Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Remote Attestation Invalid Signature

mxl01
Novice
1,983 Views

Hello everyone,

I am trying to implement the Service Provider's side of the Remote Attestation flow in python. To debug the application, I use the same keys as in the RemoteAttestation Sample from the linux-sgx repo and so far, I am able to derive the same keys as in the sample. However, when I try to sign the Gb_Ga message in msg2, I receive a different signature than the one in the sample, although I follow the guide from the Code Sample . Actually, it irritates me that in the Sample Application, the following output is made which shows that the first half of the signature is not at all encrypted/ signed in any way.

 

A more descriptive representation of MSG2:
RESPONSE TYPE:   0x2
RESPONSE STATUS: 0x0 0x0
RESPONSE BODY SIZE: 168
MSG2 gb - 64 bytes:
{
0x6a, 0x83, 0xdc, 0x84, 0xd4, 0x4c, 0x8a, 0xbb, 
0x5e, 0x42, 0xaf, 0xee, 0x8d, 0xe9, 0xf4, 0x57, 
0x71, 0xfd, 0x73, 0x66, 0xd7, 0xfa, 0xad, 0xfa, 
0xf2, 0x17, 0x14, 0xdd, 0x5a, 0xb9, 0x9e, 0x97, 
0x79, 0xa7, 0x38, 0x72, 0xf2, 0xb8, 0xd6, 0xbe, 
0x18, 0x91, 0x7f, 0xf7, 0xb5, 0xd3, 0xe5, 0x64, 
0x9b, 0x12, 0x18, 0xaf, 0x39, 0x29, 0x6c, 0x24, 
0x19, 0x38, 0x29, 0xb, 0xc6, 0xac, 0xc, 0x62 
}
MSG2 spid - 16 bytes:
{
0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20, 
0x58, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 
}
MSG2 quote_type : 1
MSG2 kdf_id : 1
MSG2 sign_gb_ga - 64 bytes:
{
0x6a, 0x83, 0xdc, 0x84, 0xd4, 0x4c, 0x8a, 0xbb, 
0x5e, 0x42, 0xaf, 0xee, 0x8d, 0xe9, 0xf4, 0x57, 
0x71, 0xfd, 0x73, 0x66, 0xd7, 0xfa, 0xad, 0xfa, 
0xf2, 0x17, 0x14, 0xdd, 0x5a, 0xb9, 0x9e, 0x97, 
0x49, 0xa2, 0x2c, 0xc8, 0xd4, 0xba, 0xd1, 0x3b, 
0xfe, 0x72, 0xd5, 0xc3, 0x18, 0x31, 0x10, 0xd, 
0x72, 0xf4, 0x92, 0xff, 0xf, 0xa0, 0x3e, 0x6f, 
0x97, 0xe4, 0xaa, 0x68, 0x80, 0x69, 0x60, 0xd6 
}
MSG2 mac - 16 bytes:
{
0xaa, 0xc7, 0xa1, 0xbb, 0x94, 0xbf, 0x2d, 0x35, 
0x5f, 0x32, 0x17, 0xe4, 0xfa, 0xca, 0x61, 0x79 
}
MSG2 sig_rl - 
( null )

Call sgx_ra_proc_msg2_ex success.

If you compare line 7ff and line 25ff, the same values are present which does not make sense to me. Also, I noted that no solution has been found to a similar question , has there been any progress so far?

Could somebody explain how the signature is derived in the Remote Attestation Sample? The sample_libcrypto file does not provide real insight into the process. 

Thanks in advance!

0 Kudos
1 Solution
JesusG_Intel
Moderator
1,872 Views

Hello Mxl01,


It seems you are missing the PSW component: libsgx-uae-service. Install it with:


$sudo apt get libsgx-uae-service


Ensure you install all of the PSW components with:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx-uae-service


Here is how to follow the code in the sgx-ra-sample to find where it is not detecting SGX:

client.cpp:373 sgx_support = get_sgx_support();

sgx_detect_linux.c:44 if (! have_sgx_psw()) return sgx_support;

sgx_stub.c:196

int have_sgx_psw()

{

    return ( 

        _load_libsgx_uae_service() == NULL ||

        _load_libsgx_urts() == NULL 

    ) ? 0 : 1;

}


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

0 Kudos
9 Replies
JesusG_Intel
Moderator
1,955 Views

Hello Mxl01,

 

Pay special attention to the instructions regarding little-endian byte order in the end-to-end example. I recommend doing a search on the page for "endian" so you can find all the references.

