Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Error while running PCKIDRetrievalTool to verify

leila888
Beginner

Hi, I am setting up DCAP on my Azure VM, using the link https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html
My VM is SGX enabled and the OS is Ubuntu 20.04; the kernel is 5.15 (so, based on the explanations, there is no need to install the DCAP driver). My first question is that I cannot see the DCAP driver when I run:

sudo dmesg | grep sgx
[ 0.555012] sgx: EPC section 0x2c0000000-0x3bfffffff
[ 2.295541] systemd[1]: Set hostname to <sgx-n03>.
[11468.512041] isgx: loading out-of-tree module taints kernel.
[11468.512082] isgx: module verification failed: signature and/or required key missing - tainting kernel
[11468.516710] intel_sgx: Intel SGX Driver v2.11.0
[11468.520319] UBSAN: shift-out-of-bounds in /opt/intel/sgxdriver/package/sgx_main.c:224:11
[11468.526125] sgx_drv_probe.cold+0x16f/0x4b3 [isgx]
[11468.526148] ? sgx_reset_pubkey_hash+0x110/0x110 [isgx]
[11468.526153] init_sgx_module+0x2f/0x90 [isgx]
[11468.529716] intel_sgx INT0E0C:00: EPC bank 0x2c0000000-0x3c0000000
[11468.575432] intel_sgx: second initialization call skipped

why?

Another issue is that when I install and configure PCCS, with my network_setting.conf as follows:

#############################################################
# PCCS server address
# support V3 version PCCS
#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
# support V4 version PCCS
PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
###############################################################


###############################################################
# when access pccs, user need provide the token
user_token =password
###############################################################


###############################################################
# Proxy settings:proxy type could be the following three types
# direct: means no proxy used
# default: system default proxy will be used
# manual: when this type was selected, user need provide the proxy_url

proxy_type = direct
#proxy_type = default
#proxy_type = manual
#proxy_url = http://proxy_url:proxy_port
###############################################################

when I run PCKIDRetrievalTool to verify, I get this problem:

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.15.100.3

Warning: platform manifest is not available or current platform is not multi-package platform.
Error: unexpected error occurred while sending data to cache server.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

and in my pccs-server.log:

2023-01-04 15:38:44.836 [info]: Client Request-ID : 2dbe514c95564f04aca78c3dee2fd713
2023-01-04 15:38:45.190 [info]: Request-ID is : 80a7bb01846d494cb61067ceca5deb2c
2023-01-04 15:38:45.192 [error]: Intel PCS server returns error(404).
2023-01-04 15:38:45.192 [error]: Intel PCS server returns error. Error code : 404
2023-01-04 15:38:45.192 [error]: Error: No cache data for this platform.
at Module.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async LazyCachingMode.registerPlatforms (file:///opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:163:7)
at async Module.registerPlatforms (file:///opt/intel/sgx-dcap-pccs/services/platformsRegService.js:107:3)
at async postPlatforms (file:///opt/intel/sgx-dcap-pccs/controllers/platformsController.js:40:5)
2023-01-04 15:38:45.197 [info]: 127.0.0.1 - - [04/Jan/2023:15:38:45 +0000] "POST /sgx/certification/v4/platforms HTTP/1.1" 404 32 "-" "-"

This is my kernel version:

cat /proc/version
Linux version 5.15.0-1029-azure (buildd@lcy02-amd64-076) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #36~20.04.1-Ubuntu SMP Tue Dec 6 17:00:26 UTC 2022

I'm not sure what the message exactly means. Is it something related to the BIOS? How can I solve the problem?

KFPW_Intel
Moderator

Hi leila888,

Thank you for your interest in Intel® SGX.

Linux kernel versions v5.11 and newer have the SGX driver that supports DCAP built in. You should be able to see the SGX device nodes available, i.e.:

ls -la /dev/sgx*
crw-rw-rw- 1 root root 10, 125 Aug 29 13:38 /dev/sgx_enclave
crw------- 1 root root 10, 126 Aug 29 13:38 /dev/sgx_provision
crw------- 1 root root 10, 124 Aug 29 13:38 /dev/sgx_vepc

Meanwhile, I am sorry that you faced issues when installing and configuring PCCS. Thank you for providing the logs; they are very useful.

There is an article that addresses your issue. Refer to the Article for more information.

You can update the BIOS on the system to the most recent BIOS available from the OEM to make the trusted computing base current.

Hope that the information provided is useful for you. Let us know if you have any questions.

Thank you.

Regards,

Ken


leila888
Beginner

Dear KFPW_Intel,

Thanks for your prompt response.

This is the result of

ls -la /dev/sgx*
crw-rw-rw- 1 root root 10, 125 Jan 6 08:11 /dev/sgx_enclave
crw-rw---- 1 root sgx_prv 10, 126 Jan 6 08:11 /dev/sgx_provision

/dev/sgx:
total 0
drwxr-xr-x 2 root root 80 Jan 6 08:11 .
drwxr-xr-x 20 root root 3980 Jan 6 08:12 ..
lrwxrwxrwx 1 root root 14 Jan 6 08:11 enclave -> ../sgx_enclave
lrwxrwxrwx 1 root root 16 Jan 6 08:11 provision -> ../sgx_provision

in which I cannot see

crw------- 1 root root 10, 124 Aug 29 13:38 /dev/sgx_vepc

Do you know what the issue is?

Besides, I have no idea how I can update the BIOS on a VM, and as you can see my Linux version is

Linux version 5.15.0-1029-azure

not OEM. Would you please guide me with this?

Thanks so much

Junli_S_Intel
Employee

Since your environment is a VM, this is the expected result: there is no /dev/sgx_vepc. You can find this device node on the host.

You don't need to update the BIOS on a VM. In general, the CSP should have done the registration for the platform, but I am not sure why your VM could NOT get PCK certs from Intel PCS. I need time to investigate it.

leila888
Beginner

Thanks Junli_S_Intel

How can I investigate it? Is there anything that I have to do?

KFPW_Intel
Moderator

Hi leila888,

I found this reference that may assist you for your use cases: Quickstart: Create Intel SGX VM in Azure Portal

Based on the reference,

"For DCsv3 and DCdsv3-series Azure VMs, the Intel certificates can only be fetched from THIM, as it is not possible to make direct calls to Intel service from the VMs"

It is suggested to contact their THIM service to assist your platform use cases. This GitHub Azure DCAP Client source may assist you.

Regards,

Ken
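As an added example that is not part of the thread, the following Python checker parses the network_setting.conf and the pccs-server.log lines quoted in the opening post and maps the PCS 404 plus "No cache data for this platform" pair to the cause the replies point at (the platform not being registered with Intel PCS; on Azure DCsv3 VMs certificates come from THIM instead). The finding codes and the URL pattern it accepts are this example's own assumptions, not part of the Intel tools.

```python
import re

# Constructed samples: the network_setting.conf and pccs-server.log lines from the post.
NETWORK_SETTING_CONF = """\
#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
user_token =password
proxy_type = direct
"""
PCCS_LOG = """\
2023-01-04 15:38:45.192 [error]: Intel PCS server returns error(404).
2023-01-04 15:38:45.192 [error]: Error: No cache data for this platform.
2023-01-04 15:38:45.197 [info]: 127.0.0.1 - - [04/Jan/2023:15:38:45 +0000] "POST /sgx/certification/v4/platforms HTTP/1.1" 404 32 "-" "-"
"""

def parse_kv_conf(text):  # KEY=VALUE lines; '#' starts a comment; spaces around '=' tolerated
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_conf(conf):  # finding codes (assumed names) for settings that break or weaken the PCCS connection
    findings = []
    if not re.fullmatch(r"https://[^/]+/sgx/certification/v[34]/platforms", conf.get("PCCS_URL", "")):
        findings.append("bad-pccs-url")      # wrong scheme, host or API version
    if conf.get("USE_SECURE_CERT", "").upper() != "TRUE":
        findings.append("insecure-cert")     # PCCS TLS certificate is not verified; only for a local test PCCS
    return findings

LOG_LINE = re.compile(r"^\S+ \S+ \[(\w+)\]: (.*)$")
def classify_pccs_log(text):  # map the PCCS error lines to the cause discussed in the thread
    pcs_status, no_cache = None, False
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group(1) != "error":
            continue
        s = re.search(r"Intel PCS server returns error\((\d+)\)", m.group(2))
        pcs_status = int(s.group(1)) if s else pcs_status
        no_cache |= "No cache data for this platform" in m.group(2)
    if pcs_status == 404 and no_cache:
        # Intel PCS holds no PCK certs for this platform, i.e. it was never registered there. On a
        # cloud VM that is the CSP's job; Azure DCsv3 VMs must fetch certs from THIM via the Azure DCAP client.
        return "platform-not-registered-at-pcs"
    return f"pcs-error-{pcs_status}" if pcs_status is not None else "no-pcs-error"
```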


leila888
Beginner

Thanks KFPW_Intel.

I have installed the Azure-DCAP-Client and Open Enclave. When I try to run the microsoft-azure-attestation/sgx.attest.sample.intel.sdk sample and the Open Enclave attestation sample, I get these errors, in order:

[get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011
Step1: Call sgx_qe_get_target_info: Error in sgx_qe_get_target_info. 0xe011
make: *** [Makefile:22: run] Error 255

 

sudo make runsgxremote
host/attestation_host sgxremote ./enclave_a/enclave_a.signed ./enclave_b/enclave_b.signed
Host: Creating two enclaves
Host: Enclave library ./enclave_a/enclave_a.signed
Enclave1: ***../common/crypto.cpp(80): mbedtls initialized.
Host: Enclave successfully created.
Host: Enclave library ./enclave_b/enclave_b.signed
Enclave2: ***../common/crypto.cpp(80): mbedtls initialized.
Host: Enclave successfully created.
Host: environment variable SGX_AESM_ADDR is not set


Host: ********** Attest enclave_a to enclave_b **********

Host: Requesting enclave_b format settings
Enclave2: ***../common/dispatcher.cpp(79): get_enclave_format_settings
Host: Requesting enclave_a to generate a targeted evidence with an encryption key
Enclave1: ***../common/dispatcher.cpp(133): get_evidence_with_public_key
Enclave1: ***../common/attestation.cpp(94): oe_serialize_custom_claims
Enclave1: ***../common/attestation.cpp(105): serialized custom claims buffer size: 121
[get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011
2023-01-10T08:52:25+0000.824117Z [(H)ERROR] tid(0x7f68e9c27f40) | quote3_error_t=SGX_QL_NO_PLATFORM_CERT_DATA
 (oe_result_t=OE_PLATFORM_ERROR) [/source/openenclave/host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:706]
2023-01-10T08:52:25+0000.825863Z [(H)ERROR] tid(0x7f68e9c27f40) | :OE_PLATFORM_ERROR [/source/openenclave/host/sgx/quote.c:sgx_get_qetarget_info:37]
Enclave1: ***../common/attestation.cpp(121): oe_get_evidence failed.(OE_PLATFORM_ERROR)
Enclave1: ***../common/dispatcher.cpp(153): get_evidence_with_public_key failed
Host: get_evidence_with_public_key failed. OE_OK
Host: attestation failed with 1
Host: Terminating enclaves
Enclave1: ***../common/crypto.cpp(94): mbedtls cleaned up.
Host: Enclave successfully terminated.
Enclave2: ***../common/crypto.cpp(94): mbedtls cleaned up.
Host: Enclave successfully terminated.
Host:  failed 
make: *** [Makefile:27: runsgxremote] Error 1

Do you have any ideas?

Thank you

KFPW_Intel
Moderator

Hi leila888,

Thank you for your patience.

The logs are very useful. The error you encountered may be due to the client not being able to get PCK certs from the cache server (THIM or PCCS).

In order to get the PCK certs from the cache server, the Quote Provider Library (QPL) is used to fetch the certs. Please check which QPL is used: is it the Intel or the Microsoft version?

If it is the Intel version of the QPL, there is a configuration file, /etc/sgx_default_qcnl.conf, in which you need to provide your cache server URL correctly for it to work.

If it is the Microsoft version of the QPL, please check with Microsoft; this Azure DCAP Client source may assist you for your use cases.

Regards,

Ken


KFPW_Intel
Moderator

Hi leila888,

I hope the information I provided was helpful to you. Do you need further help with this issue?

Please inform us if you have any questions regarding this issue.

Thank you.

Regards,

Ken


leila888
Beginner

Thanks so much, problem solved.

KFPW_Intel
Moderator

Hi leila888,

We have not heard from you in several days, so we will no longer monitor this thread. We hope you were able to resolve your issue. Please start a new thread if you need further help.

Regards,

Ken

