Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question about SGX remote attestation

Sijie_D_
Beginner
7,396 Views

Hi,

I'm looking into the sample code shipped with the SGX windows sdk as well as the user guide document.

It seems that the last step of attestation is service provider receiving and verifying MSG3 which includes the REPORT_DATA generated by the quoting enclave.

I'm wondering, how could a service provider verify that the REPORT is actually generated by the quoting enclave, but not some fake report generated by some malware. I know that the report should be signed by the quoting enclave using hardware based EPID, but how could the service provider get the public key corresponding to the EPID?

In the sample code, it used a simulated Intel attestation service (IAS). Should the verification mentioned above done by IAS? Is the IAS a mandatory component of remote attestation framework?

 

0 Kudos
1 Solution
Surenthar_S_Intel
7,412 Views

Hi Shivani,

Here’s how the message flow works starting at MSG2:

Client receives MSG2 from the Service Provider

    MSG2 = gb || SPID || QUOTETYPE || SigSP(gb,ga) || CMACSMK(gb || SPID || QUOTETYPE || SigSP(gb,ga)) || SigRL

    Where || is concatenation. 

What this boils down to is MSG2 is constructed from this data:

    gb (the random data from the server) || SPID || QUOTETYPE || SigSP(gb,ga) followed by a CMAC of that data, followed by the revocation list.

Client processes MSG2 and generates MSG3

    MSG3 = CMAC(SMKCMAC, M) || M

    Where M = ga || PS_SECURITY_PROPERTY || QUOTE

So what is happening here is that MSG3 is a CMAC of ( the CMAC from MSG2 || M ) followed by M. It’s the CMAC from MSG2 that includes the random data generated by the server.

Thanks and Regards,

Surenthar Selvaraj

View solution in original post

0 Kudos
37 Replies
Simon_J_Intel
Employee
4,720 Views

A full explanation of the Intel Attestation architecture can be found at the recent blog post: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services 

 

 

0 Kudos
Min_X_
Beginner
4,720 Views

Hi,

For RemoteAttestation sample code in the SDK, in debug mode, when I invoke enclave_init_ra with b_pse as true, the sgx_create_pse_session() function will always fail. Is this normal? 

In addition, does the msg3 contain a quote attested by the local quoting enclave with the attestation key? If not, how can I get a valid quote with the sample RemoteAttestation project?

Thanks.

Min

0 Kudos
Luis_M_5
Beginner
4,720 Views

Hello,

I'm trying to use SGX Attestation development environment after registering and obtaining my SPID. Although I can sucessfully connect to the attestation server, I can't manage to guess the right way to query the services. SGX provisioning and attestation whitepaper refers to:

- GetSigRL[GID]
- VerifyQuote

as the two main interfaces available, but every creative attempt to access an URL related to those interfaces returns a 404. 

Could you please provide more information or an example about the attestation API?

Thanks,
Luis M.

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Min,

1. When I invoke enclave_init_ra with b_pse as true, the sgx_create_pse_session() function will always fail. Is this normal?

Answer : Some platforms do not have firmware support for platform services enclave, which would cause this function to fail. In this case, you should set b_pse=false and call enclave_init_ra again and make a code path where sgx_create_pse_session() is not called.

2. Does the msg3 contain a quote attested by the local quoting enclave with the attestation key?

Answer : Yes. You can see this in the sample RemoteAttestation project. The quote is produced by sgx_ra_proc_msg2(). As stated in the User's Guide: "The code in sgx_ra_ proc_msg2() builds S3 = CMAC(SMKCMAC,M)||M where M = ga||PS_SECURITY_PROPERTY|| QUOTE and returns it. Platform Services Security Information is included only if the app/enclave uses Platform Services"

Thanks,
Kuppusamy.R

 

 

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Luis,

As stated in https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services: The attestation service is available to all SGX developers. For developers that have built their enclaves and are ready to access the Intel Attestation Verification Service referenced in the paper, please contact intel.developer.services@intel.com for additional information.

