The name of this library is confusing. As it turned out, it does not provide a quote, that's the job of the quoting enclave. This library only provides collaterals and QE identity.

Is installing the 1.35 SGX driver with Ubuntu 18.04 and Kernel 4.15 a supported configuration?

Ubuntu 18.04, Kernel 4.15
Intel SGX Driver 1.20 is installed.

When I attempt to install 1.35 SGX driver, the installation fails with no error message.
Intel SGX Driver 1.20 is still installed.
OE Sample application helloworld now fails.

./host/helloworld_host ./enclave/enclave.signed
2020-08-03T22:54:23.000000Z [(H)ERROR] tid(0x7f952ffeeb80) | enclave_create with ENCLAVE_TYPE_SGX1 type failed (err=0x1) (oe_result_t=OE_PLATFORM_ERROR) [/source/host/sgx/sgxload.c:oe_sgx_create_enclave:480]
2020-08-03T22:54:23.000000Z [(H)ERROR] tid(0x7f952ffeeb80) | :OE_PLATFORM_ERROR [/source/host/sgx/create.c:oe_sgx_build_enclave:812]
2020-08-03T22:54:23.000000Z [(H)ERROR] tid(0x7f952ffeeb80) | :OE_PLATFORM_ERROR [/source/host/sgx/create.c:oe_create_enclave:960]
oe_create_helloworld_enclave(): result=21 (OE_PLATFORM_ERROR)

Rebooting doesn't resolve the failure.

The issue is fixed after
sudo apt update
sudo apt upgrade

SGX driver is still at 1.20.

Hi,
I installed dcap driver and /dev/sgx appeared. But when executing samplecode, I got error:

This step is optional: the default enclave load policy is persistent:
set the enclave load policy as persistent:succeed!
[load_pce ../pce_wrapper.cpp:123] Error, call sgx_create_enclave for PCE fail [load_pce], SGXError:0001.
Step1: Call sgx_qe_get_target_info:Error in sgx_qe_get_target_info. 0xe00d

I'm confused that whether I didn't install dcap driver correctly? But I didn't got error when I installed. And I referred to the procedure https://github.com/bitsyizhan/sgx/blob/master/Intel_SGX_DCAP_Linux_SW_Installation_Guide.pdf.

Thanks for your time!!!

The release was made but the corresponding tag is missing.

It seems that shifting 32-bit value 1 by 63 bits is undefined behaviour and signed integer overflow for expression 'if (!((1 << i) & xfrm))'.

Hey, I tried to build the library by $ make in the root but it fails with:

ERROR: Please decompress prebuilt enclave package before compiling. Exiting......

I have no idea how to decompress the prebuilt, can somebody clarify or help me please?

SInce the 1.32 release in driver/linux/main.c, the driver checks for SGX1 support:

if (!cpu_has(c, X86_FEATURE_SGX1)) {
    pr_err_once("sgx: SGX1 instruction set is not supported\n");
    return false;
}

in drvier/linux/include/dcap.h I see X86_FEATURE_SGX1 is defined as:

#define X86_FEATURE_SGX1         ( 8*32+ 0) /* SGX1 leaf functions */

But in the Linux kernel source (arch/x86/include/asm/cpufeatures.h) I see:

#define X86_FEATURE_TPR_SHADOW		( 8*32+ 0) /* Intel TPR Shadow */

So it would appear X86_FEATURE_TPR_SHADOW is being used by the dcap driver as a proxy for SGX1 support. Is this intentional? On some machines this bit is not set (but the X86_FEATURE_SGX bit IS set) which causes the driver to fail to load.

Hi,

When I followed the instruction of executing the command: make sign.
As I google the problem, it says that I use the (1.1.0) OpenSSL version instead of the (1.0.x) one. Is that the reason why I met the problem. Could you please help me confirm the situation? and Any advice for solving this problem? Thanks for your time.

https://stackoverflow.com/questions/46768071/openssl-linking-undefined-reference-evp-md-ctx-new-and-fre

It has some error:
make[1]: Entering directory '/usr/src/linux-headers-4.11.2-041102-generic'
HOSTCC /home/novo1/chao-DataCenter/SGXDataCenterAttestationPrimitives-master/driver/linux/le/enclave/sgxsign
/tmp/ccVzfgkI.o: In function measure_encl': sgxsign.c:(.text+0x4a1): undefined reference to EVP_MD_CTX_new'
sgxsign.c:(.text+0x518): undefined reference to EVP_MD_CTX_free' sgxsign.c:(.text+0x5af): undefined reference to EVP_MD_CTX_free'
sgxsign.c:(.text+0x7f7): undefined reference to EVP_MD_CTX_free' /tmp/ccVzfgkI.o: In function usesig':
sgxsign.c:(.text+0xa27): undefined reference to RSA_get0_key' sgxsign.c:(.text+0xa86): undefined reference to RSA_get0_key'
sgxsign.c:(.text+0xb17): undefined reference to RSA_get0_key' /tmp/ccVzfgkI.o: In function sign':
sgxsign.c:(.text+0xe3a): undefined reference to RSA_get0_key' sgxsign.c:(.text+0xe9b): undefined reference to RSA_get0_key'
/tmp/ccVzfgkI.o:sgxsign.c:(.text+0xf20): more undefined references to `RSA_get0_key' follow
collect2: error: ld returned 1 exit status

Running our own software stack (not written using the Intel SGX SDK), I can reliably get ksgxswapd to hang. It is presumably deadlocked. The linux kernel watchdog reports:

