Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1540 Discussions

verify SGX quote fail with a006

gslv
Beginner
‎08-05-2025 11:24 PM
2,995 Views
Solved Jump to solution

I try to use RATS-TLS which installed in a non-intel platform to verify remote SGX server's quote, but failed with code e019, below is log of the failure with all quote raw data, I want to know how to debug the error? is there any tool which can be used to verify the quote raw data? does the remote SGX server need to registered before verification? if needed i can provide quote information.root@ubuntu:/usr/share/rats-tls/samples# ./rats-tls-client -v sgx_ecdsa -a csv -i 172.31.13.40 -p 12348
Welcome to RATS-TLS sample client
the  wrapper 'openssl' selected
the enclave attester 'csv' selected
 the enclave verifier 'sgx_ecdsa' selected
the tls wrapper 'openssl' selected
sgx qv gets quote supplemental data size successfully.
failed to verify quote by sgx qv: e019
failed to verify quote by sgx qv: a006
failed to verify quote by sgx qv: 0001
failed to verify ecdsa
failed to verify evidence 0xb000e019
failed to verify evidence: 0xeffffffd
failed to verify certificate extension 0xeffffffd
failed to connect -1, SSL_get_error(): 1
Failed to negotiate 0x907fffff

Labels (1)
Labels:
0 Kudos
1 Solution
Benny_Intel
Moderator
‎08-14-2025 04:15 AM
2,293 Views
Solved Jump to solution

Hello,

attestation consists of two steps:

  1. Quote generation
  2. Quote verification

Quote generation always happens on the machine with the TEE - Intel SGX in this case. Registration is a pre-requisite and quote generation collateral (i.e., the PCK Certificate) must be present during quote generation. This quote generation collateral can be in a local caching file, inside a collateral caching service (e.g. PCCS), or retrieved from the PCS.

Quote verification can happen on an arbitrary machine. which does not need a TEE. Registration is not required, but quote verification collateral (e.g., TCB Info and QE identity) must be present during quote verification. The quote verification collateral should be inside a collateral caching service (e.g. PCCS).

You'll find a lot more details in our Intel TDX Enabling Guide. As the attestation process is the same for Intel SGX and Intel TDX, the information is also valid for Intel SGX.

For issues regarding the RATS-TLS implementation from Inclavare Containers (https://github.com/inclavare-containers/rats-tls), please create a GitHub issue in the project.