Thanks,
Kuppusamy.R

 

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Sijie,

The service provider doesn't need to have the EPID key if it connects to IAS, which has this information for verification. IAS is not necessary if the service provider wants to do this work itself, but IAS is a free service and easy to use. From https://software.intel.com/en-us/articles/innovative-technology-for-cpu-based-attestation-and-sealing: “The challenger [service provider] uses an EPID public key certificate and revocation information or an attestation verification service to validate the signature over the Quote.

Thanks,
Kuppusamy.R

 

 

0 Kudos
Min_X_
Beginner
4,720 Views

Hi Kuppusamy,

First, I am running the code on a Window10 machine with SGX support. The PSW is also installed, and the aesm_service is running. So what are these Platform Services that sgx_create_pse_session() tries to create a session with? What's the implication if the pse_session is not initialized before a remote attestation?

Assuming the platform services include the local quoting enclave, if b_pse is set to false, and sgx_create_pse_session() is not invoked, then the application's enclave cannot establish a secure channel with the local quoting enclave, right? Then, how does the app enclave and the quoting enclave securely communicate with each other?

Thanks.

Min

0 Kudos
Sijie_D_
Beginner
4,720 Views

Hi Kuppusamy,

Thank you for the reply.

In your reply you mentioned that "IAS is not necessary if the service provider wants to do this work itself, but IAS is a free service and easy to use". While, what did you mean by "if the service provider wants to do this work itself"? Based on my understanding to SGX, the "this work" you mentioned corresponds to verifying the authenticity of the report generated by the quoting enclave. Well, if this is correct, I don't know how to do it without interacting with Intel IAS.

In my opinion, the report generated by the quoting enclave contains some hardware specific credential that can only be verified by Intel...

Or, maybe there are some serious mistakes on my understanding of the attestation picture. If it is true, please very kindly correct me.

Thanks a lot.

Sincerely,

Sijie

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Sijie,

yes your are right, the Intel Attestation Service is necessary for now

Thanks,
Kuppusamy.R

0 Kudos
Luis_M_5
Beginner
4,720 Views

Hi Kuppusamy,

thanks for your answer. I'm already registered at the development Intel Attestation Service, and received my SPID. Unfortunately, there is no public specification about how to verify a quote through the IAS. The interfaces "GetSigRL" and "VerifyQuote" are mentioned on some documents, but they are useless without the proper spec.

Could you please disclose the spec for the IAS HTTP API? Without it, the IAS can´t be used.

Thanks,
Luis

0 Kudos
Kuppusamy_R_Intel
4,720 Views


Hi Min,

The Quoting Enclave is independent of Platform Services, and PSE is not necessary for there to be a secure channel with the quoting enclave.

Thanks,
Kuppusamy.R

 

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Luis,

The information will be published very shortly. I don’t have a precise timeline yet.

Thanks,
Kuppusamy.R

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Luis,

Spec details of Intel® Attestation Service API document https://software.intel.com/sites/default/files/managed/3d/c8/IAS_1_0_API_spec_1_1_Final.pdf 

Thanks,
Kuppusamy.R

0 Kudos
Min_X_
Beginner
4,720 Views

Hi,

I am trying to get a quote for a simple Debug mode enclave. I first call the sgx_init_quote to get the target info of the QE. Then, I call the sgx_create_report with the QE's target info to generate a report of the enclave targeted for the QE. Finally, I call sgx_get_quote with the report to get the quote. One thing that confuses me is the sgx_spid_t parameter of the sgx_get_quote API, and I have no idea how this parameter can be derived.

With above design, the sgx_get_quote always fails with the SGX_ERROR_INVALID_PARAMETER error. Does anyone have any experience in using these two APIs? Do I miss something on correctly triggering a QE?

Another question is how to create "New Topic" on this forum, and I kept getting error saying that my post is filtered as spam.

Thanks.