 

Did you look at the function process_msg01 in sp.cpp?

 

If you still cannot figure it out after fixing the endian issues, I recommend installing the debug versions of the SDK and PSW so you can step into the SGX runtimes using sgx-gdb. Follow these instructions to install the debug files:

 

1. Install Prerequisites then download the Intel SGX for Linux source code:

$ git clone https://github.com/intel/linux-sgx.git

$ cd linux-sgx && make preparation

 

2. Build the debug versions of the SDK and SDK installer:

$ make sdk DEBUG=1

$ make sdk_install_pkg DEBUG=1

 

3. Install the SGX SDK

$ cd linux/installer/bin

$ ./sgx_linux_x64_sdk_${version}.bin

$ source ${sgx-sdk-install-path}/environment

 

4. Build the debug versions of the PSW and PSW installers:

$ make psw DEBUG=1

$ make deb_psw_pkg DEBUG=1

 

5. Install the PSW components and their symbol files.

The generated PSW installers are located under linux/installer/rpm/libsgx-urts, linux/installer/rpm/libsgx-enclave-common, linux/installer/rpm/libsgx-uae-service, linux/installer/rpm/libsgx-epid, linux/installer/rpm/libsgx-launch, linux/installer/rpm/libsgx-quote-ex and linux/installer/rpm/sgx-aesm-service

 

6. Execute the following commands in each PSW installer directory:

 

$ sudo dpkg -i *.deb

$ sudo dpkg -i *.ddeb

 

Now you can use sgx-gdb to step into any SGX runtime function so you can see what is happening behind the scenes.

 

Sincerely,

Jesus G.

Intel Customer Support

 

mxl01
Novice
1,943 Views

I will look into this, thanks! Still, I do not think that the used signature procedure is sensible in the RemoteAttestation Sample from the linux-sgx repository, as no signature should yield back an unmodified first half of the original buffer. If you could clear this up, it would be helpful for debugging so I know where these values in line 25ff comes from.

0 Kudos
JesusG_Intel
Moderator
1,932 Views

Hello Mxl01,


You are right, the first halves of Msg2 and the signed Msg2 should not be the same. That is your first indication that something is not right. Here are my outputs from running sgx-ra-sample.


---- Msg2 Details ----------------------------------------------------------

msg2.g_b.gx   = b86a9353678fd85e255825c6fefb53d4fc307dc07cd86f41aec014be5db43e0e

msg2.g_b.gy   = 61e30199bec58304a5da94419effbd7fa84057ebf56369fadcf44e8ea8e5f444

msg2.spid    = 512a4762b082984ff983cb5e59bee669

msg2.quote_type = 0000

msg2.kdf_id   = 0100

msg2.sign_ga_gb = 471991a397d91a27326f4dea2081dbc6d1c1b9ba0ebc2be220fa757f5a0d78b1f59dbc971a676737d78c0ca2c5a9ac8b7fc92c639ac0deb5914b33951333dc72

msg2.mac     = 7a5cd6f10638431b706e43c346505fed

msg2.sig_rl_size = 00000000

msg2.sig_rl   = 

----------------------------------------------------------------------------

+++ msg2_size = 168


mxl01
Novice
1,917 Views

Hello JesusG_Intel,

I was talking about the RemoteAttestation sample from here , if you run that sample, you get two identical first halves of the key and the signature, which should not be the case. In the sgx-sample you described, however, I am not even able to run the ./run-client command as it tells me 'This system does not support Intel SGX.' although I think I have all needed sgx drivers installed and am able to run all sample applications from above link in hardware mode. Can you give me a hint why this problem occurs?

0 Kudos
JesusG_Intel
Moderator
1,900 Views

Hello Mxl01,


We are still trying to figure out why the Remote Attestation sample outputs the same values for msg2_gb_gx and msg2_sign_gb_ga_x. They are different in the sgx-ra-sample.


