Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1521 Discussions

sgx_create_pse_session fails

shivani_g_
Beginner
‎09-09-2016 10:00 AM
2,159 Views

Hello

I have been trying to use sgx_get_trusted_time function for which I need to create a pse session before calling. Whenever I call sgx_create_pse_session() I get SGX_ERROR_SERVICE_UNAVAILABLE error.

I have several doubts regarding PSE session :

  • I'm not entirely sure what PSE session is for
  • Why would some platforms support it and some don't. Is it hardware depended? Can I make my platform support it?
  • I tried using sgx_get_ps_cap(), but it return SGX_ERROR_SERVICE_UNAVAILABLE. How can I resolve that?
  • If Remote Attestation makes use of Platform Services, what difference does that make. Exactly what services does it refer to.
0 Kudos

Link Copied

8 Replies
Surenthar_S_Intel
Employee
‎09-10-2016 04:40 AM
2,159 Views

Hi,

#1. I'm not entirely sure what PSE session is for

                The caller should make sure a PSE session has been established using sgx_create_pse_session before attempting to establish a
remote attestation and key exchange session involving platform service information.

#2. Why would some platforms support it and some don't. Is it hardware depended? Can I make my platform support it?

                Some platforms do not have firmware support for platform services enclave, which would cause this function to fail. In this case, you should set b_pse=false and call enclave_init_ra again and make a code path where sgx_create_pse_session() is not called.

#3. I tried using sgx_get_ps_cap(), but it return SGX_ERROR_SERVICE_UNAVAILABLE. How can I resolve that?
                There seems something wrong with the platform service configuration. And this problem is solved after I reinstalled the Intel management engine component and sgx platform service.

#4. If Remote Attestation makes use of Platform Services, what difference does that make. Exactly what services does it refer to.

  • sgx_create_pse_session creates a session with the PSE.
  • Syntax:    sgx_status_t sgx_create_pse_session(void);
  • Description:  An Intel® SGX enclave first calls sgx_create_pse_session()in the process to request platform service. It's suggested that the caller should wait (typically several seconds to tens of seconds) and retry this API if SGX_ERROR_BUSY is returned. Refer page no 168 in Intel-SGX-SDK-Users-Guide-for-Windows-OS.pdf

The PSE is an architectural enclave provided by the SDK. It supplies useful services, specifically trusted time and a monotonic counter. These can be used for replay protection during nonce generation and for securely calculating the length of time for which a secret shall be valid. To use the PSE, the enclave function should call the trusted SDK functions sgx_create_pse_session() and sgx_close_pse_session() before and after sgx_ra_init() respectively.

-Surenthar

0 Kudos
Copy link
shivani_g_
Beginner
‎09-13-2016 05:07 PM
2,159 Views

Thank You Surenthar

I just realized that Platform Services are not available for Linux OS (mentioned at- https://01.org/sites/default/files/downloads/intelr-software-guard-extensions-linux-os/sgx-psw-release-notes-linux-os.pdf).

I need to calculate the time or clock cycles taken by a particular instruction inside the enclave, but I'm unable to use trusted time function (which anyway returns time in second, whereas execution time is in nanoseconds). The trusted time.h library does not support clock_gettime() and I'm also not able to use rdtsc instruction inside enclave (it gives error - Illegal instruction (core dumped)). Can you suggest me any other way to measure inside the enclave.

0 Kudos
Copy link
greubel__andre
Beginner
‎11-28-2017 09:36 AM
2,159 Views

Hi,

I have the same problem and also can´t figure out why it isn´t working.

Setup:

- System: Windows 10 on a Lenovo Thinkpad T470s
- SGX: SGX was enabled in BIOS, PSW and SDK version 1.9.100.41172 are installed
- DEV Environment: Visual Studio 2015 Enterprise, set to prerelease mode

Minimal Example Routine:

1. call sgx_create_enclave in APP (result: SGX_SUCESS)
2. call sgx_enable_device in App (result: SGX_SUCESS, output: SGX_ENABLED)
3. call sgx_create_pse_session in Enclave (result: 0x4001 SGX_ERROR_SERVICE_UNAVAILABLE)


I already have re-installed PSW, SDK and the "Intel management engine component" (from this source: https://www.dell.com/support/home/de/de/debsdt1/drivers/driversdetails?driverId=X37VM) and rebootet my device, however, the problem persists 

Same result in debug mode. It does work in Simulation mode, however, this should be expected as the PSE enclave is not really called here.

Any suggestions for a reason for this behaviour / solution to the problem would be appreciated.

edit: I tested the exact same program on a Thinkpad T570 and another T470 and it worked without problems there, which confuses me even more, but at least shows that the error is not in the calling routine itself.. 

 

 

0 Kudos
Copy link
David_Z_3
Beginner
‎11-29-2017 06:59 AM
2,159 Views

I have the same problem on HP EliteDesk i7 6700 running windows 7.

I try to create monotonic counter so I call first sgx_create_pse_session()  but I'm always getting error code ERROR_SERVICE_UNAVAILABLE

Any ideas ?

Thanks

0 Kudos
Copy link
greubel__andre
Beginner
‎11-30-2017 03:04 AM
2,159 Views
Running the Lenovo System Update Tool updated some drivers including the Intel Management Enginge to 11.7 (the linked version above was 1.5). Though it didn´t work with IME 1.7 at the point the system was set up, but now it does somehow... Anyway, problem is fixed.
0 Kudos
Copy link
David_Z_3
Beginner
‎11-30-2017 03:44 AM
2,159 Views

after  installation of Intel Management Engine Component the error  ERROR_SERVICE_UNAVAILABLE sgx_create_pse_session disappear BUT now I got a new one "SGX_ERROR_NETWORK_FAILURE"  does it mean that in order to use monotonic counter we must have internet connection ??

If yes it's seems to be a big constraint 

Any help will be welcome

0 Kudos
Copy link
André_E_
Beginner
‎01-31-2018 08:32 AM
2,159 Views

 

Hi guys,

I also got the same SGX_ERROR_NETWORK_FAILURE while using sgx_create_pse_session() in order to use sgx_get_trusted_time().

Why should I need an internet connection to get a trusted time from within the enclave?

Thanks in advance for any help!

0 Kudos
Copy link
Junli_S_Intel
Employee
‎02-04-2020 02:38 AM
2,159 Views

Before you call Trusted Time or Monotonic Counter service, you need establish the session between PSE and CSME, and an ephemeral session between PSE and App enclave . And during the session establish(between PSE and PSE) process, need make sure the enclave and CSME are in good security status. To make sure it, it is need to involve the Intel Attestation Server. So you need access the internet.  And only the first time, the internet access is needed during session established between PSE and CSME. 

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.