[65371.395333] INFO: task ksgxswapd:495 blocked for more than 120 seconds.
[65371.399106]       Not tainted 5.4.0-1025-azure #25~18.04.1-Ubuntu
[65371.400861] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[65371.403331] ksgxswapd       D    0   495      2 0x80004000
[65371.403333] Call Trace:
[65371.403337]  __schedule+0x277/0x710
[65371.403339]  ? __switch_to_asm+0x40/0x70
[65371.403340]  schedule+0x33/0xa0
[65371.403341]  schedule_timeout+0x1d3/0x320
[65371.403341]  ? __schedule+0x27f/0x710
[65371.403343]  wait_for_completion+0xb4/0x130
[65371.403345]  ? wake_up_q+0x80/0x80
[65371.403346]  __synchronize_srcu.part.22+0x91/0xc0
[65371.403347]  ? __bpf_trace_rcu_utilization+0x10/0x10
[65371.403350]  ? hv_ce_set_oneshot+0x60/0x60
[65371.403352]  synchronize_srcu_expedited+0x27/0x30
[65371.403354]  ? synchronize_srcu_expedited+0x27/0x30
[65371.403356]  synchronize_srcu+0xb2/0xc0
[65371.403359]  sgx_mmu_notifier_release+0x9c/0xb0 [intel_sgx]
[65371.403361]  __mmu_notifier_release+0x47/0xd0
[65371.403362]  exit_mmap+0x15d/0x1b0
[65371.403363]  ? __khugepaged_exit+0xfc/0x110
[65371.403365]  ? kmem_cache_free+0x294/0x2b0
[65371.403367]  ? kmem_cache_free+0x294/0x2b0
[65371.403368]  mmput+0x57/0x140
[65371.403369]  sgx_reclaim_pages+0x17c/0x7c0 [intel_sgx]
[65371.403373]  ksgxswapd+0x14d/0x2e0 [intel_sgx]
[65371.403374]  ? wait_woken+0x80/0x80
[65371.403375]  kthread+0x121/0x140
[65371.403376]  ? sgx_reclaim_pages+0x7c0/0x7c0 [intel_sgx]
[65371.403377]  ? kthread_park+0x90/0x90
[65371.403377]  ret_from_fork+0x35/0x40

This is on Ubuntu 18.04, using version 1.33 of the DCAP driver. I have a largish Docker container with our tests that I can provide. With this container, I can reliably produce this hang within a few minutes. Using the out-of-tree driver, I don't see hangs. Unfortunately, I don't have a test case smaller than this container that demonstrates the issue.

when i build SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample and run app

The following information appears:

/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample# ./app 
sgx_qe_set_enclave_load_policy is valid in in-proc mode only and it is optional: the default enclave load policy is persistent: 
set the enclave load policy as persistent:succeed!

[ecdsa_init_quote ../qe_logic.cpp:1183] Call sgx_pce_get_target().
[ecdsa_init_quote ../qe_logic.cpp:1192] Call Load the QE.
[load_qe ../qe_logic.cpp:622] Call sgx_create_enclave for QE. /usr/lib/x86_64-linux-gnu/libsgx_qe3.signed.so
[ecdsa_init_quote ../qe_logic.cpp:1231] Read ECDSA blob.
[get_qpl_handle ../qe_logic.cpp:247] Found the Quote's dependent library. /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1
[read_persistent_data ../qe_logic.cpp:907] Couldn't find 'sgx_ql_read_persistent_data()' in the platform library. (null)
[ecdsa_init_quote ../qe_logic.cpp:1237] ECDSA Blob doesn't exist is persistent storage.  Try to use the cached version.
[ecdsa_init_quote ../qe_logic.cpp:1263] Invalid ECDSA Blob verificaton. 0xd004, generate a new key.
[ecdsa_init_quote ../qe_logic.cpp:1453] Generate and certify a new ECDSA attestation key
[ecdsa_init_quote ../qe_logic.cpp:1470] Get ATT Key.
[get_qpl_handle ../qe_logic.cpp:247] Found the Quote's dependent library. /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1
[get_platform_quote_cert_data ../qe_logic.cpp:336] Found the sgx_ql_get_quote_config and sgx_ql_free_quote_config API.
[get_platform_quote_cert_data ../qe_logic.cpp:337] Request the Quote Config data.
[get_platform_quote_cert_data ../qe_logic.cpp:340] Error returned from the p_sgx_get_quote_config API. 0xe019
Step1: Call sgx_qe_get_target_info:Error in sgx_qe_get_target_info. 0xe019

Installing Intel QPL will have the package libdcap_quoteprov.so.1 installed. I am wondering is there any particular reason that we name the library libdcap_quoteprov.so.1, instead of libdcap_quoteprov.so?

SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/Makefile should be fixed.

diff --git a/SampleCode/QuoteGenerationSample/Makefile b/SampleCode/QuoteGenerationSample/Makefile
index f77f413..0036bee 100644
--- a/SampleCode/QuoteGenerationSample/Makefile
+++ b/SampleCode/QuoteGenerationSample/Makefile
@@ -77,7 +77,7 @@ else ifeq ($(IS_RHEL),)
endif

App_Cpp_Flags := $(App_C_Flags) -std=c++11
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -l$(DCAP_Library_Name) -l$(Urts_Library_Name) -l$(Uae_Library_Name) -ldl -lpthread
+App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(DCAP_Library_Name) -l$(Urts_Library_Name) -l$(Uae_Library_Name) -ldl -lpthread

Below is error log:
nuc@nuc:~/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample$ make
make target
make[1]: 进入目录“/home/nuc/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample”
cd App && /opt/intel/sgxsdk/bin/x64/sgx_edger8r --untrusted ../Enclave/Enclave.edl
GEN => App/Enclave_u.c
CC <= App/Enclave_u.c
CXX <= App/App.cpp
g++ App/Enclave_u.o App/App.o -o app -m64 -O2 -lsgx_dcap_ql -lsgx_urts -lsgx_quote_ex -ldl -lpthread
/usr/bin/ld: 找不到 -lsgx_quote_ex
collect2: error: ld returned 1 exit status
Makefile:178: recipe for target 'app' failed
make[1]: *** [app] Error 1
make[1]: 离开目录“/home/nuc/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample”
Makefile:138: recipe for target 'all' failed
make: *** [all] Error 2

$ cpuid -1 -r|grep ' 0x00000007'
   0x00000007 0x00: eax=0x00000000 ebx=0x029c6fbf ecx=0x40000000 edx=0xbc000000
$ sudo rdmsr 0x3a
60005

However:

$ dmesg|grep intel_sgx
[    4.755630] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
[    4.756262] intel_sgx: intel_sgx: FLC feature is not supported on the platform!
[    4.756302] intel_sgx: intel_sgx: second initialization call skipped

If I comment out this code in sgx_main.c, everything works fine:

	if (!boot_cpu_has(X86_FEATURE_SGX_LC)) {
		pr_err("intel_sgx: FLC feature is not supported on the platform!\n");
		return false;
	}

I downloaded the driver from https://download.01.org/intel-sgx/dcap-1.0/sgx_linux_x64_driver_dcap_36594a7.bin. I'm on Ubuntu 16.04, kernel 4.4.0-116-generic.

Step 5 of How to setup describes how to generate an insecure key and certificate pair with following commands for debugging purposes, but it doesn't tell me where can I put these debugging keys and cert, which is confusing.
I put them into the PCCS installation dir, and it works. But somewhere else, it doesn't.
So could you please briefly describe the purposes of the keys and certs and where to store them in step 5?
thanks,
Su

make[3]: Entering directory '/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration/quote_wrapper/quote/linux'
/opt/intel/sgxsdk/bin/x64/sgx_edger8r --untrusted ../enclave/qe3.edl --search-path ../enclave
GEN => qe3_u.c
CC <= qe3_u.c
CXX <= ../qe_logic.cpp
CXX <= ../sgx_ql_core_wrapper.cpp
true
make[4]: Entering directory '/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration/pce_wrapper/linux'
make[4]: Leaving directory '/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration/pce_wrapper/linux'
g++ qe3_u.o se_thread.o se_trace.o ../qe_logic.o ../sgx_ql_core_wrapper.o -shared -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -g -L/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration/build/linux -L/opt/intel/sgxsdk/lib64 -lpthread -ldl -DDISABLE_TRACE -Wl,--version-script=qe3_logic.lds -Wl,--gc-sections -o libsgx_qe3_logic.so
/usr/bin/ld: se_thread.o: unable to initialize decompress status for section .debug_info
/usr/bin/ld: se_thread.o: unable to initialize decompress status for section .debug_info
/usr/bin/ld: se_thread.o: unable to initialize decompress status for section .debug_info
/usr/bin/ld: se_thread.o: unable to initialize decompress status for section .debug_info
se_thread.o: file not recognized: File format not recognized
collect2: error: ld returned 1 exit status
Makefile:91: recipe for target 'libsgx_qe3_logic.so' failed
make[3]: *** [libsgx_qe3_logic.so] Error 1
make[3]: Leaving directory '/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration/quote_wrapper/quote/linux'
Makefile:90: recipe for target '../../quote/linux/libsgx_qe3_logic.so' failed
make[2]: *** [../../quote/linux/libsgx_qe3_logic.so] Error 2
make[2]: Leaving directory '/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration/quote_wrapper/ql/linux'
Makefile:55: recipe for target 'qe3_logic' failed
make[1]: *** [qe3_logic] Error 2
make[1]: Leaving directory '/home/sgx/SGXDataCenterAttestationPrimitives/QuoteGeneration'
Makefile:39: recipe for target 'QuoteGeneration' failed
make: *** [QuoteGeneration] Error 2

Hi,
I try to executing the SampleCode,but get an error.

Step1: Call sgx_qe_get_target_info:Error in sgx_qe_get_target_info. 0xe035

0x0035 means that SGX_QL_ERROR_INVALID_PRIVILEGE,and says that no enough privilege to perform the operation.
I tried to make with DEBUG=1,but no else information output.
I wonders that how to solving this problem?Thanks for your time!!

Hi!

I am trying to install DCAP Drivers in an Ubuntu 18.04 machine following this guide.

My kernel is the standard 5.4.0-52-generic:

➜  SGXDataCenterAttestationPrimitives git:(master) ✗ uname -r
5.4.0-52-generic

TLTR: everything works fine, until I run sudo /sbin/modprobe intel_sgx, which returns modprobe: ERROR: could not insert 'intel_sgx': No such device (read below for more details).

NOTE: I successfully install iSGX driver and run my applications. My CPU is SGX-enabled, at least for SGX1.

Any of you had a similar issue?
I would be great for any help. Thanks.

Here, the detailed steps I follow.