Best regards,
Benny

View solution in original post

0 Kudos
Copy link

Link Copied

6 Replies
gslv
Beginner
‎08-05-2025 11:32 PM
2,928 Views
Solved Jump to solution

below is the quote raw data,                                                                                                                                                                                          ===== Quote Raw Data (4734 bytes) =====
03000200000000000b001000939a7233f79c4ca9940a0db3957f0607dc038847
9a4cdaffa9695bb2e0676eae000000000b0f100fffff00000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0700000000000000e700000000000000c1ed5282e337080fb4c67f9211a4982a
f02123fe8aed663b49eda486c1a5dee700000000000000000000000000000000
0000000000000000000000000000000083d719e77deaca1470f6baf62a4d7743
03c899db69020f9c70ee1dfc08c7ce9e00000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000269daff7d9d1bbff4711f98adf7f46cf
45ba948bc5903c5c955bcb90b9afab3300000000000000000000000000000000
00000000000000000000000000000000ca10000044fca6643f127f380a3d419f
bdb1caf9e95311e6cc68c53821c66ce269b0c59bde66b3e82b40ab0c493e293b
1b2553fda2864baaff3b41519300f8ccd0608dba82e5f97a0cde5abb89c11c12
44ecf3e58ab84465445630b6b36312cb494625951d991bf72f8bb23a91d98e14
3212905dc6daebbe648df20f97465637dfcff2e60b0f100fffff000000000000
0000000000000000000000000000000000000000000000000000000000000000
000000001500000000000000e70000000000000078fe8cfd01095a0f108aff5c
40624b93612d6c28b73e1a8d28179c9ddf0e0686000000000000000000000000
00000000000000000000000000000000000000008c4f5775d796503e96137f77
c68a829a0056ac8ded70140b081b094490c57bff000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000001000b000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000918b15f6f0d18f034de308c6
773763837c7464aee5f61182f3255d0c20c1e823000000000000000000000000
000000000000000000000000000000000000000049804d34f6226096db9d164f
2e100195a736c381d4f1660d8f5f6f1296d188be34ca79491e4fe4805a4a257f
ca4d0e770265749427a39cd42bf31aca97dc4983200000010203040506070809
0a0b0c0d0e0f101112131415161718191a1b1c1d1e1f0500620e00002d2d2d2d
2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494539444343
424a6d674177494241674956414d6170545171756867316442504338304d4754
6c653774755774704d416f4743437147534d343942414d430a4d484178496a41
6742674e5642414d4d47556c756447567349464e485743425151307367554778
6864475a76636d306751304578476a415942674e5642416f4d0a45556c756447
567349454e76636e4276636d4630615739754d52517745675944565151484441
74545957353059534244624746795954454c4d416b47413155450a4341774351
304578437a414a42674e5642415954416c56544d423458445449314d4467774d
54417a4d6a63774e316f5844544d794d4467774d54417a4d6a63770a4e316f77
634445694d434147413155454177775a535735305a5777675530645949464244
537942445a584a3061575a70593246305a5445614d426747413155450a436777
52535735305a577767513239796347397959585270623234784644415342674e
564241634d43314e68626e526849454e7359584a684d517377435159440a5651
514944414a445154454c4d416b474131554542684d4356564d77575441544267
6371686b6a4f5051494242676771686b6a4f50514d4242774e434141544c0a74
6c556b2b565074655336657578332f667675793631754f4a555834535a4a4f69
7152617333537a7356775533674e5a2b445849507a41372b52695376466d6c0a
333145367638523343776534545452446d5658526f344944446a434341776f77
487759445652306a42426777466f41556c5739647a62306234656c4153636e55
0a3944504f4156634c336c5177617759445652306642475177596a42676f4636
6758495a616148523063484d364c79396863476b7564484a316333526c5a484e
6c0a636e5a705932567a4c6d6c75644756734c6d4e766253397a5a3367765932
567964476c6d61574e6864476c76626939324e4339775932746a636d772f5932
45390a6347786864475a76636d306d5a57356a62325270626d63395a4756794d
42304741315564446751574242525379424443385043576646314d7335566b4f
6336370a623564703344414f42674e56485138424166384542414d4342734177
44415944565230544151482f4241497741444343416a73474353714753496234
5451454e0a41515343416977776767496f4d4234474369714753496234545145
4e4151454545424457776b757878504a37323256626676393074423477676746
6c42676f710a686b69472b453042445145434d4949425654415142677371686b
69472b4530424451454341514942437a415142677371686b69472b4530424451
4543416749420a437a415142677371686b69472b453042445145434177494241
7a415142677371686b69472b4530424451454342414942417a41524267737168
6b69472b4530420a4451454342514943415038774551594c4b6f5a496876684e
41513042416759434167442f4d42414743797147534962345451454e41514948
416745414d4241470a43797147534962345451454e41514949416745414d4241
4743797147534962345451454e4151494a416745414d42414743797147534962
345451454e4151494b0a416745414d42414743797147534962345451454e4151
494c416745414d42414743797147534962345451454e4151494d416745414d42
414743797147534962340a5451454e4151494e416745414d4241474379714753
4962345451454e4151494f416745414d42414743797147534962345451454e41
514950416745414d4241470a43797147534962345451454e4151495141674541
