Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1465 Discussions

PCKCertification returns 404 Error & Tried troubleshooting but no good!

woogieboogie
Novice
116 Views

Hello there. Greetings from 2024. 

 

1. I've encountered an issue where the PCKCertification returns the 404 error. The request-responses are as follows, the subscription key is censored in this thread for good:

 

--- Request Log Start---

root@woogieboogie-Super-Server:~# curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid=00790a0265720d3760063274634c2a44ebe6db8288149d878b98b19e30188d79385fe0cc66ecf9955e300af1890a99ed019fb2d5acf8421fb88536800a80effcd4725498c6294dd26de8e3e30829ec87dab5b7d2a1b0756165af6578016f069dcdb427a358c2d4fc62a8b56d4a32a0bb6fd486deb919e8b684d162e1dc40b197e982468569f7..." -H "Ocp-Apim-Subscription-Key: {My Subscription Key}"
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 40.87.90.88:443...
* Connected to api.trustedservices.intel.com (40.87.90.88) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; O=Intel Corporation; CN=api.trustedservices.intel.com
* start date: Apr 11 00:00:00 2024 GMT
* expire date: Jul 10 23:59:59 2024 GMT
* subjectAltName: host "api.trustedservices.intel.com" matched cert's "api.trustedservices.intel.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /sgx/certification/v4/pckcert?encrypted_ppid=00790a0265720d3760063274634c2a44ebe6db8288149d878b98b19e30188d79385fe0cc66ecf9955e300af1890a99ed019fb2d5acf8421fb88536800a80effcd4725498c6294dd26de8e3e30829ec87dab5b7d2a1b0756165af6578016f069dcdb427a358c2d4fc62a8b56d4a32a0bb6fd486deb919e8b684d162e1dc40b197e982468569f7c486df08d2657f0f21721a2cfe602ff4a34f8974e3f8f6f79efa80f4dd5499b9cd931780da6d6dfa25a79610f152aca73976a3032714f0d062d858c92343f5f4794440e3e2ed65476e2c89e9013148b2061962dac7ba7efa03e13e018cbdeb214e8a4729ac96e302c61f8296d8ba8ea62e1e2b0439a2ffff8a42eb541105f079b2be5cbb4b17c198df00c622f7fa20a0dff2550a2a439f7fc7f0dc34571c24ffdc8163900a4802ea24fe11be475cbb6d5c1ba285ad2d106373b1d086fbaa31ece8b2f82940e24d79ee9fe26755bb541eba526bc1856098c0bc58eb6e23fcd4d3c8218008b126cde833aa1c5da850103bda772cc807410a657801&cpusvn=090d0f0effff00000000000000000000&pcesvn=0f00&pceid=0000 HTTP/1.1
> Host: api.trustedservices.intel.com
> User-Agent: curl/7.81.0
> Accept: */*
> Ocp-Apim-Subscription-Key: b59f1fa83bba46568af09f279856f12f
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Request-ID: 234889a3213647f68156d2e551e72f18
< Date: Wed, 29 May 2024 01:01:25 GMT
<
* Connection #0 to host api.trustedservices.intel.com left intact

 

--- Request Log End---

 

 

 

 

2. Here are my environment info, I got it via executing PCKIDRetrievalTool, the version is  1.21.100.3, and the logs are as follows:

 

--- PCKIDRetrievalTool Log Start---

root@woogieboogie-Super-Server:~# PCKIDRetrievalTool

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.21.100.3

Warning: platform manifest is not available or current platform is not multi-package platform.

Please input the pccs password, and use "Enter key" to end
Error: network error, please check the network setting or whether the cache server is down.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

 

--- PCKIDRetrievalTool Log End---

 

The retrieved 'pckid_retrieval.csv' file's contents are:

7225cfda64fe9cce0d1d39771ebea53663c2a80c17983195a99416b1d38634c9dfe95c139adce8845b0fafb1ea30f7f23c600af4b506af7c6e2a7b2123d202e1b8c460740d8b623796be3c7bc28422e5e356a7fc3290832953caa802412b5043e9043a52c91e471dbbb0dc476f1b5c6120023be936bd898e99ec89e0cc7e6f1e9ba3b5a7503dd1a12632e124ab8cf561b3fd669a61b9146ebd433e35e6cef253e813252640c0c9fa32feb2a99e4efe5947c69cb66ad87c4c0577fa0c18b1678fd9072b1acf83d5fae465310130b92ffa9218bf3b67ae8544246308be470c09d48a034f735de5b5e1e332d6a7db3802b386341808bd4fb05d76be7194daf6a89e4630e0871a882b8d8cee942fa328bead6dd7d8cfb0550e48f354bffc4a787c163ad6180c7bf2eee296ddc3e518258ff4abe8828b173cb847c9b2739353b76742eee84623fdec8b312f9355df6b492d64822dc11a4cb9e06e06f5a7d5c5a91da5f00e8b25e2b9076a953a1dd3c86e9987c16bb6cf368991cc9094e40d97948210,0000,090d0f0effff00000000000000000000,0f00,d762ff99f3181b5bb7a9f1899ac2c428

