Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

service unavailable: sgx_get_extended_epid_group_id

Rodel
Beginner
490 Views

Hi,

 

We recently noticed that our "working" attestation code doesn't work anymore.  Our SDK/PSW version is still 2.12 and we are using v3 of the attestation service.  In one of the attestation protocol exchanges, when we call sgx_get_extended_epid_group_id, the API returns the following:

SGX_ERROR_SERVICE_UNAVAILABLE       = SGX_MK_ERROR(0x4001),   /* Indicates aesm didn't respond or the requested service is not supported */

Are there any changes in the attestation service lately?

Thanks!

 

Kind Regards,

Rodel

0 Kudos
1 Solution
JesusG_Intel
Moderator
443 Views

Hello Rodel,


What is the output from:

$ uname -r

$ cat /var/log/syslog | grep -i aesm


Please install the latest version of the PSW.


Install all of the libraries from the Intel® Software Guard Extensions (Intel® SGX) PSW for Ubuntu*:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx_uae_service


Run sudo apt list --installed | grep sgx to ensure that you have the latest version, 2.13, of the PSW packages.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

6 Replies
ChrisB_Intel
Moderator
467 Views

Have you double check that aesmd is running, and check the syslog for aesmd messages?


ps aux | grep -i aesm

sudo systemctl start aesmd

cat /var/log/syslog | grep -i aesm


Thanks

Chris



Rodel
Beginner
453 Views

Hi Chris,

 

Thanks for the response.  Yes, the aesmd service is running.  I am running the app in a cloud provider.  Not sure if there's some incompatibility issues with their latest Ubuntu 18.04 image with the driver and PSW.  We were able to run the same app a few months ago though.

 

Also, BTW, I did not see any attestation APIs being called by our app yet (from the portal), since the error happens at the very beginning of the attestation protocol.

 

Kind Regards,

Rodel

JesusG_Intel
Moderator
444 Views

Hello Rodel,


What is the output from:

$ uname -r

$ cat /var/log/syslog | grep -i aesm


Please install the latest version of the PSW.


Install all of the libraries from the Intel® Software Guard Extensions (Intel® SGX) PSW for Ubuntu*:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx_uae_service


Run sudo apt list --installed | grep sgx to ensure that you have the latest version, 2.13, of the PSW packages.


Sincerely,

Jesus G.

Intel Customer Support


Rodel
Beginner
433 Views

Hi Jesus,

 

I have found out the issue.  It's because of varying PSW libraries.  We have built our production binaries last Dec. (with SDK 2.12) and the PSW library 2.12 versions that we installed using apt-get were only for libsgx-urts, libsgx-epid, and libsgx-quote-ex.  The others were installed automatically with 2.13.3.  So, in this case we would have to make sure our installer will use specific versions only.  Can I confirm that these are the only services that we need to tag to 2.13.103.1-bionic1? 

For example

sudo apt-get install libsgx-launch=2.13.103.1-bionic1 libsgx-urts=2.13.103.1-bionic1 libsgx-epid=2.13.103.1-bionic1 libsgx-quote-ex=2.13.103.1-bionic1 libsgx_uae_service=2.13.103.1-bionic1

The reason I want to make sure it stays on this version, is that our binaries will be compiled with the SDK that's compatible with this PSW version.  When Intel releases PSW 2.14, our compiled binaries will not be compatible with with this version anymore.

 

For now, my work-around is to sync the PSW and SDK version.  When I deploy my installer next time, if there's a new PSW libary/app, my installer should stay with 2.13.  Will this work?

 

Thanks a lot for your help!  

 

Kind Regards,

Rodel

JesusG_Intel
Moderator
424 Views

Hello Rodel,


Intel recommends to always use the latest versions of the PSW and SDK for several reasons.


  1. The new versions of these components have the latest bug and security fixes. For this reason alone, it is crucial for ISVs to keep up with the new versions.
  2. Though we generally try to maintain backward compatibility, there have been instances over time where things changed together and both, the SDK and PSW, need to be updated. We also do not do cross version testing in validation. If you decide to mix versions it is up to you to do your own validation and testing of old SDK build/newer PSW.
  3. During remote attestation, the IAS will detect an outdated PSW and will report an "OUT_OF_DATE" response.


Ultimately, it is up to you to decide whether to update the SDK and PSW based on the release notes for each.


Again, Intel recommends to always use the latest versions which have the latest bug and security updates.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
406 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


Reply