinkable service, access this page (for linkable quotes, use this link);
2. Click "Product DEV Intel® Software Guard Extensions Attestation Service (Unlinkable) subscription" (see this image);
3. In the page that loads, you can find your SPID and the keys generated by Intel (see this image).

If I understood correctly, I should now sign the enclave.

I had a look at this guide: https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf

But I can't really figure out how to sign the enclave, or what I have to do in general.

Is there a more precise how-to, please?

Flavio

0 Kudos
Rodolfo_S_
New Contributor III

Hi Flavio,

I believe you might have confused two steps there. The certificate mentioned in this thread is used for communicating with the Intel Attestation Service (IAS) to validate a QUOTE that was generated by an SGX enclave.
Usually, this communication would not be made by the application being attested, but rather by the client of the application (the attester), so it has nothing to do with signing the enclave.

Signing an enclave is a completely different step, that comes at the final step of the development process. To sign an enclave, one should use the sgx_sign tool using a private key as described in the Developer Reference documentation.

Regards,

Rodolfo

0 Kudos
Toffalini__Flavio

Hi!

My bad. I misunderstood what I was looking for.

Let me rephrase my problem:
I would like to execute the remote attestation example described here: https://github.com/intel/sgx-ra-sample

I already compiled the project and now I am filling in the "settings" file with the SPID, Primary, and Secondary Keys.

I found these three values already. Now I need the certificate for this parameter:

IAS_REPORT_SIGNING_CA_FILE=

As far as I understood, this guide https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf should help me retrieve this file.

Am I correct?

If not, may I ask for help to get the certificate, please?

0 Kudos
Spisak-Spisacki__Krz

IAS_REPORT_SIGNING_CA_FILE property has been used during a process of authenticating with Intel Attestation Service when it was done using certificate file. This method is now deprecated as described here: https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/815572 . Instead you should register for Intel® Software Guard Extensions Attestation Service and use SPID & keys as you've already done.

It seems that https://github.com/intel/sgx-ra-sample is slightly out-of-date. I believe that you should just manually remove logic related to IAS_REPORT_SIGNING_CA_FILE and you should be fine. It seems that there are some more problems with this project though, such as https://github.com/intel/sgx-ra-sample/issues/28

@Intel can we count on some update to this project? Specifically I'm interested in https://github.com/intel/sgx-ra-sample/issues/28 .

0 Kudos
Scott_R_Intel
Employee

Hello all.

The IAS_REPORT_SIGNING_CA_FILE is not used for IAS authentication...  it is required to verify the IAS report's signature sent to you by IAS.  You can see this logic in the IAS_Request::report sample method here:  https://github.com/intel/sgx-ra-sample/blob/master/iasrequest.cpp

I have submitted a ticket to add a download link to the IAS Attestation Portal page for this cert file.  It should hopefully be available by tomorrow.

Regards.

Scott

0 Kudos
Toffalini__Flavio

Thanks all,

Now I understand why I didn't find it.

I join Spisak-Spisacki, Krzysztof's call.

Could @Intel release a full, and up-to-date, example of remote attestation, please?

Besides the formal description in the white paper (which is useful), I am interested in the operational steps needed to deploy and test an RA.

Even if only in a debug environment.

Thanks a lot,
Flavio

0 Kudos
Anandakumar
New Contributor II

Hi all!

You can use the cert file below for the IAS signing CA cert:

I got this Root signing cert from the IAS report response! It's working!

Thank me later :P

0 Kudos
Scott_R_Intel
Employee
2,099 Views

Hello all.

Though we're still working on getting the IAS attestation portal web page updated to add links to the cert(s), you can now download the IAS_REPORT_SIGNING_CA_FILE directly from Intel:

https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem

Regards.

Scott

0 Kudos
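The check Scott describes (validating the IAS report's signature and its signing certificate against the report signing CA file), sketched with the openssl CLI as an added example; it is not code from this thread or from sgx-ra-sample. It assumes the `X-IASReport-Signing-Certificate` header has already been URL-decoded into a PEM file and the `X-IASReport-Signature` header saved as base64; the function names are hypothetical, and the fixture is a throwaway CA constructed only so the script runs offline.

```shell
#!/bin/sh
# verify_ias_report ROOT_CA CHAIN_PEM BODY SIG_B64 -> 0 only if both checks pass.
# ROOT_CA is the IAS_REPORT_SIGNING_CA_FILE; CHAIN_PEM has the signing cert first.
verify_ias_report() {
  ca=$1; chain=$2; body=$3; sig=$4
  tmp=$(mktemp -d) || return 2
  rc=1
  # 1. The signing cert (first in CHAIN_PEM) must chain to the trusted root.
  # 2. The RSA-SHA256 signature must cover the exact bytes of the report body.
  if openssl verify -CAfile "$ca" -untrusted "$chain" "$chain" >/dev/null 2>&1 &&
     openssl x509 -in "$chain" -pubkey -noout > "$tmp/pub.pem" 2>/dev/null &&
     openssl base64 -d -A -in "$sig" -out "$tmp/sig.bin" 2>/dev/null &&
     openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" \
       "$body" >/dev/null 2>&1
  then rc=0; fi
  rm -rf "$tmp"
  return $rc
}

# Constructed fixture: a throwaway root CA and report signer (NOT Intel's),
# plus a signed sample body, written into directory $1.
make_constructed_fixture() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Report Signer" \
    -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null
  openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/signer.pem" 2>/dev/null
  cat "$d/signer.pem" "$d/ca.pem" > "$d/chain.pem"
  printf '%s' '{"id":"constructed","isvEnclaveQuoteStatus":"OK"}' > "$d/body.json"
  openssl dgst -sha256 -sign "$d/signer.key" "$d/body.json" |
    openssl base64 -A > "$d/sig.b64"
}

# Offline demo on the constructed fixture.
demo=$(mktemp -d) && make_constructed_fixture "$demo" &&
  verify_ias_report "$demo/ca.pem" "$demo/chain.pem" \
    "$demo/body.json" "$demo/sig.b64" &&
  echo "report signature and certificate chain verified"
rm -rf "$demo"
```

Against a real IAS response, pass the downloaded Intel_SGX_Attestation_RootCA.pem as the first argument and the raw response body, byte for byte, as the third.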
Toffalini__Flavio

Now it seems to be working a little more :) Thanks Scott R and NATARAJAN, ANANDAKUMAR. Both CAs are the same.

Now I have another problem.

When the client performs a sgx_create_pse_session(), I receive a SGX_ERROR_SERVICE_UNAVAILABLE (0x4001).

The thing is smelly because afaik, this means that aesmd service is not working.

However, service aesmd status is fine. And the enclave is loaded properly.

I guess I have to open a new thread for this issue though :)

PS: I am working on an Ubuntu 18.04 and I already tried to re-install PSW and re-compile the project.

0 Kudos