4d42414743797147534962345451454e415149524167454e4d42384743797147
534962345451454e415149530a4242414c43774d442f2f384141414141414141
41414141414d42414743697147534962345451454e41514d45416741414d4251
4743697147534962345451454e0a41515145426a426761674141414441504267
6f71686b69472b45304244514546436745424d42344743697147534962345451
454e4151594545423944364e77460a52473541453054506c776a5832556f7752
41594b4b6f5a496876684e41513042427a41324d424147437971475349623454
51454e415163424151482f4d4241470a43797147534962345451454e41516343
4151482f4d42414743797147534962345451454e415163444151482f4d416f47
43437147534d343942414d4341306b410a4d4559434951445961465767707942
6f6d31565734524b32535876486e36437343367439416972436a5134446e7949
4242514968414e4969554864697a644f670a666d496f4d394d51585254755054
5772317a3246496b776e37413731697642550a2d2d2d2d2d454e442043455254
494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e204345525449464943
4154452d2d2d2d2d0a4d4949436c6a4343416a32674177494241674956414a56
7658633239472b487051456e4a3150517a7a674658433935554d416f47434371
47534d343942414d430a4d476778476a415942674e5642414d4d45556c756447
567349464e48574342536232393049454e424d526f77474159445651514b4442
464a626e526c624342440a62334a7762334a6864476c76626a45554d42494741
3155454277774c553246756447456751327868636d4578437a414a42674e5642
41674d416b4e424d5173770a435159445651514745774a56557a416546773078
4f4441314d6a45784d4455774d5442614677307a4d7a41314d6a45784d445577
4d5442614d484178496a41670a42674e5642414d4d47556c756447567349464e
4857434251513073675547786864475a76636d306751304578476a415942674e
5642416f4d45556c75644756730a49454e76636e4276636d4630615739754d52
51774567594456515148444174545957353059534244624746795954454c4d41
6b474131554543417743513045780a437a414a42674e5642415954416c56544d
466b77457759484b6f5a497a6a3043415159494b6f5a497a6a30444151634451
6741454e53422f377432316c58534f0a3243757a7078773734654a4237324579
44476757357258437478327456544c7136684b6b367a2b5569525a436e715237
70734f766771466553786c6d546c4a6c0a65546d693257597a33714f42757a43
427544416642674e5648534d4547444157674251695a517a575770303069664f
44744a5653763141624f536347724442530a42674e5648523845537a424a4d45
656752614244686b466f64485277637a6f764c324e6c636e52705a6d6c6a5958
526c63793530636e567a6447566b633256790a646d6c6a5a584d75615735305a
577775593239744c306c756447567355306459556d397664454e424c6d526c63
6a416442674e5648513445466751556c5739640a7a62306234656c4153636e55
3944504f4156634c336c517744675944565230504151482f4241514441674547
4d42494741315564457745422f7751494d4159420a4166384341514177436759
494b6f5a497a6a30454177494452774177524149675873566b6930772b693656
5947573355462f32327561586530594a446a3155650a6e412b546a4431616935
6343494359623153416d4435786b66545670766f34556f79695359787244574c
6d5552344349394e4b7966504e2b0a2d2d2d2d2d454e44204345525449464943
4154452d2d2d2d2d0a2d2d2d2d2d424547494e2043455254494649434154452d
2d2d2d2d0a4d4949436a7a4343416a53674177494241674955496d554d316c71
644e496e7a6737535655723951477a6b6e42717777436759494b6f5a497a6a30
45417749770a614445614d4267474131554541777752535735305a5777675530
645949464a766233516751304578476a415942674e5642416f4d45556c756447
567349454e760a636e4276636d4630615739754d525177456759445651514844
4174545957353059534244624746795954454c4d416b47413155454341774351
304578437a414a0a42674e5642415954416c56544d423458445445344d445579
4d5445774e4455784d466f58445451354d54497a4d54497a4e546b314f566f77
614445614d4267470a4131554541777752535735305a5777675530645949464a
766233516751304578476a415942674e5642416f4d45556c756447567349454e
76636e4276636d46300a615739754d5251774567594456515148444174545957
353059534244624746795954454c4d416b47413155454341774351304578437a
414a42674e56424159540a416c56544d466b77457759484b6f5a497a6a304341
5159494b6f5a497a6a3044415163445167414543366e45774d4449595a4f6a2f
69505773437a61454b69370a314f694f534c52466857476a626e42564a66566e
6b59347533496a6b4459594c304d784f346d717379596a6c42616c5456597846
5032734a424b357a6c4b4f420a757a43427544416642674e5648534d45474441
57674251695a517a575770303069664f44744a5653763141624f536347724442
5342674e5648523845537a424a0a4d45656752614244686b466f64485277637a
6f764c324e6c636e52705a6d6c6a5958526c63793530636e567a6447566b6332
5679646d6c6a5a584d75615735300a5a577775593239744c306c756447567355
306459556d397664454e424c6d526c636a416442674e56485134454667515549
6d554d316c71644e496e7a673753560a55723951477a6b6e4271777744675944
565230504151482f42415144416745474d42494741315564457745422f775149
4d4159424166384341514577436759490a4b6f5a497a6a304541774944535141
7752674968414f572f35516b522b533943695344634e6f6f774c7550524c7357
47662f59693747535839344267775477670a41694541344a306c72486f4d732b
586f356f2f7358364f39515778485241765a55474f6452513763767152586171
493d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a00