➜  SGXDataCenterAttestationPrimitives git:(master) ✗ make # this goes fine!
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ cat ./driver/linux/dkms.conf 
PACKAGE_NAME="sgx"
PACKAGE_VERSION="1.36.2"
BUILT_MODULE_NAME[0]="intel_sgx"
DEST_MODULE_LOCATION[0]="/kernel/drivers/intel/sgx"
AUTOINSTALL="yes"
MAKE[0]="'make'  KDIR=/lib/moduls/${kernelver}/build"
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ sudo mkdir /usr/src/sgx-1.36.2
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ sudo cp -r ./driver/linux/* /usr/src/sgx-1.36.2
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ sudo dkms add -m sgx -v 1.36.2

Creating symlink /var/lib/dkms/sgx/1.36.2/source ->
                 /usr/src/sgx-1.36.2

DKMS: add completed.
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ sudo dkms build -m sgx -v 1.36.2

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
'make' KDIR=/lib/modules/5.4.0-52-generic/build...
Signing module:
 - /var/lib/dkms/sgx/1.36.2/5.4.0-52-generic/x86_64/module/intel_sgx.ko
Secure Boot not enabled on this system.
cleaning build area...

DKMS: build completed.
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ sudo dkms install -m sgx -v 1.36.2

intel_sgx:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.4.0-52-generic/updates/dkms/

depmod...

DKMS: install completed.
➜  SGXDataCenterAttestationPrimitives git:(master) ✗ sudo /sbin/modprobe intel_sgx     
modprobe: ERROR: could not insert 'intel_sgx': No such device

Hi,
I encountered the following issue, could sgx team help to look at this? It seems a blocking issue.

sgx@sgx-HP-EliteDesk-800-G4-WKS-TWR:~/Downloads$ sudo dpkg -i libsgx-dcap-default-qpl_1.2.100.51313-bionic1_amd64.deb
(Reading database ... 184189 files and directories currently installed.)
Preparing to unpack libsgx-dcap-default-qpl_1.2.100.51313-bionic1_amd64.deb ...
Unpacking libsgx-dcap-default-qpl (1.2.100.51313-bionic1) ...
dpkg: error processing archive libsgx-dcap-default-qpl_1.2.100.51313-bionic1_amd64.deb (--install):
trying to overwrite '/etc/sgx_default_qcnl.conf', which is also in package libsgx-enclave-common 2.6.100.51285-bionic1
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Errors were encountered while processing:
libsgx-dcap-default-qpl_1.2.100.51313-bionic1_amd64.deb

Thanks,
Su

In the 1.6 release, and the current master, the debian package for libsgx-pce-logic lists a dependency on libsgx-urts 2.8 (or higher):

https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/installer/linux/deb/libsgx-pce-logic/libsgx-pce-logic-1.0/debian/control

I believe this is incorrect, and the current code actually depends on 2.9. When trying to build with 1.6, and libsgx-urts 2.8, I got linking errors on sgx_get_metadata (which I believe was moved between packages?):

/usr/lib/x86_64-linux-gnu/libsgx_pce_logic.so: undefined reference to `sgx_get_metadata'

I'm not sure if the fix is to update all of the Depends: to >= 2.9? Or perhaps just this one? Or maybe I'm misunderstanding these dependencies.

Thanks for your help.

Steps.

$ docker run -it ubuntu:18:04
# apt update && apt install -y wget git gnupg
# echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | tee /etc/apt/sources.list.d/intel-sgx.list
# wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
# apt update && apt install sgx-dcap-pccs

Need to get 68.2 MB of archives.
After this operation, 275 MB of additional disk space will be used.

275Mb includes dependencies like python2, gcc/g++ and also, deprecated
nodejs modules:

npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

Are these all needed?

Hi,

I want to install sgx DCAP driver. But when I run "sudo /sbin/modprobe intel_sgx", there is the following error:
modprobe: ERROR: could not insert 'intel_sgx': No such device.

Any idea on how to fix it? Thanks.

/SampleCode/QuoteVerificationSample$ ./app -quote ../QuoteGenerationSample/quote.dat
Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat

Trusted quote verification:
Info: get target info successfully returned.
Info: sgx_qv_set_enclave_load_policy successfully returned.
Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
Error: App: sgx_qv_verify_quote failed: 0xe021
Error: App: Get QvE Identity and Root CA CRL from PCCS failed: 0xe00e

There is a race condition in PCKRetrievalTool Makefile. On my system it is 100% reproducible.
(The build fails on less than 16 CPUs as well)
Steps to reproduce:

$ cd ~/SGXDataCenterAttestationPrimitives/tools/PCKRetrievalTool
$ make clean
$ make -j 16

Edited result:

...
g++ -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -fPIC -Wno-attributes -I/opt/intel/sgxsdk/include -I./App -I ./App/inc -I ../../QuoteGeneration/common/inc/internal -I ../../QuoteGeneration/quote_wrapper/ql/inc  -I ../../QuoteGeneration/pce_wrapper/inc -I ../../QuoteGeneration/quote_wrapper/common/inc -I ../SGXPlatformRegistration/include -std=c++11 -c App/utility.cpp -o App/utility.o
Enclave/Enclave.cpp:34:10: fatal error: Enclave_t.h: No such file or directory
 #include "Enclave_t.h"
          ^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:218: Enclave/Enclave.o] Error 1
make: *** Waiting for unfinished jobs....

