- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We recently noticed that our "working" attestation code doesn't work anymore. Our SDK/PSW version is still 2.12 and we are using v3 of the attestation service. In one of the attestation protocol exchanges, when we call sgx_get_extended_epid_group_id, the API returns the following:
SGX_ERROR_SERVICE_UNAVAILABLE = SGX_MK_ERROR(0x4001), /* Indicates aesm didn't respond or the requested service is not supported */Are there any changes in the attestation service lately?
Thanks!
Kind Regards,
Rodel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Rodel,
What is the output from:
$ uname -r
$ cat /var/log/syslog | grep -i aesm
Please install the latest version of the PSW.
Install all of the libraries from the Intel® Software Guard Extensions (Intel® SGX) PSW for Ubuntu*:
$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx_uae_service
Run sudo apt list --installed | grep sgx to ensure that you have the latest version, 2.13, of the PSW packages.
Sincerely,
Jesus G.
Intel Customer Support
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you double check that aesmd is running, and check the syslog for aesmd messages?
ps aux | grep -i aesm
sudo systemctl start aesmd
cat /var/log/syslog | grep -i aesm
Thanks
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chris,
Thanks for the response. Yes, the aesmd service is running. I am running the app in a cloud provider. Not sure if there's some incompatibility issues with their latest Ubuntu 18.04 image with the driver and PSW. We were able to run the same app a few months ago though.
Also, BTW, I did not see any attestation APIs being called by our app yet (from the portal), since the error happens at the very beginning of the attestation protocol.
Kind Regards,
Rodel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Rodel,
What is the output from:
$ uname -r
$ cat /var/log/syslog | grep -i aesm
Please install the latest version of the PSW.
Install all of the libraries from the Intel® Software Guard Extensions (Intel® SGX) PSW for Ubuntu*:
$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx_uae_service
Run sudo apt list --installed | grep sgx to ensure that you have the latest version, 2.13, of the PSW packages.
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jesus,
I have found out the issue. It's because of varying PSW libraries. We have built our production binaries last Dec. (with SDK 2.12) and the PSW library 2.12 versions that we installed using apt-get were only for libsgx-urts, libsgx-epid, and libsgx-quote-ex. The others were installed automatically with 2.13.3. So, in this case we would have to make sure our installer will use specific versions only. Can I confirm that these are the only services that we need to tag to 2.13.103.1-bionic1?
For example
sudo apt-get install libsgx-launch=2.13.103.1-bionic1 libsgx-urts=2.13.103.1-bionic1 libsgx-epid=2.13.103.1-bionic1 libsgx-quote-ex=2.13.103.1-bionic1 libsgx_uae_service=2.13.103.1-bionic1
The reason I want to make sure it stays on this version, is that our binaries will be compiled with the SDK that's compatible with this PSW version. When Intel releases PSW 2.14, our compiled binaries will not be compatible with with this version anymore.
For now, my work-around is to sync the PSW and SDK version. When I deploy my installer next time, if there's a new PSW libary/app, my installer should stay with 2.13. Will this work?
Thanks a lot for your help!
Kind Regards,
Rodel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Rodel,
Intel recommends to always use the latest versions of the PSW and SDK for several reasons.
- The new versions of these components have the latest bug and security fixes. For this reason alone, it is crucial for ISVs to keep up with the new versions.
- Though we generally try to maintain backward compatibility, there have been instances over time where things changed together and both, the SDK and PSW, need to be updated. We also do not do cross version testing in validation. If you decide to mix versions it is up to you to do your own validation and testing of old SDK build/newer PSW.
- During remote attestation, the IAS will detect an outdated PSW and will report an "OUT_OF_DATE" response.
Ultimately, it is up to you to decide whether to update the SDK and PSW based on the release notes for each.
Again, Intel recommends to always use the latest versions which have the latest bug and security updates.
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page