intel / SGXDataCenterAttestationPrimitives

Error Running QuoteGeneration SampleCode #150

Open kamathhrishi opened 3 years ago

kamathhrishi commented 3 years ago

I tried running the QuoteGeneration SampleCode and it returned the following error.

sgx_qe_set_enclave_load_policy is valid in in-proc mode only and it is optional: the default enclave load policy is persistent: 
set the enclave load policy as persistent: succeed!

Step1: Call sgx_qe_get_target_info:Error in sgx_qe_get_target_info. 0xe044

Any idea what the problem is?

Error 0xe044 corresponds to SGX_QL_UNKNOWN_MESSAGE_RESPONSE, from https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf.

How do I go about resolving this?

fqiu1 commented 3 years ago

You may need to check the PCCS's log under /opt/intel/sgx-dcap-pccs/logs/

fork-while-1 commented 2 years ago

Does anyone have an update on this? I have the same issue on my Azure confidential compute VM (Standard DC2s v2 (2 vcpus, 8 GiB memory)), which runs Ubuntu 20.04 LTS.

Step1: Call sgx_qe_get_target_info:Error in sgx_qe_get_target_info. 0xe040

The PCCS logs have nothing useful:

2022-03-03 20:39:01.774 [info]: DB Migration (Ver.0 -> 1) -- Start
2022-03-03 20:39:01.781 [info]: DB Migration -- Done.
2022-03-03 20:39:01.821 [info]: DB Migration (Ver.1 -> 2) -- Start
2022-03-03 20:39:01.826 [info]: DB Migration -- Done.
2022-03-03 20:39:01.886 [info]: HTTPS Server is running on: https://localhost:8081
2022-03-03 21:15:51.995 [info]: HTTPS Server is running on: https://localhost:8081

Any help is appreciated!

jsun39 commented 2 years ago

Error code 0xe040 means Service is not available. Please check your QPL's configuration file, /etc/sgx_default_qcnl.conf, and make sure your PCCS's URL is correct.

fork-while-1 commented 2 years ago

Here are the contents of my config file:

# PCCS server address
PCCS_URL=https://localhost:8081/sgx/certification/v3/

# To accept insecure HTTPS certificate, set this option to FALSE
USE_SECURE_CERT=FALSE

# You can use Intel PCS to get quote verification collateral 
#COLLATERAL_SERVICE=https://api.trustedservices.intel.com/sgx/certification/v3/

# If you use PCCS service to get quote verification collateral, you can specify which API version is to be used
# The legacy 3.0 API will return CRLs in HEX encoded DER format, while the new 3.1 API will return raw DER format
#PCCS_API_VERSION=3.1

# Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
# It will first wait one second and then for all forthcoming retries it will double the waiting time
# By using RETRY_DELAY you disable this exponential backoff algorithm
#RETRY_TIMES=6

# Sleep this amount of seconds before each retry when a transfer has failed with a transient error
#RETRY_DELAY=10

The URL seems to be correct. I changed the log level to silly and restarted the pccs service, but the logs don't register anything other than what I have above, even after I run the QuoteGenerationSample. I would think it would register some information, so I'm not sure how to debug this.

jsun39 commented 2 years ago

This is your PCCS's config. I need your QPL's config: /etc/sgx_default_qcnl.conf

fork-while-1 commented 2 years ago

Actually, that is what I had in /etc/sgx_default_qcnl.conf -- does it look okay?

lingyuj commented 2 years ago

First, please make sure the PCCS is working as expected by running the commands below:

curl -v -k -G "https://localhost:8081/sgx/certification/v3/rootcacrl"

or

curl --noproxy "*" -v -k -G "https://localhost:8081/sgx/certification/v3/rootcacrl"
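
Added example (not part of the thread and not Intel's code): a shell helper that reads PCCS_URL and USE_SECURE_CERT from a KEY=VALUE-style /etc/sgx_default_qcnl.conf like the one posted above and prints the matching rootcacrl probe, so the check targets the same endpoint and TLS setting the QPL is configured with. The function names and the sample file are constructed for illustration; treating any value other than FALSE as "verify certificates" is an assumption of this example.

```shell
#!/bin/sh
# Added example: derive the PCCS probe command from a KEY=VALUE qcnl config.
# Function names are hypothetical; nothing here contacts the network.

# Print the value of the last uncommented KEY=VALUE line for key $1 in file $2.
qcnl_get() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the rootcacrl URL under PCCS_URL, with or without a trailing slash.
pccs_probe_url() {
    url=$(qcnl_get PCCS_URL "$1")
    [ -n "$url" ] || return 1
    printf '%s/rootcacrl\n' "${url%/}"
}

# Print the curl command for the probe. -k is added only when the config
# itself sets USE_SECURE_CERT=FALSE (compared case-insensitively, a choice
# of this example), so the probe accepts the same certificates the QPL would.
pccs_probe_cmd() {
    url=$(pccs_probe_url "$1") || { echo "PCCS_URL not set in $1" >&2; return 1; }
    secure=$(qcnl_get USE_SECURE_CERT "$1" | tr '[:lower:]' '[:upper:]')
    insecure=""
    if [ "$secure" = "FALSE" ]; then
        insecure=" -k"
    fi
    printf 'curl --noproxy "*" -v%s -G "%s"\n' "$insecure" "$url"
}

# Constructed sample: the active settings from the config posted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# PCCS server address
PCCS_URL=https://localhost:8081/sgx/certification/v3/

# To accept insecure HTTPS certificate, set this option to FALSE
USE_SECURE_CERT=FALSE
#PCCS_API_VERSION=3.1
EOF
}

# Usage: sh probe.sh /etc/sgx_default_qcnl.conf  (prints the command only)
if [ -n "${1:-}" ]; then
    pccs_probe_cmd "$1"
fi
```

If the printed command only succeeds with -k, the PCCS certificate is not trusted by the host, and the QPL will reject it as well unless USE_SECURE_CERT=FALSE is set.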