Running using a single CPU works fine:

$ make clean
$ make

Edited result:

...
Succeed.
SIGN =>  pck_id_retrieval_tool_enclave.signed.so
make -C Qpl/linux
make[1]: Entering directory '/home/juro/pr/SGXDataCenterAttestationPrimitives/tools/PCKRetrievalTool/Qpl/linux'
CXX  <=  ../sgx_quote_provider.cpp
g++ -Wnon-virtual-dtor -std=c++11 ../sgx_quote_provider.o -shared -Wl,-soname=libdcap_quoteprov.so.1 -pthread -Wl,-z,relro,-z,now,-z,noexecstack -Wl,--gc-sections  -L/opt/intel/sgxsdk/lib64 -lpthread -ldl  -Wl,-rpath=. -o libdcap_quoteprov.so.1
make[1]: Leaving directory '/home/juro/pr/SGXDataCenterAttestationPrimitives/tools/PCKRetrievalTool/Qpl/linux'
The project has been built in release hardware mode.

I am trying build Quote Generation Library.

With all prerequisite installed, my normal build by running "make" works well.

But when I try to build debug libraries by running "make DEBUG=1". I am keeping running into the issue below:

../qe_logic.cpp: In function ‘void* get_qpl_handle()’:
../qe_logic.cpp:259:13: error: ‘old_libname_used’ was not declared in this scope
old_libname_used = true;
^~~~~~~~~~~~~~~~
Makefile:87: recipe for target '../qe_logic.o' failed
make[2]: *** [../qe_logic.o] Error 1
make[2]: Leaving directory '/home/yufjiang/SGXDataCenterAttestationPrimitives/QuoteGeneration/quote_wrapper/quote/linux'
Makefile:90: recipe for target '../../quote/linux/libsgx_qe3_logic.so' failed
make[1]: *** [../../quote/linux/libsgx_qe3_logic.so] Error 2
make[1]: Leaving directory '/home/yufjiang/SGXDataCenterAttestationPrimitives/QuoteGeneration/quote_wrapper/ql/linux'
Makefile:55: recipe for target 'qe3_logic' failed
make: *** [qe3_logic] Error 2

Please let me know if there are any workaround. Thank you very much!

following driver/linux installation instructions, after running make and make clean, it says "With root priviledge, copy the sources to /usr/src/sgx-/"

What is meant by sources in this context?

These are the files in the dir.

-rw-r--r-- 1 root root 249 Sep 2 16:55 version.h
-rw-r--r-- 1 root root 3314 Sep 2 16:55 sgx_wl.h
-rw-r--r-- 1 root root 1807 Sep 2 16:55 sgx.h
-rw-r--r-- 1 root root 8851 Sep 2 16:55 README.md
-rw-r--r-- 1 root root 635 Sep 2 16:55 Makefile
-rw-r--r-- 1 root root 20064 Sep 2 16:55 main.c
-rw-r--r-- 1 root root 2391 Sep 2 16:55 License.txt
-rw-r--r-- 1 root root 21963 Sep 2 16:55 ioctl.c
drwxr-xr-x 3 root root 4096 Sep 2 16:55 include
-rw-r--r-- 1 root root 5892 Sep 2 16:55 encls.h
-rw-r--r-- 1 root root 3912 Sep 2 16:55 encl.h
-rw-r--r-- 1 root root 21259 Sep 2 16:55 encl.c
-rw-r--r-- 1 root root 886 Sep 2 16:55 driver.h
-rw-r--r-- 1 root root 5147 Sep 2 16:55 driver.c
-rw-r--r-- 1 root root 200 Sep 2 16:55 dkms.conf
-rw-r--r-- 1 root root 10594 Sep 2 16:55 arch.h
-rw-r--r-- 1 root root 115 Sep 2 16:55 10-sgx.rules

map_handle_t* map_file(se_file_handle_t file, uint32_t size)
{
map_handle_t mh = (map_handle_t *)calloc(1, sizeof(map_handle_t));
if (mh == NULL || size == NULL)
return NULL; // FIXME

// Using GetFileSizeEx instead of GetFileSize.
// We do NOT support mapping files larger than max uint32_t with this API.
LARGE_INTEGER file_size; file_size.QuadPart = 0;
if (GetFileSizeEx(file, &file_size) && file_size.HighPart == 0)
{
    *size = file_size.LowPart;
}
else
{
    return NULL;  // FIXME
}

Are there any plans or guidance to build a Linux driver with support for both SGX2 (EDMM) and the DCAP LE?

This is especially relevant since intel/linux-sgx-driver#92 deprecated the master branch of linux-sgx-driver, and this project contains what's apparently a fork of that codebase.

SampleCode/QuoteGenerationSample$ sudo make
make target
make[1]: Entering directory '/home/rigsec/sgx-file/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample'
App/App.cpp:50:10: fatal error: sgx_dcap_ql_wrapper.h: No such file or directory
#include "sgx_dcap_ql_wrapper.h"
^~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
Makefile:174: recipe for target 'App/App.o' failed
make[1]: *** [App/App.o] Error 1
make[1]: Leaving directory '/home/rigsec/sgx-file/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample'
Makefile:138: recipe for target 'all' failed
make: *** [all] Error 2

I believe the comments are supposed to reference the offset in bytes within the structure. The offsets are wrong though.

In the document: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs

It was mentioned that "All configurations can be done during the installation process."

But when I run
dpkg -i libsgx-dcap-pccs_1.3.100.4-bionic1_amd64.deb
It installed the files into their destination folders, but didn't prompt any configuration process.
Do I miss anything here?