 

3. mapping into qeid(platform_manifest), cpusvn, pcesvn, pceid, i get

qeid(platform_manifest)=d762ff99f3181b5bb7a9f1899ac2c428

cpusvn=090d0f0effff00000000000000000000

pcesvn=0f00

pceid=0000

encrypted_ppid=7225cfda64fe9cce0d1d39771ebea53663c2a80c17983195a99416b1d38634c9dfe95c139adce8845b0fafb1ea30f7f23c600af4b506af7c6e2a7b2123d202e1b8c460740d8b623796be3c7bc28422e5e356a7fc3290832953caa802412b5043e9043a52c91e471dbbb0dc476f1b5c6120023be936bd898e99ec89e0cc7e6f1e9ba3b5a7503dd1a12632e124ab8cf561b3fd669a61b9146ebd433e35e6cef253e813252640c0c9fa32feb2a99e4efe5947c69cb66ad87c4c0577fa0c18b1678fd9072b1acf83d5fae465310130b92ffa9218bf3b67ae8544246308be470c09d48a034f735de5b5e1e332d6a7db3802b386341808bd4fb05d76be7194daf6a89e4630e0871a882b8d8cee942fa328bead6dd7d8cfb0550e48f354bffc4a787c163ad6180c7bf2eee296ddc3e518258ff4abe8828b173cb847c9b2739353b76742eee84623fdec8b312f9355df6b492d64822dc11a4cb9e06e06f5a7d5c5a91da5f00e8b25e2b9076a953a1dd3c86e9987c16bb6cf368991cc9094e40d97948210

 

4. Here are my settings, No ES CPU:

Platform Info:

uname -a:

Linux woogieboogie-Super-Server 6.5.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Mar 12 10:22:43 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

 

cat /proc/cpuinfo | grep 'model name' | uniq :
model name : Intel(R) Xeon(R) Gold 5317 CPU @ 3.00GHz

 

rdmsr -f 27:27 0xCE returns '0'

 

 

5. I've tried the following:

a) register and get platform_manifest via building/installing mpa from source. It looks like it successfully registered via following logs:

> vim /var/log/mpa_registration.log

[28-05-2024 03:50:03] INFO: SGX Registration Agent version: 1.21.100.3
[28-05-2024 03:50:03] INFO: Starts Registration Agent Flow.
[28-05-2024 03:50:03] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[28-05-2024 03:50:03] INFO: Finished Registration Agent Flow.

 

b) register 'multi-package registration' 'directly' calling and sending a POST request, even if I'm using a physical single-socket server. I've encountered a problem when trying to submit a 'platform_manifest'.  

the api docs outline example request as follows:

curl -H "Content-Type: application/octet-stream" -v --data-binary @platform_manifest -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"

@platform_manifest seems like a directory/file path. I've tried creating a .data file with qeid(platform_manifest) I got from the PCKIDRetrievalTool's results - pck_retrival.csv's latest column and gave it a .data extension. named it 'manifest.data' However the results are as follows, returning a 400 InvalidRequestSyntax Error. The logs are as follows:

 

--- platform registration log start ---

root@woogieboogie-Super-Server:~# curl -H "Content-Type: application/octet-stream" -v --data-binary manifest.data -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 40.87.90.88:443...
* Connected to api.trustedservices.intel.com (40.87.90.88) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; O=Intel Corporation; CN=api.trustedservices.intel.com
* start date: Apr 11 00:00:00 2024 GMT
* expire date: Jul 10 23:59:59 2024 GMT
* subjectAltName: host "api.trustedservices.intel.com" matched cert's "api.trustedservices.intel.com"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> POST /sgx/registration/v1/platform HTTP/1.1
> Host: api.trustedservices.intel.com
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 13
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Content-Length: 0
< Request-ID: 5c7eff6a84ff4da19ad5a7828ddc34b6
< Error-Code: InvalidRequestSyntax
< Error-Message: The request could not be understood by the server due to malformed syntax.
< Date: Wed, 29 May 2024 01:54:05 GMT

 

--- platform registration log end ---

 

I think I've tried basically everything to make it work. the last resort that remains for me - is to try SGX factory reset on the BIOS. Can someone from intel guide me or let me know if i've done something wrong to get the PCKCertification and accordingly FMSPC number? I'am also facing problems with DCAP attestation used on my application i wanna run, but I'm guessing the platform registration thing is the source of all problems. 

 

Intel Team Help!

Labels (3)
0 Kudos
0 Replies
Reply