intel / SGXDataCenterAttestationPrimitives


PackageNotFound on multi-package platform #244

Closed cjqpker closed 2 years ago

cjqpker commented 2 years ago

Env:

Register via postman:

(screenshot of the Postman registration request, 2022-08-09)

Register via mpa:

[08-08-2022 09:14:36] INFO: Starts Registration Agent Flow.
[08-08-2022 09:14:40] ERROR: RS reports a '400 Bad Request'.
[08-08-2022 09:14:40] INFO: Registration Flow - PLATFORM_ESTABLISHMENT or TCB_RECOVERY failed.
[08-08-2022 09:14:40] INFO: Finished Registration Agent Flow.

root@master:/opt/intel/sgx-ra-service# ./mpa_manage -get_last_registration_error_code
Last reported registration error code: a3
jsun39 commented 2 years ago

It is a commercial platform, right? And could you please share your manifest's size? And please copy the Request-ID information here.

By the way, the software stack on your platform is very old. It is better to upgrade it.

cjqpker commented 2 years ago

1. Commercial platform: yes
2. Manifest's size: 16926 bytes in binary, 33852 bytes in hex text (6th column of pckid_retrieval.csv)
3. A new Request-ID: 9125ab7c53e74576aba1b5bd9a0c2ba9
4. I tried sgx_linux_x64_driver_1.36.2.bin of DCAP 1.9 and got the same error

Thanks @jsun39

cjqpker commented 2 years ago

We tried another machine with Ubuntu 18.04 and got the same error: PackageNotFound

jsun39 commented 2 years ago

That is not related to your OS environment. Could you please execute this command: "cat /proc/cpuinfo | grep microcode", and paste the result?

cjqpker commented 2 years ago

We tested two machines and the microcodes are:

@jsun39

jsun39 commented 2 years ago

microcode has no problem. Would you please check this command's output: sudo rdmsr 0x503?

cjqpker commented 2 years ago

root@barenode3:~# rdmsr 0x503
2
jsun39 commented 2 years ago

OK, who is your BIOS vendor? AMI or Intel, or other? If you are using the Intel version BIOS, please make sure:
Set EDKII Menu -> Platform Configuration -> Server ME Debug Configuration -> Server ME General Configuration -> Delayed Authentication to enabled (X)
Set EDKII Menu -> Platform Configuration -> Server ME Debug Configuration -> Server ME General Configuration -> Delayed Authentication Mode (DAM) to Disabled

cjqpker commented 2 years ago

AMI ~

cjqpker commented 2 years ago

BIOS vendor is AMI and I didn't find any configuration relating to "Intel ME".

jsun39 commented 2 years ago

Can you find any configuration related to "Delayed Authentication Mode (DAM)" in the section "platform configuration" or "security configuration"?

cjqpker commented 2 years ago

No:

(two screenshots of the BIOS setup menus, 2022-08-11)

jsun39 commented 2 years ago

I don't have an AMI version BIOS at hand. I am not sure whether you can get AMI's support. If yes, please check with them how to set the platform to production status from the SGX perspective. If not, I will try to find a platform with an AMI version BIOS to double-check it.

cjqpker commented 2 years ago

Does that mean the CPUs we tested are not in production status (from the SGX perspective)? Is this problem related to the BIOS settings or to the CPU itself (for example, not an official edition)?

jsun39 commented 2 years ago

I am a little confused: do you mean your CPU is not an official edition? If your CPUs were bought from the market, I suppose they should be official edition. Then the current problem is related to the BIOS.

cjqpker commented 2 years ago

Yes, they are official edition. We are seeking help from the vendor of these servers, thanks a lot!

cjqpker commented 2 years ago

In the screenshots below, are there any configurations possibly related to our problem?

(three screenshots of the BIOS setup menus, 2022-08-12)

jsun39 commented 2 years ago

I don't think it is related to the current issue.

cjqpker commented 2 years ago

@jsun39 We replaced the mainboard of the server and "rdmsr 0x503" now returns 0.

'POST api.trustedservices.intel.com/sgx/registration/v1/platform' returned '201 Created'
'GET api.trustedservices.intel.com/sgx/certification/v3/pckcert' returned 404

jsun39 commented 2 years ago

I am happy to hear that your platform is in production status. What is your parameter setting for "GET api.trustedservices.intel.com/sgx/certification/v3/pckcert"?

cjqpker commented 2 years ago

Below is the parameter from PCCS's log:

/sgx/certification/v3/pckcert?qeid=3C852C6435C53F989E52B94AEBF8BFF3&encrypted_ppid=…&cpusvn=05050000FFFF00000000000000000000&pcesvn=0D00&pceid=0000 HTTP/1.1" 404 32 "-" "-"

jsun39 commented 2 years ago

I think your current platform configuration has some problem: the cpusvn is 05050000FFFF00000000000000000000, and the highlighted part is not a correct configuration.

jsun39 commented 2 years ago

On the other hand, you are trying to connect to Intel's PCS directly, so you can remove the parameter: qeid=3C852C6435C53F989E52B94AEBF8BFF3.

And you can use this request to get all of the PCK certs:

/sgx/certification/v3/pckcerts?encrypted_ppid=50C3FDC1FF7D698D94A62E08354F168484AF145067C6DFD2207845B1DD89F60A2903BAAB7F202D8CB2E6182926546DB55D7B10D66C899385A62B1AADCC1C8F3D5FAB41272D7F74B797E95A1B555537A76E56E2D9C999943C2EECA8992A0D79A54C926D52C1B3BB32EBAA876C913595FD67CAA21DFDBB87C58B441D439FB54B16D1402D7D666B5C55631C027D1D6AF149109A170FF6D0F6E124EA95A8D297B941930A4F6C21577EA583E0747F98D1434E70B3736FD451DBA4150FC3DA01592A82F740F375B30683790AC6E04897CF50C92EC155D346BC411060E006D69DD51D4E2F9520150B5C7E582133427D6403EA2C87BC6B522FAFB1963F82E25CD35E5EF87ED873B7106C439705996E3E5A77CF3D9AE8898074E12205EBDE7CCF16C40A9F973C8226AE2ACBBA56141688B97C22BDA690BD1C51C1453D4D46D05F81F7E70AF1C16E7E16A7D8732AAC5C34D9563008868E98748EA945C3A5C0D9487DD9BA0F892D3F8AC34833C0B234D1CFAD3C4CD5623056318D274997A6CF71E0DC26DA46&pceid=0000
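
The two maintainer comments above give a practical recipe for debugging a PCK certificate 404: read the TCB parameters out of the PCCS log line, sanity-check them (the cpusvn with 0xFF components was the tell here), and re-issue the request against Intel's PCS directly with the PCCS-only qeid dropped and the pckcerts endpoint instead of pckcert. The script below is an added example (not part of this thread or of the DCAP project) that does exactly that. It assumes the parameter sizes documented for the v3 PCS API (16-byte cpusvn, 2-byte pcesvn and pceid, 384-byte encrypted_ppid) and uses a constructed request line in the shape of the one quoted above, with a dummy encrypted_ppid; the "0xFF component means a misreported TCB" check is a heuristic taken from the maintainers' diagnosis in this thread, not a documented PCS rule.

```python
"""Parse a PCCS pckcert request line and rebuild it for a direct PCS query.

Added example; not code from the SGXDataCenterAttestationPrimitives project.
SAMPLE_REQUEST is constructed to mirror the PCCS log line in this thread,
with the encrypted PPID replaced by a dummy value of the right length.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Intel's production PCS base URL for the v3 certification API (from the thread).
PCS_BASE = "https://api.trustedservices.intel.com/sgx/certification/v3"

# Constructed sample: same parameters as the thread's failing request.
SAMPLE_REQUEST = (
    "/sgx/certification/v3/pckcert?qeid=3C852C6435C53F989E52B94AEBF8BFF3"
    "&encrypted_ppid=" + "AB" * 384
    + "&cpusvn=05050000FFFF00000000000000000000&pcesvn=0D00&pceid=0000"
)


def parse_pck_query(request_path: str) -> dict:
    """Return the query parameters of a pckcert request as a flat dict."""
    qs = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def is_hex(value: str, nbytes: int) -> bool:
    """True if value is exactly nbytes encoded as hex (Base16)."""
    hexdigits = set("0123456789abcdefABCDEF")
    return len(value) == 2 * nbytes and all(c in hexdigits for c in value)


def le16(hex4: str) -> int:
    """Decode a 2-byte little-endian hex field, e.g. pcesvn=0D00 -> 13."""
    return int.from_bytes(bytes.fromhex(hex4), "little")


def check_tcb_params(params: dict) -> list:
    """Return human-readable problems found in the TCB-related parameters.

    The 0xFF check is the heuristic from this thread: the maintainers flagged
    cpusvn components reported as FF as an invalid (BIOS-misreported) TCB.
    """
    problems = []
    cpusvn = params.get("cpusvn", "")
    if not is_hex(cpusvn, 16):
        problems.append("cpusvn must be 16 bytes (32 hex chars)")
    else:
        bad = [i for i, b in enumerate(bytes.fromhex(cpusvn)) if b == 0xFF]
        if bad:
            problems.append(f"cpusvn components {bad} are 0xFF (misreported TCB)")
    if not is_hex(params.get("pcesvn", ""), 2):
        problems.append("pcesvn must be 2 bytes (4 hex chars)")
    if not is_hex(params.get("pceid", ""), 2):
        problems.append("pceid must be 2 bytes (4 hex chars)")
    if not is_hex(params.get("encrypted_ppid", ""), 384):
        problems.append("encrypted_ppid must be 384 bytes (768 hex chars)")
    return problems


def build_pcs_pckcerts_url(params: dict) -> str:
    """Build the direct-PCS 'all PCK certs' URL.

    qeid is a PCCS cache key, not a PCS parameter, so it is dropped; the
    pckcerts endpoint needs only encrypted_ppid and pceid.
    """
    query = {"encrypted_ppid": params["encrypted_ppid"], "pceid": params["pceid"]}
    return PCS_BASE + "/pckcerts?" + urlencode(query)


if __name__ == "__main__":
    p = parse_pck_query(SAMPLE_REQUEST)
    print("pcesvn =", le16(p["pcesvn"]))
    for problem in check_tcb_params(p):
        print("problem:", problem)
    print(build_pcs_pckcerts_url(p)[:90] + "...")
```

Run it against a real PCCS log line (the part after `GET` up to `HTTP/1.1`) and, if `check_tcb_params` is clean, issue the printed URL with curl while watching for the `Request-ID` response header, which is what Intel asks for when a 404 needs escalation.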

cjqpker commented 2 years ago

@jsun39

(screenshot of the PCS response, 2022-09-08)

jdbeaney commented 2 years ago

This seems to be an issue with the way your BIOS is reporting the TXT TCB. Do you have TXT enabled? You may need to contact your BIOS vendor.

jsun39 commented 2 years ago

Sorry, I missed this thread. You need to check your BIOS (just as Jim mentioned, it is better to check with your BIOS vendor whether the "TXT" setting is exposed to the user), or you need to check your motherboard's jumper.

cjqpker commented 2 years ago

@jsun39 @jdbeaney
Our vendor updated the BIOS and now it works fine. Thanks a lot!