The manual installation works well for me though.

Thanks for your help!

Hi~

I'm playing with dcap-v1.3 recently, and write toy project as https://github.com/sammyne/sgx-dcap-playground. It has run ok before. But recently, SGX_QL_TCBINFO_UNSUPPORTED_FORMAT error pops out, and I cannot figure out why?

My environment goes as

• ubuntu 16.04
• SGX v2.7
• DCAP v1.3.101.3

The project is very simple and based on teaclave-sgx-sdk.

It would be also nice if someone could also tell me how to enable the tracing log such as https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.3.1/QuoteVerification/dcap_quoteverify/sgx_dcap_quoteverify.cpp#L333, which helps me debugging during native development~

Really appreciate if someone could help me out~

I got an error of 0xe001 when I run ./App of QuoteGeneration Sample

Step1: Call sgx_qe_get_target_info:Error in sgx_qe_get_target_info. 0xe001

I can't find any document referring to this error code.

For kernels 5.0 to 5.3, the Linux dcap driver uses mmput_async instead of mmput. The issue is that mmput_async is not an exported symbol, a dkms module will fail to build on 5.0 to 5.3 kernels. I don't understand why this condition is there, and think mmput should just be used for all kernels

Code in question in main.c:

#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE > KERNEL_VERSION(5, 4, 0) )
                mmput(encl_mm->mm);
#else
                mmput_async(encl_mm->mm);
#endif

when i run /SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample# ./app
Some errors occurred:

Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat

Trusted quote verification:
	Info: get target info successfully returned.
	Info: sgx_qv_set_enclave_load_policy successfully returned.
	Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
	Info: App: sgx_qv_verify_quote successfully returned.
	Info: App: Get QvE Identity and Root CA CRL from PCCS successfully returned.
	Error: failed to verify QvE report. 0x0001
	Warning: App: Verification completed with Non-terminal result: a008

===========================================

Untrusted quote verification:
	Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
	Info: App: sgx_qv_verify_quote successfully returned.
	Warning: App: Verification completed with Non-terminal result: a008

The 1.2 release no longer has the QuoteProviderSample code in the SampleCode directory. Is there a reason why this was removed?

scripts/installConfig
~/SGXDataCenterAttestationPrimitives/QuoteGeneration
~/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3 ~/SGXDataCenterAttestationPrimitives/QuoteGeneration
~/SGXDataCenterAttestationPrimitives/QuoteGeneration
~/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3 ~/SGXDataCenterAttestationPrimitives/QuoteGeneration
~/SGXDataCenterAttestationPrimitives/QuoteGeneration
~/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3 ~/SGXDataCenterAttestationPrimitives/QuoteGeneration
dpkg-buildpackage: info: 源码包 libsgx-dcap-ql
dpkg-buildpackage: info: 源码版本 1.3.101.3-bionic1
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: 源码修改者 Xiangquan Liu [email protected]
dpkg-buildpackage: info: 主机架构 amd64
dpkg-source --before-build libsgx-dcap-ql-1.3.101.3
fakeroot debian/rules clean
make[2]: 进入目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dh clean
dh_auto_clean
dh_clean
make[2]: 离开目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dpkg-source -b libsgx-dcap-ql-1.3.101.3
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building libsgx-dcap-ql using existing ./libsgx-dcap-ql_1.3.101.3.orig.tar.gz
dpkg-source: info: building libsgx-dcap-ql in libsgx-dcap-ql_1.3.101.3-bionic1.debian.tar.xz
dpkg-source: info: building libsgx-dcap-ql in libsgx-dcap-ql_1.3.101.3-bionic1.dsc
debian/rules build
make[2]: 进入目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dh build
dh_update_autotools_config
dh_auto_configure
dh_auto_build
make -j1
make[3]: 进入目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
make[3]: 对“default”无需做任何事。
make[3]: 离开目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dh_auto_test
make[2]: 离开目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
fakeroot debian/rules binary
make[2]: 进入目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dh binary
dh_testroot
dh_prep
dh_auto_install
make -j1 install DESTDIR=/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3/debian/libsgx-dcap-ql AM_UPDATE_INFO_DIR=no
make[3]: 进入目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
install -d /home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3/debian/libsgx-dcap-ql/usr/lib/x86_64-linux-gnu
install package/lib/* /home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3/debian/libsgx-dcap-ql/usr/lib/x86_64-linux-gnu
install: 无法获取'package/lib/*' 的文件状态(stat): 没有那个文件或目录
Makefile:43: recipe for target 'install' failed
make[3]: *** [install] Error 1
make[3]: 离开目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dh_auto_install: make -j1 install DESTDIR=/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3/debian/libsgx-dcap-ql AM_UPDATE_INFO_DIR=no returned exit code 2
debian/rules:8: recipe for target 'binary' failed
make[2]: *** [binary] Error 2
make[2]: 离开目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.3.101.3”
dpkg-buildpackage: 错误: fakeroot debian/rules binary subprocess returned exit status 2
Makefile:88: recipe for target 'deb_sgx_dcap_ql_pkg' failed
make[1]: *** [deb_sgx_dcap_ql_pkg] Error 2
make[1]: 离开目录“/home/wangsu/SGXDataCenterAttestationPrimitives/QuoteGeneration”
Makefile:37: recipe for target 'all' failed
make: *** [all] Error 2

And I checked this config:
cat ./QuoteGeneration/installer/linux/common/libsgx-dcap-ql/output/scripts/installConfig

NGA_VERSION="1.0"
TARBALL_NAME=libsgx-dcap-ql_1.0.orig.tar.gz
NGA_PKG_NAME=libsgx-dcap-ql

LIB_DIR=lib

I'm using https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main for my distro (in a container) but I cannot find pre-built packages for the tools maintained in the tools repository.