0 Kudos
Copy link
Benny_Intel
Moderator
‎08-06-2025 01:10 AM
2,978 Views
Solved Jump to solution

Hello,

what CPU are you using on the machine with Intel SGX, which generated the Quote? Most certainly, yes, you have to register this machine before creating a quote.

From your output, I assume you are using the RATS-TLS implementation from Inclavare Containers (https://github.com/inclavare-containers/rats-tls). In this case, you might get the best support by opening a GitHub issue there.

Best regards,
Benny

0 Kudos
Copy link
gslv
Beginner
‎08-06-2025 03:23 AM
2,946 Views
Solved Jump to solution
In response to Benny_Intel

Hi Beeny,

Here is the cpu info and microcode info:

CPU, Intel(R) Xeon(R) Gold 6326 CPU @ 2.90GHz. 

microcode, 0xd0003e7.

As i read intel document, it seems this microcode need to be updated to support SGX ecdsa quote verification, should i update microcode? 

 

In response to Benny_Intel
0 Kudos
Copy link
Benny_Intel
Moderator
‎08-06-2025 08:12 AM
2,925 Views
Solved Jump to solution

Hello,

looking at your initial message, the first error you are seeing is a e019. This is an SGX_QL_NETWORK_ERROR/TEE_NETWORK_ERROR error. Please make sure you can reach PCS/PCCS.

Best regards,
Benny

0 Kudos
Copy link
gslv
Beginner
‎08-14-2025 02:07 AM
2,316 Views
Solved Jump to solution
In response to Benny_Intel

Hi Benny,

 

SGX quote be verified by another non-SGX machine, should this non-SGX machine register to PCS and install PCCS for quote verification?  From RATS-TLS  document, it seems only Intel PCAP library is needed to verify quote.

 

 

 

In response to Benny_Intel
0 Kudos
Copy link
Benny_Intel
Moderator
‎08-14-2025 04:15 AM
2,294 Views
Solved Jump to solution

Hello,

attestation consists of two steps:

  1. Quote generation
  2. Quote verification

Quote generation always happens on the machine with the TEE - Intel SGX in this case. Registration is a pre-requisite and quote generation collateral (i.e., the PCK Certificate) must be present during quote generation. This quote generation collateral can be in a local caching file, inside a collateral caching service (e.g. PCCS), or retrieved from the PCS.

Quote verification can happen on an arbitrary machine. which does not need a TEE. Registration is not required, but quote verification collateral (e.g., TCB Info and QE identity) must be present during quote verification. The quote verification collateral should be inside a collateral caching service (e.g. PCCS).

You'll find a lot more details in our Intel TDX Enabling Guide. As the attestation process is the same for Intel SGX and Intel TDX, the information is also valid for Intel SGX.

For issues regarding the RATS-TLS implementation from Inclavare Containers (https://github.com/inclavare-containers/rats-tls), please create a GitHub issue in the project.

Best regards,
Benny

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.