Hi everyone,
I am new to SGX, and I have installed SGX SDK and PSW. I have gone through the steps in this quick install guide for DCAP. Everything works fine until I run PCKIDRetrievalTool and then I get this error:
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.14.100.3
Warning: platform manifest is not available or current platform is not multi-package platform.
Error: unexpected error happend during sending data to cache server.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!
The PCCS server log gives me this error:
2022-10-10 19:38:53.281 [debug]: Request URL https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts
2022-10-10 19:38:53.281 [error]: Intel PCS server returns error(404).
2022-10-10 19:38:53.281 [error]: Intel PCS server returns error. Error code : 404
2022-10-10 19:38:53.281 [error]: Error: No cache data for this platform.
at Proxy.getPckCertFromPCS (/opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async ReqCachingMode.registerPlatforms (/opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:205:7)
at async Proxy.registerPlatforms (/opt/intel/sgx-dcap-pccs/services/platformsRegService.js:107:3)
at async postPlatforms (/opt/intel/sgx-dcap-pccs/controllers/platformsController.js:40:5)
2022-10-10 19:38:53.282 [info]: 127.0.0.1 - - [10/Oct/2022:17:38:53 +0000] "POST /sgx/certification/v3/platforms HTTP/1.1" 404 32 "-" "-"
Question:
Do I need to register my server somewhere? I am sorry if this is a stupid question, but I have not seen where to do this.
Thanks in advance.
General information:
Linux 5.15.0-48-generic #54~20.04.1-Ubuntu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 45 bits physical, 48 bits virtual
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 4
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 106
Model name: Intel(R) Xeon(R) Silver 4310 CPU @ 2.10GHz
Stepping: 6
CPU MHz: 2095.078
BogoMIPS: 4190.15
Hypervisor vendor: VMware
Virtualization type: full
L1d cache: 192 KiB
L1i cache: 128 KiB
L2 cache: 5 MiB
L3 cache: 72 MiB
NUMA node0 CPU(s): 0-3
Vulnerability Itlb multihit: KVM: Mitigation: VMX unsupported
Hi,
This error is due to an outdated BIOS. You need to update the BIOS on your system to the most recent BIOS available from the OEM to make the trusted computing base current.
Sincerely,
Sahira
Hi Sahira,
Thank you for the fast reply.
Just to be sure, if the BIOS is not the problem, can something else be? My processor is an Intel(R) Xeon(R) Silver. If I understood correctly, this processor does not support DCAP, because I have read that only Intel® Xeon® E processors support DCAP (source: DCAP_ECDSA_Orientation.pdf). Am I right?
Does that mean I have to get an Intel® Xeon® E processor server and install everything there? If I can still work with the Intel(R) Xeon(R) Silver processor, do I need to register it?
Thanks in advance!
All the best,
Danko
Hi,
Intel® SGX DCAP ECDSA Attestation works with the following Intel processors that support FLC:
- 3rd gen Intel® Xeon® Scalable processors
- The top three SKUs of the Intel® Xeon® E-21xx family support FLC (E-2174G, E-2176G, E-2186G) on Intel® SPS–based platforms.
- 8th Generation Intel® Core™ Processor or newer with Flexible Launch Control and Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) support
- Intel Atom® Processor with Flexible Launch Control and Intel® AES-NI support
You can also run the following command to ensure your system supports FLC & DCAP:
$ cpuid | grep -i sgx
Then look for output: SGX_LC: SGX launch config supported = true
Visit this article for more information: https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html#:~:text=Intel%C2%AE%20SGX%20DCAP%20ECDSA,Intel%C2%AE%20SPS%E2%80%93based%20platforms.
Most likely you would need to update your BIOS to the latest one provided by the OEM.
To register your platform, visit this page: https://api.portal.trustedservices.intel.com/registration
And for more information, visit this page: https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_Multipackage_SW.pdf
Sincerely,
Sahira
Thanks @Sahira_Intel ,
I have updated vSphere 7 to vSphere 8 (ESXi). The VM that is being run is an Ubuntu 20.04.
When I run the command "cpuid | grep -i sgx" I can see that SGX is enabled, and I also see this: SGX_LC: SGX launch config supported = true.
There seem to be no SGX-related UEFI variables in /sys/firmware/efi/efivars in Ubuntu. It seems that the MPA registration tool is using the UEFI variables, but they are missing. Can this be the cause of the problem?
Configuration of SGX in iDRAC9 (BIOS Settings).
Secure Boot is not shown in this picture, but it is enabled.
Thanks again,
Danko
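The two checks this thread walks through (Sahira's cpuid test for FLC, and Danko's observation that the SGX UEFI variables are absent in the guest) can be combined into one diagnostic. This is an added example, not Intel's tooling or code from any poster; the sample cpuid text and the empty efivars directory are constructed stand-ins, and the variable-name glob `*Sgx*` is an assumption about how the registration variables are named.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Intel's tools): classifies why
# PCKIDRetrievalTool / PCCS registration may be failing, using the checks the
# thread discusses: FLC support from cpuid output, and presence of SGX UEFI
# variables in efivars (absent in an ESXi guest without passthrough).

# flc_supported: read `cpuid | grep -i sgx` output on stdin; succeed if the
# SGX_LC line (quoted from the thread) reports launch config = true.
flc_supported() {
    grep -qi 'SGX_LC: SGX launch config supported *= *true'
}

# sgx_efivars_present DIR: succeed if DIR (normally /sys/firmware/efi/efivars)
# holds any variable whose name contains "sgx" (assumed naming; the MPA
# registration tool reads its platform manifest from such variables).
sgx_efivars_present() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || return 1
    for f in "$dir"/*[Ss][Gg][Xx]*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# diagnose CPUID_FILE EFIVARS_DIR: print the most likely cause, checked in
# the order the thread resolved them.
diagnose() {
    if ! flc_supported < "$1"; then
        echo "no-flc"               # CPU/BIOS does not expose FLC: DCAP unsupported
    elif ! sgx_efivars_present "$2"; then
        echo "no-uefi-vars"         # likely a guest VM: register via hypervisor or bare metal
    else
        echo "registration-pending" # hardware OK; platform still has to be registered
    fi
}

# Constructed sample input: the SGX_LC line as quoted in the thread, plus an
# illustrative SGX line; an empty temp dir stands in for a VM's efivars.
SAMPLE_CPUID=$(mktemp)
cat > "$SAMPLE_CPUID" <<'EOF'
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported = true
EOF
EMPTY_EFIVARS=$(mktemp -d)
diagnose "$SAMPLE_CPUID" "$EMPTY_EFIVARS"   # prints no-uefi-vars
rm -rf "$SAMPLE_CPUID" "$EMPTY_EFIVARS"
```

On a real host, run `cpuid | grep -i sgx > /tmp/cpuid.txt` and then `diagnose /tmp/cpuid.txt /sys/firmware/efi/efivars`.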
Hi Danko.
As Sahira mentioned, you will need to register the platform. And yes, the PCK Cert ID Retrieval tool will only work correctly on bare metal, not in a guest VM, as ESXi doesn't pass through the required UEFI variables, as you found out.
The good news is with vSphere v8+, you can directly register the platform from within the vSphere interface. Per this VMware article: "To enable SGX remote attestation, register the host in vSphere if running vSphere 8.0 or later." A bit more info here also.
If you wanted to use vSphere 7, you'd need to work around this by booting to bare metal (maybe with a live Linux distro) and utilize the PCK Cert ID Retrieval Tool to retrieve the platform manifest to be able to register manually.
Regards.
Scott
Hi Scott_R,
Thank you @Scott_R_Intel and @Sahira_Intel for the effort.
This is what I have been looking for.
Best regards,
Danko