The function in Remote Attestation that does the signing is service_provider.cpp:506 and starts printing at isv_app.cpp:122.


Let's figure out why you can't run the sgx-ra-sample.


1. Confirm your processor has SGX enabled.

Open a terminal and run$ cpuid | grep -i sgx


2. Check the SGX driver:

$ ls /dev | grep sgx

 

2. Check the PSW, especially libsgx-uae-service

$ sudo apt list --installed | grep sgx

 

3. Run sudo apt-get update to ensure all your components are up-to-date.

 

4. Setup your proxy if necessary.

Edit the file /etc/aesmd.conf (refer to the comments in the file) to set the proxy for the aesmd service.

After you configure the proxy, you need to restart the service to enable the proxy.

 

5. Check aesmd

$ ps aux | grep -aesm

$ sudo systemctl stop aesmd

$ sudo systemctl start aesmd

$ cat /var/log/syslog | grep -i aesm


mxl01
Novice
1,878 Views

Hello JesusG_Intel,

thanks for your detailed response, my resulting terminal output is:

1. processor sgx enabled?

> cpuid | grep -i sgx
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):

 

2.  sgx-driver check:

> ls /dev | grep sgx
isgx

 

3.  my components are up-to-date

4. I don't think I need to configure a proxy 

5. aesmd:

> ps aux | grep -aesm
root          67  0.0  0.0      0     0 ?        SN   13:40   0:00 [ksmd]
gdm         1490  0.0  0.0 323796  8600 tty1     Sl+  13:40   0:00 /usr/libexec/gsd-smartcard
max         2039  0.0  0.0 397532  8780 ?        Ssl  13:41   0:00 /usr/libexec/gsd-smartcard
aesmd       6235  0.0  0.0 352572 14576 ?        Ssl  13:52   0:00 /opt/intel/sgx-aesm-service/aesm/aesm_service
max         7028  0.0  0.0  17672  2864 pts/0    S+   14:04   0:00 grep --color=auto -aesm

When checking the syslog, there is actually something interesting:

Sep 16 14:19:03 max-laptop systemd[1]: aesmd.service: Succeeded.
Sep 16 14:19:09 max-laptop aesm_service[10163]: [ADMIN]White List update requested
Sep 16 14:19:09 max-laptop aesm_service[10163]: [load_qe ../qe_logic.cpp:680] Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004.
Sep 16 14:19:09 max-laptop aesm_service[10163]: Failed to load QE3: 0x4004
Sep 16 14:19:09 max-laptop aesm_service[10163]: The server sock is 0x5644b9d506f0
Sep 16 14:19:10 max-laptop aesm_service[10163]: [ADMIN]White list update request successful for Version: 105

 Error 0x4004 is (according to the developer reference) 'Enclave has no privilege to get a launch token.' 

Is the launch token error the problem for my inability to launch the sgx-ra-sample client? Or does my system simply not have the sgx standards needed? Thanks in advance!

0 Kudos
JesusG_Intel
Moderator
1,873 Views

Hello Mxl01,


It seems you are missing the PSW component: libsgx-uae-service. Install it with:


$sudo apt get libsgx-uae-service


Ensure you install all of the PSW components with:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx-uae-service


Here is how to follow the code in the sgx-ra-sample to find where it is not detecting SGX:

client.cpp:373 sgx_support = get_sgx_support();

sgx_detect_linux.c:44 if (! have_sgx_psw()) return sgx_support;

sgx_stub.c:196

int have_sgx_psw()

{

    return ( 

        _load_libsgx_uae_service() == NULL ||

        _load_libsgx_urts() == NULL 

    ) ? 0 : 1;

}


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
JesusG_Intel
Moderator
1,841 Views

Hello Mxl01,


Were you able to install libsgx-uae-service and get the sgx-ra-sample running? We recommend using the sgx-ra-sample over the RemoteAttestation sample in the SDK.


Sincerely,

Jesus G.

Intel Customer Suppor


0 Kudos
JesusG_Intel
Moderator
1,796 Views

Hello Mxl01,


I hope the information I provided was helpful to you. Since we haven't heard from you I will close this case. If you need further assistance with this issue, please open a new thread.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Reply