
Comments (8)

hyjiang commented on August 20, 2024

You need to install & configure QPL/PCCS before generating an ECDSA quote. In your case, I suppose the QPL-related libraries (libsgx-dcap-default-qpl-dev) are not installed.

See the Prerequisite section in the sample README.

from sgxdatacenterattestationprimitives.

Jojeker commented on August 20, 2024

Hello,

thank you very much for your help! I was following this Intel guide on installing the PCCS. Regarding the libsgx-dcap-default-qpl-dev, I can confirm that it was previously installed.

I verified that, upon registration to the PCCS, the pckcache.db file is correctly populated in pcs_certificates after executing PCKIDRetrievalTool with the configuration given below. From my understanding, configuring the PCCS with REQ as the cache filling mode allows the PCCS to retrieve the Platform Certificate with the matching TCB level from Intel's SGX Provisioning Certification Service.

Regarding my configuration, this is what I set for all services:

  1. PCCS:
sudo cat /opt/intel/sgx-dcap-pccs/config/default.json
{
    "HTTPS_PORT" : 8081,
    "hosts" : "0.0.0.0",
    "uri": "https://api.trustedservices.intel.com/sgx/certification/v4/",
    "ApiKey" : "<SNIP>",
    "proxy" : "",
    "RefreshSchedule": "0 0 1 * * *",
    "UserTokenHash" : "<SNIP>",
    "AdminTokenHash" : "<SNIP>",
    "CachingFillMode" : "REQ",
    "LogLevel" : "info",
    "DB_CONFIG" : "sqlite",
    "sqlite" : {
        "database" : "database",
        "username" : "username",
        "password" : "password",
        "options" : {
            "host": "localhost",
            "dialect": "sqlite",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false,
            "storage": "pckcache.db"
        }
    },
    "mysql" : {
        "database" : "pckcache",
        "username" : "root",
        "password" : "mypass",
        "options" : {
            "host": "localhost",
            "port": "3306",
            "dialect": "mysql",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false
        }
    }
}
  2. Quoting Configuration:
sudo cat /etc/sgx_default_qcnl.conf
{
  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.

  //PCCS server address
  "pccs_url": "https://localhost:8081/sgx/certification/v4/"

  // To accept insecure HTTPS certificate, set this option to false
  ,"use_secure_cert": false,

  // You can use the Intel PCS or another PCCS to get quote verification collateral.  Retrieval of PCK
  // Certificates will always use the PCCS described in pccs_url.  When collateral_service is not defined, both
  // PCK Certs and verification collateral will be retrieved using pccs_url
  ,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"

  // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
  // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
  // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version
  // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1
  // internally.  Currently, only values of 3.0 and 3.1 are valid.  Note, if you set this to 3.1, the PCCS use to retrieve
  // verification collateral must support the new 3.1 APIs.
  //,"pccs_api_version": "3.1"

  // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
  // It will first wait one second and then for all forthcoming retries it will double the waiting time.
  // By using retry_delay you disable this exponential backoff algorithm
  ,"retry_times": 6

  // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
  ,"retry_delay": 10

  // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
  // and failover to pccs_url as in legacy mode.
  //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"

  // If local_pck_url is not defined, setting pck_cache_expire_hours to a non-zero value will enable the local cache.
  // The PCK certificates will be cached in memory and then to the disk drive.
  // ===== Important: Once the local cache files are created, currently there is no other way to clean them other
  //                  than to delete them manually, or wait for them to expire after "pck_cache_expire_hours" hours.
  //                  To delete the cache files manually, go to these folders:
  //                       Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
  //                       Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
  //                  If there is a folder called .dcap-qcnl, delete it. Restart the service after all cache
  //                  folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
  ,"pck_cache_expire_hours": 168

  // To set cache expire time for quote verification collateral in hours
  // See the above comment for pck_cache_expire_hours for more information on the local cache.
  ,"verify_collateral_cache_expire_hours": 168

  // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates
  // from local cache files and will not request any PCK certificates from service providers, whether local or remote.
  // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with
  // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use
  // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform
  // that requires provisioning.
  ,"local_cache_only": false

  // You can add custom request headers and parameters to the get certificate API.
  // But the default PCCS implementation just ignores them.
  //,"custom_request_options" : {
  //  "get_cert" : {
  //    "headers": {
  //      "head1": "value1"
  //    },
  //    "params": {
  //      "param1": "value1",
  //      "param2": "value2"
  //    }
  //  }
  //}
}
  3. PCK ID Retrieval Tool
sudo cat /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf
# #############################################################
# PCCS server address
# support V3 version PCCS
#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
# support V4 version PCCS
PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
###############################################################


###############################################################
# when access pccs, user need provide the token
user_token = <SNIP [user password from PCCS configuration]>
###############################################################


###############################################################
# Proxy settings:proxy type could be the following three types
# direct: means no proxy used
# default: system default proxy will be used
# manual: when this type was selected, user need provide the proxy_url

proxy_type    = direct
#proxy_type    = default
#proxy_type  = manual
#proxy_url   = http://proxy_url:proxy_port
###############################################################
  4. AESM Configuration:
sudo cat /etc/aesmd.conf
#Line with comments only

#empty line with comment
proxy type    = direct #direct type means no proxy used
#proxy type    = default #system default proxy
#proxy type    = manual #aesm proxy should be specified for manual proxy type
#aesm proxy    = http://proxy_url:proxy_port
#whitelist url = http://sample_while_list_url/
default quoting type = ecdsa_256
#default quoting type = epid_linkable
#default quoting type = epid_unlinkable
#qpl log level = error
qpl log level = info

The QuoteGenerationSample shows that the key_type is "incorrect", i.e., it is using PPID_RSA3072_ENCRYPTED = 3 instead of PCK_CERT_CHAIN = 5 (Source).

[APP] Step4: Call sgx_qe_get_quote
[APP] cert_key_type = 0x3

I also tried to compile the generation sample with SGX_DEBUG=1, without changing the result. Is there some necessary configuration step I am missing? Thank you very much for your help!

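The /etc/sgx_default_qcnl.conf posted above is JSON with // comments, which plain json.loads rejects, and it carries one setting with a direct security consequence: "use_secure_cert": false tells the QCNL not to validate the PCCS TLS certificate, so anything on the network path can impersonate the PCCS. The following is an added example, not code from the thread or from Intel's DCAP repository: it strips the comments (leaving the // inside URL strings intact), loads the config, and reports the settings a reviewer would flag. The embedded SAMPLE_CONF is a constructed, trimmed copy of the configuration above, and the finding texts are this example's own wording.

```python
import json

# Constructed sample: a trimmed copy of the sgx_default_qcnl.conf posted above,
# in the same JSON-with-//-comments dialect that the QCNL ships with.
SAMPLE_CONF = r'''
{
  // PCCS server address; note the "//" inside the URL string below
  "pccs_url": "https://localhost:8081/sgx/certification/v4/"

  // To accept insecure HTTPS certificate, set this option to false
  ,"use_secure_cert": false
  ,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"
  //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"
  ,"retry_times": 6
  ,"retry_delay": 10
  ,"pck_cache_expire_hours": 168
  ,"local_cache_only": false
}
'''

URL_KEYS = ("pccs_url", "collateral_service", "local_pck_url")


def strip_json_comments(text: str) -> str:
    """Remove // line comments and /* */ block comments outside of JSON strings."""
    out, in_str, escape, i, n = [], False, False, 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if escape:
                escape = False
            elif c == "\\":
                escape = True
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == "/" and text.startswith("//", i):
            j = text.find("\n", i)          # keep the newline so line layout survives
            i = n if j == -1 else j
        elif c == "/" and text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_qcnl_conf(text: str) -> dict:
    """Parse a QCNL config file body into a dict."""
    return json.loads(strip_json_comments(text))


def audit_qcnl_conf(conf: dict) -> list:
    """Return (key, message) findings for settings that weaken PCK/collateral retrieval."""
    findings = []
    if conf.get("use_secure_cert") is False:
        findings.append(("use_secure_cert",
                         "PCCS TLS certificate is not validated, so the PCCS can be "
                         "impersonated on the network path; acceptable for a lab PCCS "
                         "with a self-signed cert, set to true once it has a trusted cert"))
    if "pccs_url" not in conf:
        findings.append(("pccs_url", "missing; the QCNL has nowhere to fetch PCK certificates from"))
    for key in URL_KEYS:
        url = conf.get(key)
        if url is not None and not url.startswith("https://"):
            findings.append((key, f"{url!r} is not https"))
    if conf.get("local_cache_only") is True:
        findings.append(("local_cache_only",
                         "no network fetch at all; the cache folders must be pre-populated"))
    return findings


if __name__ == "__main__":
    for key, msg in audit_qcnl_conf(load_qcnl_conf(SAMPLE_CONF)):
        print(f"{key}: {msg}")
```

On the configuration above the only finding is use_secure_cert; the commented-out http local_pck_url is dropped by the comment stripper and therefore not reported, which is the intended reading of the file.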

hyjiang commented on August 20, 2024

Yes, you can see from the output that your cert_key_type is 3, so the quote cannot be verified.
It means the DCAP QL library cannot find the QPL/QCNL library, so it will not try to connect to the PCCS to get the corresponding PCK cert chain.

Maybe you can check:

  • Whether the QPL/QCNL library is really installed on the system, e.g. ls -al /usr/lib64
  • Try to build the QPL/QCNL library yourself, copy the libs to the QuoteGenerationSample folder, then run the sample again

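The diagnosis above rests on one field: the certification data type the QE puts at the tail of the quote. When no QPL is loaded the QE falls back to PPID_RSA3072_ENCRYPTED (3) and the PCK certificate chain is absent, which is why the sample prints cert_key_type = 0x3. The parser below is an added example, not code from the thread or from the DCAP repository; it walks the packed sgx_quote3_t layout (48-byte header, 384-byte report body, u32 signature_data_len, then the ECDSA signature block with its auth data and certification data) and reports which type is present. The type names and sizes follow sgx_quote_3.h; build_quote and SAMPLE_CHAIN are constructed test fixtures with zeroed signatures and placeholder PEM blocks, not a real quote or real PCK certificates.

```python
import struct

# sgx_ql_cert_key_type_t values from sgx_quote_3.h in the DCAP repository
CERT_KEY_TYPES = {
    1: "PPID_CLEARTEXT",
    2: "PPID_RSA2048_ENCRYPTED",
    3: "PPID_RSA3072_ENCRYPTED",
    4: "PCK_CLEARTEXT",
    5: "PCK_CERT_CHAIN",
    6: "ECDSA_SIG_AUX_DATA",
}
PCK_CERT_CHAIN = 5
SGX_QL_ALG_ECDSA_P256 = 2          # sgx_ql_attestation_algorithm_id_t

# Fixed sizes of the packed, little-endian sgx_quote3_t layout
QUOTE_HEADER_LEN = 48              # sgx_quote_header_t
REPORT_BODY_LEN = 384              # sgx_report_body_t
ECDSA_SIG_LEN = 64                 # r || s over P-256
ECDSA_PUBKEY_LEN = 64              # x || y without the 0x04 prefix
FIXED_SIG_PREFIX = ECDSA_SIG_LEN + ECDSA_PUBKEY_LEN + REPORT_BODY_LEN + ECDSA_SIG_LEN


def parse_cert_data(quote: bytes):
    """Walk an sgx_quote3_t blob and return (cert_key_type, name, cert_data).

    Only the structure is checked; no signature is verified here.
    """
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN + 4:
        raise ValueError("quote shorter than header + report body + signature_data_len")
    version, att_key_type = struct.unpack_from("<HH", quote, 0)
    if version != 3:
        raise ValueError(f"unsupported quote version {version}")
    if att_key_type != SGX_QL_ALG_ECDSA_P256:
        raise ValueError(f"unexpected attestation key type {att_key_type}")

    off = QUOTE_HEADER_LEN + REPORT_BODY_LEN
    (sig_len,) = struct.unpack_from("<I", quote, off)
    off += 4
    if off + sig_len != len(quote):
        raise ValueError("signature_data_len does not match the quote length")

    # sgx_ql_ecdsa_sig_data_t: sig, attest_pub_key, qe_report, qe_report_sig,
    # then auth_certification_data (u16 size + bytes), then the certification data
    off += FIXED_SIG_PREFIX
    (auth_size,) = struct.unpack_from("<H", quote, off)
    off += 2 + auth_size
    cert_type, cert_size = struct.unpack_from("<HI", quote, off)
    off += 6
    if off + cert_size != len(quote):
        raise ValueError("certification data truncated or trailing bytes present")
    return cert_type, CERT_KEY_TYPES.get(cert_type, "UNKNOWN"), quote[off:off + cert_size]


def has_pck_cert_chain(quote: bytes) -> bool:
    """True when the quote carries a PEM PCK certificate chain (cert_key_type 5)."""
    cert_type, _, cert_data = parse_cert_data(quote)
    return cert_type == PCK_CERT_CHAIN and b"-----BEGIN CERTIFICATE-----" in cert_data


def build_quote(cert_key_type: int, cert_data: bytes, auth_data: bytes = b"") -> bytes:
    """Assemble a structurally valid but unsigned (all-zero) sgx_quote3_t for tests."""
    header = struct.pack("<HHIHH16s20s", 3, SGX_QL_ALG_ECDSA_P256, 0, 0, 0,
                         b"\x00" * 16, b"\x00" * 20)   # QE vendor id and user data zeroed
    sig_data = (b"\x00" * FIXED_SIG_PREFIX
                + struct.pack("<H", len(auth_data)) + auth_data
                + struct.pack("<HI", cert_key_type, len(cert_data)) + cert_data)
    return header + b"\x00" * REPORT_BODY_LEN + struct.pack("<I", len(sig_data)) + sig_data


# Constructed placeholder chain: three PEM blocks with dummy bodies, not real PCK certs.
SAMPLE_CHAIN = b"".join(
    b"-----BEGIN CERTIFICATE-----\nMIIB" + bytes([0x41 + i]) * 40 + b"\n-----END CERTIFICATE-----\n"
    for i in range(3)
)

if __name__ == "__main__":
    # An RSA-3072 encrypted PPID is 384 bytes, which is what a type-3 quote carries instead of a chain.
    for q in (build_quote(PCK_CERT_CHAIN, SAMPLE_CHAIN), build_quote(3, b"\x00" * 384)):
        t, name, _ = parse_cert_data(q)
        print(f"cert_key_type = {t:#x} ({name}); PCK chain present: {has_pck_cert_chain(q)}")
```

Running parse_cert_data on the quote the sample writes out gives the same number the sample prints, and has_pck_cert_chain is the quick check to gate on before handing a quote to a verifier that expects type 5.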

Jojeker commented on August 20, 2024

I have checked the paths of the libraries and got the following results:

ls -al /usr/lib64
total 8
drwxr-xr-x  2 root root 4096 Oct  4 06:22 .
drwxr-xr-x 14 root root 4096 Jul  1 07:10 ..
lrwxrwxrwx  1 root root   42 Sep 25 14:45 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2

When specifically looking for the libraries:

sudo find / -name '*libdcap*'
<SNIP>
/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so
/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1
/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1.13.105.1
<SNIP>

sudo find / -name '*libsgx_default_qcnl_wrapper*'
<SNIP>
/usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so.1.13.105.1
/usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so
/usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so.1
<SNIP>

The files are linked in the following way:

ls /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so* -al
lrwxrwxrwx 1 root root      22 Oct  6 05:40 /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so -> libdcap_quoteprov.so.1
lrwxrwxrwx 1 root root      31 Aug  4 10:07 /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1 -> libdcap_quoteprov.so.1.13.105.1
-rw-r--r-- 1 root root 1699800 Aug  4 10:07 /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1.13.105.1

ls -al /usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so*
lrwxrwxrwx 1 root root     32 Oct  6 05:40 /usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so -> libsgx_default_qcnl_wrapper.so.1
lrwxrwxrwx 1 root root     41 Aug  4 10:07 /usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so.1 -> libsgx_default_qcnl_wrapper.so.1.13.105.1
-rw-r--r-- 1 root root 507072 Aug  4 10:07 /usr/lib/x86_64-linux-gnu/libsgx_default_qcnl_wrapper.so.1.13.105.1

However, whereis does not return any result:

$ whereis libdcap_quoteprov
libdcap_quoteprov:
$ whereis libsgx_default_qcnl_wrapper
libsgx_default_qcnl_wrapper:

Does this indicate that the libraries for QPL and QCNL are outdated, since the current version is 1.18? However, I am a bit puzzled by the fact that dpkg shows that the version is the latest.

libsgx-dcap-default-qpl-dbgsym/unknown,now 1.18.100.1-jammy1 amd64 [installed]
libsgx-dcap-default-qpl-dev/unknown,now 1.18.100.1-jammy1 amd64 [installed]
libsgx-dcap-default-qpl/unknown,now 1.18.100.1-jammy1 amd64 [installed]
libsgx-dcap-ql-dbgsym/unknown,now 1.18.100.1-jammy1 amd64 [installed]
libsgx-dcap-ql-dev/unknown,now 1.18.100.1-jammy1 amd64 [installed]
libsgx-dcap-ql/unknown,now 1.18.100.1-jammy1 amd64 [installed]

I tried building both libraries and placed them inside the QuoteGenerationSample directory using the following commands:

# Building and copying the QPL

$ cd ~/Documents/SGXDataCenterAttestationPrimitives/QuoteGeneration/qpl/linux/
$ make
CXX  <=  x509.cpp
CXX  <=  ../sgx_base64.cpp
CXX  <=  ../sgx_default_quote_provider.cpp
g++ -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection x509.o ../sgx_base64.o ../sgx_default_quote_provider.o -shared -Wl,-soname=libdcap_quoteprov.so.1  -pthread -Wl,-z,relro,-z,now,-z,noexecstack -Wl,--version-script=sgx_default_quote_provider.lds -Wl,--gc-sections  -g -L../../build/linux -L/opt/intel/sgxsdk/lib64 -L../../../prebuilt/openssl/lib/linux64 -lcrypto -lsgx_default_qcnl_wrapper -lpthread -ldl -DDISABLE_TRACE -o libdcap_quoteprov.so
$  cp libdcap_quoteprov.so ~/Documents/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/

# Building and copying the QCNL

$ cd ~/Documents/SGXDataCenterAttestationPrimitives/QuoteGeneration/qcnl/linux/
$ make
make -C ../../../tools/PCKCertSelection/PCKCertSelectionLib -f Makefile.static_lib
make[1]: Entering directory '/home/eduard/Documents/SGXDataCenterAttestationPrimitives/tools/PCKCertSelection/PCKCertSelectionLib'
Archiving...
make[1]: Leaving directory '/home/eduard/Documents/SGXDataCenterAttestationPrimitives/tools/PCKCertSelection/PCKCertSelectionLib'
g++ -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection network_wrapper.o qcnl_config_impl.o ../certification_provider.o ../certification_service.o ../pccs_response_object.o ../qcnl_config.o ../qcnl_util.o ../sgx_default_qcnl_wrapper.o -shared -Wl,-soname=libsgx_default_qcnl_wrapper.so.1 -pthread -Wl,-z,relro,-z,now,-z,noexecstack -Wl,--version-script=sgx_default_qcnl.lds -Wl,--gc-sections  -g -L../../build/linux -L/opt/intel/sgxsdk/lib64 -L../../../prebuilt/openssl/lib/linux64 -lpthread -ldl -lcurl ../../../tools/PCKCertSelection/static_out/libPCKCertSelection.a -DDISABLE_TRACE -o libsgx_default_qcnl_wrapper.so
$ cp libsgx_default_qcnl_wrapper.so ~/Documents/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/

# Clean building the QuoteGenerationSample

$ cd ~/Documents/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/
$ make clean && make
$ ./app
[APP] Step1: Call sgx_qe_get_target_info:
[APP] succeed!
[APP] Step2: Call create_app_report
[APP] Step3: Call sgx_qe_get_quote_size
[APP] Step4: Call sgx_qe_get_quote
[APP] cert_key_type = 0x3

# Output of aesmd Service

Oct 08 06:18:02 machine aesm_service[9804]: [read_persistent_data ../qe_logic.cpp:1082] Couldn't find the platform library. (null)
Oct 08 06:18:02 machine aesm_service[9804]: [get_platform_quote_cert_data ../qe_logic.cpp:438] Couldn't load the platform library. (null)
Oct 08 06:18:02 machine aesm_service[9804]: [read_persistent_data ../qe_logic.cpp:1082] Couldn't find the platform library. (null)
Oct 08 06:18:02 machine aesm_service[9804]: [get_platform_quote_cert_data ../qe_logic.cpp:438] Couldn't load the platform library. (null)
Oct 08 06:18:02 machine aesm_service[9804]: [read_persistent_data ../qe_logic.cpp:1082] Couldn't find the platform library. (null)
Oct 08 06:18:02 machine aesm_service[9804]: [get_platform_quote_cert_data ../qe_logic.cpp:438] Couldn't load the platform library. (null)

Are there additional libraries I should build from source, or is there another way I should use the built libraries during execution? It seems like they aren't used when executing ./app even though they reside in the directory.


jsun39 commented on August 20, 2024

Would you please check the QPL/QCNL configuration: /etc/sgx_default_qcnl.conf?

// To accept insecure HTTPS certificate, set this option to false
,"use_secure_cert": false

Maybe you need to change the HTTPS certificate option.


lingyuj commented on August 20, 2024

I think use_secure_cert is already set to false. Maybe you can try purging the libdcap_quoteprov package and reinstall.


hyjiang commented on August 20, 2024

Agree with @lingyuj; it's better to reinstall the 1.18 QPL package.


Jojeker commented on August 20, 2024

Thank you for the advice, reinstalling the QPL package finally solved the problem! So the issue was incompatible versions?
