search

edgelesssys / edgelessdb

EdgelessDB is a MySQL-compatible database for confidential computing. It runs entirely inside a secure enclave and comes with advanced features for collaboration, recovery, and access control.
https://edgeless.systems/products/edgelessdb
GNU General Public License v2.0
170 stars 17 forks source link

Failed to get certificate quote verification collateral information. OE_QUOTE_PROVIDER_CALL_ERROR #103

Closed aep closed 2 years ago

aep commented 2 years ago

going through remote attestation in https://docs.edgeless.systems/edgelessdb/#/getting-started/install?id=remote-attestation

curl https://localhost:8081/sgx/certification/v3/rootcacrl

works fine and returns a hex string

curl shows a quote

curl -k https://localhost:8080/quote
{"status":"success","data":{"Cert":"-----BEGIN CERTIFICATE-----\nMIIBlzCCATygAwIBAgIQWS4Tcl80ylnzyD0Q0+AwmDAKBggqhkjOPQQDAjAnMREw\nDwYDVQQKEwhFREIgcm9vdDESMBAGA1UEAxMJbG9jYWxob3N0MCAYDzAwMDEwMTAx\nMDAwMDAwWhcNMzIwNjA3MTAxMjI2WjAnMREwDwYDVQQKEwhFREIgcm9vdDESMBAG\nA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhq7q2AuV\nht5nP8mlVBNv7mU0ATk36WNLIgikcmugrTzzqn0AVYVri0O4s/6WQM7UEU18quUG\nH0za8lY20F1bjqNIMEYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUNMlbHNLp\nxb2Ktg6tUXCuW6VeIdEwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMC\nA0kAMEYCIQCTIN6Wdx/tmrLRCyLqBSimkbSWsA5wO79/Jh2OiE48UwIhAJ6irNez\niFFA+JEkaaMrEjZbrkUV5Gcv3vMOO+I04IZI\n-----END CERTIFICATE-----\n","Quote":"AQAAAAIAAAD3EQA....CBDRVJUSUZJQ0FURS0tLS0tCg=="}

but era is unhappy about it

era -c edgelessdb-sgx.json -h localhost:8080 -output-root edb.pem

2022-06-07T10:12:39+0000.222999Z [(H)ERROR] tid(0x7f896584e640) | :OE_QUOTE_PROVIDER_CALL_ERROR [/edgelessrt/build/3rdparty/openenclave/openenclave-src/host/sgx/sgxquoteprovider.c:oe_get_sgx_quote_verification_collateral:91]
2022-06-07T10:12:39+0000.223053Z [(H)ERROR] tid(0x7f896584e640) | :OE_QUOTE_PROVIDER_CALL_ERROR [/edgelessrt/build/3rdparty/openenclave/openenclave-src/common/sgx/collateral.c:oe_get_sgx_quote_verification_collateral_from_certs:225]
2022-06-07T10:12:39+0000.223079Z [(H)ERROR] tid(0x7f896584e640) | Failed to get certificate quote verification collateral information. OE_QUOTE_PROVIDER_CALL_ERROR (oe_result_t=OE_QUOTE_PROVIDER_CALL_ERROR) [/edgelessrt/build/3rdparty/openenclave/openenclave-src/common/sgx/endorsements.c:oe_get_sgx_endorsements:389]
2022-06-07T10:12:39+0000.223134Z [(H)ERROR] tid(0x7f896584e640) | :OE_QUOTE_PROVIDER_CALL_ERROR [/edgelessrt/build/3rdparty/openenclave/openenclave-src/common/sgx/verifier.c:oe_sgx_verify_evidence:816]
2022-06-07T10:12:39+0000.223149Z [(H)ERROR] tid(0x7f896584e640) | :OE_QUOTE_PROVIDER_CALL_ERROR [/edgelessrt/build/3rdparty/openenclave/openenclave-src/common/attest_plugin.c:oe_verify_evidence:407]
panic: OE_QUOTE_PROVIDER_CALL_ERROR

goroutine 1 [running]:
main.main()
    /__w/era/era/cmd/era/main.go:63 +0xd7f

here's the call to pccs. looks like encrypted_ppid is just zeroes. unsure if that matters.

2022-06-07 10:12:28.182 [info]: 172.17.0.1 - - [07/Jun/2022:10:12:28 +0000] "GET /sgx/certification/v3/pckcert?qeid=26E300....B9B&encrypted_ppid=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000&cpusvn=03040000000000000000000000000000&pcesvn=0C00&pceid=0000 HTTP/1.1" 200 1639 "-" "-"
thomasten commented 2 years ago

I suspect that use_secure_cert is true in /etc/sgx_default_qcnl.conf. Can you check, set it to false if not already, and try again? If this works, I'll update the docs accordingly. (It's needed because this PCCS uses a self-signed certificate for the connection. This has nothing to do with and doesn't affect the security of the remote attestation process itself.)

aep commented 2 years ago

(edit: never mind, i misread that)

this worked, thanks!

i now get

TCB level of SGX platform is outdated.

the suggested -allow-tcb-status=OutOfDate then worked fine.