Min

0 Kudos
Luis_M_5
Beginner
4,720 Views

Many thanks!

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Min,

sgx_get_quote generates a linkable or un-linkable QUOTE. 
Syntax 
sgx_status_t  sgx_get_quote( 
const sgx_report_t *p_report, 
sgx_quote_sign_type_t quote_type, 
const sgx_spid_t *p_spid, 
const sgx_quote_nonce_t *p_nonce, 
const uint8_t *p_sig_rl, 
uint32_t sig_rl_size, 
sgx_report_t *p_qe_report, sgx_quote_t *p_quote, 
uint32_t quote_size );   

Parameter sgx_spid_t[in] is ID of service provider. 

When user will get SGX_ERROR_INVALID_PARAMETER : The p_quote_size pointer is invalid or the other input parameters are corrupted/invalid. 

Thanks,
Kuppusamy.R

 

0 Kudos
Sijie_D_
Beginner
4,720 Views

Hi Kuppusamy and everyone who is exploring SGX,

I read through the Intel Attestation Service API and it helped a lot. But still, I can't get the correct response from the IAS.

I only have little experience with http service and not to say JSON... So, I can't figure out how to make a correct http request based on the information in the given document.

For example, based on my understanding to the document, the interaction between IAS and the service provider includes two main steps:

1. Set up a secure channel and do authentication on both sides. 2. Service provider send received evidence to IAS to have it verified.

But I can't figure out how to code to get them work correctly.

So, has any one successfully made connection with IAS and got some responses from it? Would you please share the sample code or even a step-by-step instruction on doing this? Any clue could help!

Many thanks!

Sijie

0 Kudos
Kuppusamy_R_Intel
4,720 Views

Hi Sijie D,

Hope, you have tried SGX sample application available with SGX SDK kit, 

https://software.intel.com/en-us/sgx-sdk/download  

Thanks,

Kuppusamy.R

 

 

 

0 Kudos
Konrad_R_Intel
Employee
4,720 Views

Hi,
I also have some problems with attestation.
Also I'm already registered at the development Intel Attestation Service, and received my SPID.
I tried to get quote to send it to IAS, but I can't create and verify report correctly - I get "SGX_ERROR_MAC_MISMATCH" as a result.
Below is more or less the code I'm using to generate it:

    sgx_report_data_t sgxReportData;  
    memset(sgxReportData.d, 0, SGX_REPORT_DATA_SIZE);  
    sgx_report_t sgxReport;  
    sgx_status_t reportStatus = sgx_create_report(nullptr, &sgxReportData, &sgxReport);  
    if (reportStatus != SGX_SUCCESS)  
    {  
        return reportStatus;  
    }  
    sgx_status_t verificationStatus = sgx_verify_report(&sgxReport);  
    if (verificationStatus != SGX_SUCCESS)  
    {  
        return verificationStatus;  
    }  

I'm 100% sure that function exits in line 12 with status SGX_ERROR_MAC_MISMATCH and reportStatus is SGX_SUCCESS.
This happens both in Prerelease and Simulation modes.
What am I doing wrong?

I also tried to do attestation using sample code from sgxsdk package, with no success.
Could I get a list of changes that have to be done in order to make it work?

0 Kudos
Mark_S_Intel2
Employee
4,125 Views

Konrad,

The call to sgx_create_report in line 4 is giving you a report to a null target.  This report cannot be verified, but can be used to get information for sgx_target_info_t in order to generate a new report targeted to your enclave.

Try copying sgx_target_info_t fields from sgxReport (the output of the first call to sgx_create_report) to a sgx_target_info_t structure and then calling sgx_create_report again using the sgx_target_info_t structure that you just created.  This will give you a report targeted to your own enclave.  This report should verify with sgx_verify_report(...).

Of course, this report will not be very useful.  The ultimate goal would be to target a report toward another enclave on the same platform so that the other enclave can use the report (after verifying it).

Mark

0 Kudos
Reply