Any change those could be provided as packages too?

Hei,

I am trying to install SGXDCP driver but when I execute the following command
/sbin/modprobe intel_sgx I got the following error
modprobe: ERROR: could not insert 'intel_sgx': No such device
I am able though to install the isgx driver from binary files but I want to use the out-of-tree driver. I have enabled SGX in my Bios and also disabled Secure Boot. Also when I try to install SGXDCAP driver I of course un install first the sgx-driver (isgx).

Is there any reason why I am not able to install such driver and what should I do?

Currently, the user needs to run an application with SGX_AESM_ADDR=1 ./my-app if she wants to force DCAP libraries to use AESM (instead of creating QE and PCE in the same process, which is the default).

I didn't find any API to enforce this (so that the user doesn't need to explicitly specify this env variable).

Even worse, I cannot even do setenv("SGX_AESM_ADDR", "1", /*overwrite=*/1) in my program because DCAP libraries look at SGX_AESM_ADDR at initialization/constructor time:

It would be great to have an API like set_aesm_usage(true/false) or something.

Currently libsgx_default_qcnl_wrapper.so.1 relies on libcurl3. libcurl3 and libcurl4 cannot coexist on the system which causes issues when I run attestation on the system that requires libcurl4.

Could you please consider to make libsgx_default_qcnl_wrapper.so.1 rely on libcurl4?

I used the latest master branch (34d1ad489d282e5e2cfe8e4256ec405a1ea916ea commit) on stable Linux 5.4.

The driver didn't build:

$ make
  CC [M]  /home/dimakuv/SGXDataCenterAttestationPrimitives/driver/linux/encl.o
  CC [M]  /home/dimakuv/SGXDataCenterAttestationPrimitives/driver/linux/main.o
  CC [M]  /home/dimakuv/SGXDataCenterAttestationPrimitives/driver/linux/driver.o
  CC [M]  /home/dimakuv/SGXDataCenterAttestationPrimitives/driver/linux/ioctl.o
  LD [M]  /home/dimakuv/SGXDataCenterAttestationPrimitives/driver/linux/intel_sgx.o
  Building modules, stage 2.
  MODPOST 1 modules
ERROR: "mmput_async" [/home/dimakuv/SGXDataCenterAttestationPrimitives/driver/linux/intel_sgx.ko] undefined!
scripts/Makefile.modpost:93: recipe for target '__modpost' failed
make[2]: *** [__modpost] Error 1

It looks like mmput_async() doesn't exist in Linux 5.4. I fixed this like this:

diff --git a/driver/linux/main.c b/driver/linux/main.c
index 13a60f1..ddf9dc4 100644
--- a/driver/linux/main.c
+++ b/driver/linux/main.c
@@ -96,7 +96,7 @@ static bool sgx_reclaimer_age(struct sgx_epc_page *epc_page)
                ret = !sgx_encl_test_and_clear_young(encl_mm->mm, page);
                up_read(&encl_mm->mm->mmap_sem);

-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE > KERNEL_VERSION(5, 4, 0) )
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0) )
                 mmput(encl_mm->mm);
 #else
                 mmput_async(encl_mm->mm);
@@ -144,7 +144,7 @@ static void sgx_reclaimer_block(struct sgx_epc_page *epc_page)

                        up_read(&encl_mm->mm->mmap_sem);

-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE > KERNEL_VERSION(5, 4, 0) )
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0) )
                         mmput(encl_mm->mm);
 #else
                         mmput_async(encl_mm->mm);
@@ -212,7 +212,7 @@ static const cpumask_t *sgx_encl_ewb_cpumask(struct sgx_encl *encl)

                cpumask_or(cpumask, cpumask, mm_cpumask(encl_mm->mm));

-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE > KERNEL_VERSION(5, 4, 0) )
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) || LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0) )
                 mmput(encl_mm->mm);
 #else
                 mmput_async(encl_mm->mm);

Probably not the best way to fix this...

Since 5.4 is an LTS kernel, it would be very good to fix this bug.

Hi,

As the instruction says that FLC feature is needed for developing SGXDataCenter, I have tried on my server (Ubuntu 18.04) capable of SGX machine equipped with Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz. It says that FLC is not supported on my platform.

Does anyone know which kind of CPU could I use that support FLC features? or Does update my BIOS workout for me?

Best,
Chao

Hi,
I could confirm PCCS and other dependencies have been installed and work (QL sample code could work). But I can't make the folllowing test passed.
sgx@sgx-test:~/SGXDataCenterAttestationPrimitives/QuoteVerification/SampleISVEnclave$ ./app
Info: get target info successfully returned.
Info: sgx_qv_set_enclave_load_policy successfully returned.
Info: sgx_qv_get_quote_supplemental_data_size successfully returned.
Error: App: sgx_qv_verify_quote failed: 0xe01b
Error: failed to verify QvE report. 0x3001
Error: App: Verification completed with Terminal result: e006
Enter a character before exit ...

HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘/usr/src/SGXDataCenterAttestationPrimitives/QuoteVerification/sgxssl/lin_2.5_1.1.1d.zip.1’

lin_2.5_1.1.1d.zip.1 [ <=> ] 2.94M 4.31KB/s in 11m 28s

2020-05-09 16:06:57 (4.37 KB/s) - ‘/usr/src/SGXDataCenterAttestationPrimitives/QuoteVerification/sgxssl/lin_2.5_1.1.1d.zip.1’ saved [3078260]

File /usr/src/SGXDataCenterAttestationPrimitives/QuoteVerification/sgxssl//lin_2.5_1.1.1d.zip checksum failure
Makefile:180: recipe for target 'PREPARE_SGX_SSL' failed
make[3]: *** [PREPARE_SGX_SSL] Error 255
make[3]: Leaving directory '/usr/src/SGXDataCenterAttestationPrimitives/QuoteVerification/QvE'
Makefile:37: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/usr/src/SGXDataCenterAttestationPrimitives/QuoteVerification'
Makefile:64: recipe for target 'qve_wrapper' failed
make[1]: *** [qve_wrapper] Error 2
make[1]: Leaving directory '/usr/src/SGXDataCenterAttestationPrimitives/QuoteGeneration'
Makefile:39: recipe for target 'QuoteGeneration' failed
make: *** [QuoteGeneration] Error 2

Are these files supposed to be public?

https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/psw/quote_wrapper/quote/enclave/qe3_private.pem
https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/psw/quote_wrapper/quote/MSFTtestkey.h

The file /etc/mpa_registration.conf needs a key.
The file README.md says:

subscription key = <64byte-hex-value>

However, when user enters (no space following '='):

subscription key =<64byte-hex-value>

then we can see there is an error in the log file:

$ sudo systemctl restart mpa_registration_tool.service
$ cat /var/log/mpa_registration.log 
...
[25-10-2020 03:49:40] ERROR: too long subscription key in config file 32
[25-10-2020 03:49:40] INFO: SGX Registration Agent version: 1.8.100.2
[25-10-2020 03:49:40] INFO: Starts Registration Agent Flow.
[25-10-2020 03:49:40] INFO: Registration Flow - Registration status indicates registration is complete.  Nothing to do.
[25-10-2020 03:49:40] INFO: Finished Registration Agent Flow.

While one could argue this is not a bug but a feature, I don't share that sentiment.
Adding to the confusion is the fact that systemctl does not report any error:

$ sudo systemctl status mpa_registration_tool.service
● mpa_registration_tool.service - Intel MPA Registration
   Loaded: loaded (/usr/lib/systemd/system/mpa_registration_tool.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Sun 2020-10-25 16:08:32 PDT; 53s ago
  Process: 4055030 ExecStart=/opt/intel/sgx-ra-service/mpa_registration (code=exited, status=0/SUCCESS)
 Main PID: 4055030 (code=exited, status=0/SUCCESS)

In addition, there is a dead link on the page:
https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/tools/SGXPlatformRegistration

"See doc/README for details." points to a non-existing page:
https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/tools/SGXPlatformRegistration/doc/README

When an error happens calling sgx_qe_get_target_info (and friends), it dumps "quote3_error_t=0x...". The error codes are listed at https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h. It would be good if the code is translated into an understandable message.

Issue links to openenclave/openenclave#2945.

Currently the "sgx-pck-id-retrieval-tool" RPM package installs the following files:
/opt/intel/sgx-pck-id-retrieval-tool/License.txt
/opt/intel/sgx-pck-id-retrieval-tool/PCKIDRetrievalTool
/opt/intel/sgx-pck-id-retrieval-tool/README.txt
/opt/intel/sgx-pck-id-retrieval-tool/libdcap_quoteprov.so.1
/opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf
/opt/intel/sgx-pck-id-retrieval-tool/pck_id_retrieval_tool_enclave.signed.so

and one additional symlink in /usr/local/bin PCKIDRetrievalTool -> /opt/intel/sgx-pck-id-retrieval-tool/PCKIDRetrievalTool

Is there any particular reason these files are not installed in standard Linux locations?

/usr/bin/PCKIDRetrievalTool
/usr/lib64/libdcap_quoteprov.so.1
/usr/lib64/pck_id_retrieval_tool_enclave.signed.so
/etc/sgx-pck-id-retrieval-tool/network_setting.conf
%{_licensedir}/sgx-pck-id-retrieval-tool/License.txt
%{_docdir}/sgx-pck-id-retrieval-tool/README.txt

I am aware placing network_settings in /etc/ folder would require code change, but the change is rather trivial.

Also, the README.txt file says:

 Please install these Debian or RPM packages, you can download it from [01.org](https://01.org/intel-software-guard-extensions/downloads)
             a. libsgx-enclave-common_{version}-{revision}_{arch}.deb or libsgx-enclave-common_{version}-{revision}_{arch}.rpm
             b. libsgx-dcap-ql_{version}-{revision}_{arch}.deb or libsgx-dcap-ql_{version}-{revision}_{arch}.rpm

The sgx-pck-id-retrieval-tool.spec file already contains:

Recommends:     libsgx-urts >= 2.11, libsgx-dcap-ql >= %{version}-%{release}, libsgx-ra-uefi >= %{version}-%{release}

Considering there are users that may not read the README.txt, the .spec file should probably contain:

Recommends:     libsgx-urts >= 2.11,  libsgx-ra-uefi >= %{version}-%{release}
Requires: libsgx-enclave-common >= 2.11
Requires: libsgx-dcap-ql >= %{version}-%{release}

The README.txt "_{version}-{revision}" is a bit confusing as well, as DCAP version/revision differs form SDK/PSW /version/revision