Hello
I have been trying to use the sgx_get_trusted_time function, for which I need to create a PSE session before calling it. Whenever I call sgx_create_pse_session() I get an SGX_ERROR_SERVICE_UNAVAILABLE error.
I have several doubts regarding the PSE session:
- I'm not entirely sure what a PSE session is for.
- Why would some platforms support it and some not? Is it hardware dependent? Can I make my platform support it?
- I tried using sgx_get_ps_cap(), but it returns SGX_ERROR_SERVICE_UNAVAILABLE. How can I resolve that?
- If Remote Attestation makes use of Platform Services, what difference does that make? Exactly what services does it refer to?
Hi,
#1. I'm not entirely sure what PSE session is for
The caller should make sure a PSE session has been established using sgx_create_pse_session before attempting to establish a remote attestation and key exchange session involving platform service information.
#2. Why would some platforms support it and some don't. Is it hardware dependent? Can I make my platform support it?
Some platforms do not have firmware support for the platform services enclave, which would cause this function to fail. In this case, you should set b_pse=false, call enclave_init_ra again, and make a code path where sgx_create_pse_session() is not called.
#3. I tried using sgx_get_ps_cap(), but it returns SGX_ERROR_SERVICE_UNAVAILABLE. How can I resolve that?
There seems to be something wrong with the platform service configuration. This problem was solved after I reinstalled the Intel management engine component and the SGX platform service.
#4. If Remote Attestation makes use of Platform Services, what difference does that make. Exactly what services does it refer to.
- sgx_create_pse_session creates a session with the PSE.
- Syntax: sgx_status_t sgx_create_pse_session(void);
- Description: An Intel® SGX enclave first calls sgx_create_pse_session() in the process to request platform service. It's suggested that the caller should wait (typically several seconds to tens of seconds) and retry this API if SGX_ERROR_BUSY is returned. Refer to page no. 168 in Intel-SGX-SDK-Users-Guide-for-Windows-OS.pdf
The PSE is an architectural enclave provided by the SDK. It supplies useful services, specifically trusted time and a monotonic counter. These can be used for replay protection during nonce generation and for securely calculating the length of time for which a secret shall be valid. To use the PSE, the enclave function should call the trusted SDK functions sgx_create_pse_session() and sgx_close_pse_session() before and after sgx_ra_init() respectively.
-Surenthar
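The retry and fallback handling described in the answer above, as an added example that is not part of the original post or of Intel's SDK. The `sgx_status_t` stand-in, the `wait_fn` callback, `open_pse_or_fallback` and the fake openers are assumptions made so the logic can be built without the SGX SDK; in an enclave you would pass `sgx_create_pse_session` as the opener.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for the SDK's sgx_status_t so this builds without the SGX SDK.
   0x4001 is the value quoted in this thread; the SGX_ERROR_BUSY number is a
   placeholder. In a real enclave include sgx_tae_service.h instead. */
typedef enum {
    SGX_SUCCESS = 0,
    SGX_ERROR_SERVICE_UNAVAILABLE = 0x4001,
    SGX_ERROR_BUSY = 0x400a
} sgx_status_t;

typedef sgx_status_t (*pse_open_fn)(void); /* shape of sgx_create_pse_session */
typedef void (*wait_fn)(void);             /* hypothetical: OCALL that sleeps */

/* Outcome the caller acts on; b_pse is the flag handed to enclave_init_ra. */
typedef struct {
    sgx_status_t status; /* last status returned by the open call */
    bool b_pse;          /* true only if a PSE session is now open */
    int attempts;        /* number of times the open call was made */
} pse_result_t;

/* Try to open a PSE session. SGX_ERROR_BUSY is retried up to max_attempts.
   SGX_ERROR_SERVICE_UNAVAILABLE (or any other error) stops at once with
   b_pse = false, i.e. no trusted time or monotonic counter is available. */
pse_result_t open_pse_or_fallback(pse_open_fn open, wait_fn wait, int max_attempts)
{
    pse_result_t r = { SGX_ERROR_BUSY, false, 0 };
    while (r.attempts < max_attempts) {
        r.status = open();
        r.attempts++;
        if (r.status == SGX_SUCCESS) { r.b_pse = true; break; }
        if (r.status != SGX_ERROR_BUSY) break; /* not transient: do not retry */
        if (wait != NULL && r.attempts < max_attempts) wait();
    }
    return r;
}

/* Constructed fakes standing in for the platform, for demonstration only. */
static int busy_left = 2;
sgx_status_t fake_busy_then_ok(void)
{
    return busy_left-- > 0 ? SGX_ERROR_BUSY : SGX_SUCCESS;
}
sgx_status_t fake_no_pse(void) { return SGX_ERROR_SERVICE_UNAVAILABLE; }
sgx_status_t fake_always_busy(void) { return SGX_ERROR_BUSY; }
```

When `b_pse` comes back true, the session still has to be closed with `sgx_close_pse_session()` after `sgx_ra_init()`, as the answer states.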
Thank you, Surenthar.
I just realized that Platform Services are not available for Linux OS (mentioned at https://01.org/sites/default/files/downloads/intelr-software-guard-extensions-linux-os/sgx-psw-release-notes-linux-os.pdf).
I need to calculate the time or clock cycles taken by a particular instruction inside the enclave, but I'm unable to use the trusted time function (which anyway returns time in seconds, whereas execution time is in nanoseconds). The trusted time.h library does not support clock_gettime() and I'm also not able to use the rdtsc instruction inside the enclave (it gives the error "Illegal instruction (core dumped)"). Can you suggest any other way to measure inside the enclave?
Hi,
I have the same problem and also can't figure out why it isn't working.
Setup:
- System: Windows 10 on a Lenovo Thinkpad T470s
- SGX: SGX was enabled in BIOS, PSW and SDK version 1.9.100.41172 are installed
- DEV Environment: Visual Studio 2015 Enterprise, set to prerelease mode
Minimal Example Routine:
1. call sgx_create_enclave in App (result: SGX_SUCCESS)
2. call sgx_enable_device in App (result: SGX_SUCCESS, output: SGX_ENABLED)
3. call sgx_create_pse_session in Enclave (result: 0x4001 SGX_ERROR_SERVICE_UNAVAILABLE)
I have already re-installed the PSW, the SDK and the "Intel management engine component" (from this source: https://www.dell.com/support/home/de/de/debsdt1/drivers/driversdetails?driverId=X37VM) and rebooted my device; however, the problem persists.
Same result in debug mode. It does work in Simulation mode; however, this should be expected as the PSE enclave is not really called here.
Any suggestions for a reason for this behaviour / solution to the problem would be appreciated.
edit: I tested the exact same program on a Thinkpad T570 and another T470 and it worked without problems there, which confuses me even more, but at least shows that the error is not in the calling routine itself.
I have the same problem on an HP EliteDesk i7 6700 running Windows 7.
I am trying to create a monotonic counter, so I first call sgx_create_pse_session(), but I always get the error code ERROR_SERVICE_UNAVAILABLE.
Any ideas?
Thanks
After installation of the Intel Management Engine Component, the ERROR_SERVICE_UNAVAILABLE error from sgx_create_pse_session disappeared, BUT now I get a new one, "SGX_ERROR_NETWORK_FAILURE". Does it mean that in order to use the monotonic counter we must have an internet connection?
If yes, it seems to be a big constraint.
Any help will be welcome.
Hi guys,
I also got the same SGX_ERROR_NETWORK_FAILURE while using sgx_create_pse_session() in order to use sgx_get_trusted_time().
Why should I need an internet connection to get a trusted time from within the enclave?
Thanks in advance for any help!
Before you call the Trusted Time or Monotonic Counter service, you need to establish the session between PSE and CSME, and an ephemeral session between PSE and the App enclave. During the session establishment (between PSE and PSE) process, you need to make sure the enclave and CSME are in good security status. To make sure of this, the Intel Attestation Server needs to be involved, so you need to access the internet. Internet access is needed only the first time, during session establishment between PSE and CSME.
