Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

SGX_ERROR_INVALID_PARAMETER when unsealing from a saved data file

Mashiro_M_1
Beginner
1,440 Views

Hi!

I've referred to the SDK Developer Reference regarding the error, but every condition seems to be fulfilled... so I'm a bit lost as to what the reason could be.

I have this code; it simply generates a string (i.e. the text "Hello"), seals it with sgx_seal_data(), then gives the untrusted area a copy of this sealed "blob" and has it saved to a binary file. To test the blob provided to the untrusted area, I tried passing this blob back into the enclave, and it gets unsealed successfully. (So from this I guess it is safe to say that the data saved to the file is OK.)

However, when loading this file and unsealing its contents, SGX_ERROR_INVALID_PARAMETER is returned by sgx_unseal_data(). I might have done something wrong, so here are snippets of my code.

EDIT UPDATE:

It seems the saved encrypted data is corrupted at some point; trying again, at times the load succeeds.

Then at times the error is SGX_ERROR_MAC_MISMATCH.

Untrusted.cpp

void doNew() {
    const int SEAL_MAX_BLOB_SIZE = 1024;
    sgx_status_t ret = SGX_SUCCESS;
    int updated = 0;
    uint32_t err;
    unsigned char blob[SEAL_MAX_BLOB_SIZE] = {0};
    unsigned char sealedBlob[SEAL_MAX_BLOB_SIZE] = {0};
    int blob_len, seal_len;
    seal_len = 0;
    blob_len = SEAL_MAX_BLOB_SIZE;

    sgx_status_t res = sgx_create_enclave(ENCLAVE_NAME, 1, &token, &updated, &global_eid, NULL);
    if (res != SGX_SUCCESS) {
        return;
    }

    ret = enclave_experiment(global_eid, &err, blob, blob_len, &seal_len);
    if (ret != SGX_SUCCESS) {
        sgx_destroy_enclave(global_eid);
        return;
    }

    memcpy(sealedBlob, blob, seal_len);

    if(write_file("file.dat", sealedBlob, seal_len))
        cout << "error occurred in saving" << endl;


    cout << "SAVE DONE, attempting to throwback to enclave again" << endl;
    ret = enclave_experimentLoad(global_eid, &err, sealedBlob, blob_len, &seal_len); // in this unseal is OK
    if (ret != SGX_SUCCESS) {
        sgx_destroy_enclave(global_eid);
        return;
    }

    getchar();
    sgx_destroy_enclave(global_eid);
}

void doLoad() {
	const int SEAL_MAX_BLOB_SIZE = 1024;
	sgx_status_t ret = SGX_SUCCESS;
	int updated = 0;
	uint32_t err;
	unsigned char blob[SEAL_MAX_BLOB_SIZE] = {0};
	unsigned char sealedBlob[SEAL_MAX_BLOB_SIZE] = {0};
	int blob_len, seal_len;
	seal_len = 0;
	blob_len = SEAL_MAX_BLOB_SIZE;

	long length = load_file("file.dat", sealedBlob);

	seal_len = length;

	sgx_status_t resl = sgx_create_enclave(ENCLAVE_NAME, 1, &token, &updated, &global_eid, NULL);
	if (resl != SGX_SUCCESS) {
		cout << "FAIL: creation of enclave" << endl;
		return;
	}

	ret = enclave_experimentLoad(global_eid, &err, sealedBlob, blob_len, &seal_len);
	if (ret != SGX_SUCCESS) {
		sgx_destroy_enclave(global_eid);
		return;
	}

	cout << "loading main done" << endl;
	getchar();
	sgx_destroy_enclave(global_eid);
}

Enclave.cpp

uint32_t enclave_experiment(unsigned char *blob, int blob_len, int *seal_len) {	
	const int ENCODING_LEN = 56;
	int need_len, plain_len, ret;
	char buf[616];
	char plain[ENCODING_LEN] = "Hello";

	need_len = sgx_calc_sealed_data_size(0, ENCODING_LEN);
	if (sizeof buf < need_len) {
		return -1;
	}

	if (sgx_seal_data(0, NULL, ENCODING_LEN, (uint8_t *)plain, need_len, (sgx_sealed_data_t *)buf)) {
		return -1;
	}
	memcpy(blob, buf, need_len);
	memcpy(seal_len, &need_len, sizeof(&need_len));


	print("ENCLAVE: attempting unseal on blob\n");
	char plainForUnseal[ENCODING_LEN] = {0};
	plain_len = sizeof plainForUnseal;
	if(sgx_unseal_data((const sgx_sealed_data_t *)blob, NULL, NULL, (uint8_t *)plainForUnseal, (uint32_t *)&plain_len))
		print("ENCLAVE: unseal failed\n");
	print("ENCLAVE: unseal SUCCESS\n");

	printData("ENCLAVE: secret is %s\n", plainForUnseal);
	return 0;

}

// this succeeds when unseal and seal is done in one run, but if blob is from a loaded file it fails
// with SGX_ERROR_INVALID_PARAMETER
uint32_t enclave_experimentLoad(unsigned char *blob, int blob_len, int *seal_len) {

	const int ENCODING_LEN = 56;
	int need_len, plain_len, ret;
	char buf[616];
	char plainForUnseal[ENCODING_LEN] = {0};

	need_len = sgx_calc_sealed_data_size(0, ENCODING_LEN);
	memcpy(seal_len, &need_len, sizeof(&need_len));
	plain_len = sizeof plainForUnseal;

	sgx_status_t res = sgx_unseal_data((const sgx_sealed_data_t *) blob, NULL, NULL, (uint8_t *)plainForUnseal, (uint32_t *)&plain_len);
	if (res == SGX_ERROR_INVALID_PARAMETER) {
		print("ENCLAVE: SGX_ERROR_INVALID_PARAMETER\n");
		return -1;
	}
	if (res == SGX_ERROR_INVALID_CPUSVN) {
		print("ENCLAVE: SGX_ERROR_INVALID_CPUSVN\n");
		return -1;
	}
	if (res == SGX_ERROR_INVALID_ISVSVN) {
		print("ENCLAVE: SGX_ERROR_INVALID_ISVSVN\n");
		return -1;
	}
	if (res == SGX_ERROR_MAC_MISMATCH) {
		print("ENCLAVE: SGX_ERROR_MAC_MISMATCH\n");
		return -1;
	}
	if (res == SGX_ERROR_OUT_OF_MEMORY) {
		print("ENCLAVE: SGX_ERROR_OUT_OF_MEMORY\n");
		return -1;
	}
	if (res == SGX_ERROR_UNEXPECTED) {
		print("ENCLAVE: SGX_ERROR_UNEXPECTED\n");
		return -1;
	}
	print("ENCLAVE: unseal SUCCESS\n");

	printData("ENCLAVE: secret is %s\n", plainForUnseal);

	print("ENCLAVE: DONE\n");
	return 0;
}

and finally the utilities

int write_file(char const* path, unsigned char *data, int length) {
	FILE *file = fopen(path, "w");
	int ret = fwrite(data, sizeof(unsigned char), length, file);
	if (ret != length) {
	    printf("write_file: Error %d\n", ret);
	}
	fclose(file);
	return 0;
}

long load_file(char const* path, unsigned char *buf)
{
    long length;
    FILE * f = fopen (path, "rb"); //was "rb"
    if (!f)
    {
      return 1;
    }
	fseek (f, 0, SEEK_END);
	length = ftell (f);
	fseek (f, 0, SEEK_SET);

	unsigned char *buffer = new unsigned char[length]();
	fread (buffer, sizeof(unsigned char), length, f);
	fclose (f);

    memcpy(buf, buffer, length);
    return length;
}

0 Kudos
4 Replies
Surenthar_S_Intel
1,440 Views

Hi,

However, when loading this file and unsealing its contents, SGX_ERROR_INVALID_PARAMETER is returned by sgx_unseal_data(). I might have done something wrong, so here are snippets of my code. -

SGX_ERROR_INVALID_PARAMETER:
Indicates an error if the parameters do not meet any of the following conditions:

  • If additional_mactext_length is non-zero, p_additional_mactext cannot be NULL.
  • p_additional_mactext buffer can be within or outside the enclave, but cannot cross the enclave boundary.
  • p_decrypted_text and p_decrypted_text_length must be within the enclave.
  • p_decrypted_text and p_additional_mactext buffer must be big enough to receive the decrypted data.
  • p_sealed_data buffer must be within the enclave.

It seems the saved encrypted data is corrupted at some point; trying again, at times the load succeeds. Then at times the error is SGX_ERROR_MAC_MISMATCH -

SGX_ERROR_MAC_MISMATCH indicates an error: "The tag verification failed during unsealing. The error may be caused by a platform update, software update, or sealed data blob corruption. This error is also reported if other corruption of the sealed data structure is detected".

From your previous load function corrected your blob, so you're getting this error.

-Surenthar 

0 Kudos
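
An added example, not part of any post in this thread and not Intel sample code: binary-safe save and load helpers for a sealed blob on the untrusted side, with the length checks that keep a damaged or oversized file from reaching sgx_unseal_data(). The names save_blob, load_blob, text_mode_growth and sample_blob are hypothetical, and the 616-byte buffer is a constructed stand-in for sealed data, sized like the enclave's buf[616] above.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Write exactly len bytes in binary mode. In text mode ("w") a Windows C
// runtime rewrites each 0x0A as 0x0D 0x0A, changing ciphertext and length.
bool save_blob(const char *path, const uint8_t *data, size_t len) {
    FILE *f = std::fopen(path, "wb");
    if (!f) return false;
    bool ok = std::fwrite(data, 1, len, f) == len;
    if (std::fclose(f) != 0) ok = false;
    return ok;
}

// Load the file only if it fits in cap and is read completely.
// Returns the byte count, or -1 on any failure (never a fake length).
long load_blob(const char *path, uint8_t *buf, size_t cap) {
    FILE *f = std::fopen(path, "rb");
    if (!f) return -1;
    long len = -1;
    if (std::fseek(f, 0, SEEK_END) == 0) len = std::ftell(f);
    if (len <= 0 || (size_t)len > cap || std::fseek(f, 0, SEEK_SET) != 0) {
        std::fclose(f);
        return -1;
    }
    size_t n = std::fread(buf, 1, (size_t)len, f);
    std::fclose(f);
    return n == (size_t)len ? len : -1;
}

// Bytes a text-mode write on Windows would add to this buffer.
size_t text_mode_growth(const uint8_t *data, size_t len) {
    size_t extra = 0;
    for (size_t i = 0; i < len; ++i)
        if (data[i] == 0x0A) ++extra;
    return extra;
}

// Constructed 616-byte stand-in for a sealed blob (not real SGX output).
std::vector<uint8_t> sample_blob() {
    std::vector<uint8_t> b(616);
    for (size_t i = 0; i < b.size(); ++i) b[i] = (uint8_t)(i * 7 + 3);
    return b;
}
```

On the constructed buffer text_mode_growth returns 3, so a text-mode write on Windows would produce a 619-byte file whose bytes no longer match what was sealed.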
glenn_t_
Beginner
1,440 Views

I was having a similar problem and was using int rather than size_t.  On Linux size_t is an unsigned long integer where int is 4 bytes.  Changing that fixed the error.

0 Kudos
Tom__Jimmy
Beginner
1,440 Views

I also encountered the same problem. My code was copied from the official SealUnseal project. The official SealUnseal project runs without any errors, and the project I copied returns the SGX_ERROR_MAC_MISMATCH error when executing the sgx_unseal_data function. My code and the official SealUnseal project are the same. I don't know what the problem is, please help me, thank you.

0 Kudos
JesusG_Intel
Moderator
1,440 Views

Hello jimmy518inchina,

Please provide your code so we can reproduce your issue.

Regards,

Jesus

Intel Customer Support

0 Kudos