intel / SGXDataCenterAttestationPrimitives

Errors and warnings when try QuoteVerificationSample #291

Closed Jansper-x closed 1 year ago

Jansper-x commented 1 year ago

When I try to run the QuoteGenerationSample, everything works fine. But when I try to make and run the QuoteVerificationSample, I get errors and warnings like this. The OS of my server is CentOS Linux release 8.5.2111, the kernel version is 5.18.15, and the installed sgxsdk version is 2.18.1.

[root@localhost QuoteVerificationSample]# make
make[1]: Entering directory '/opt/intel/SGXDataCenterAttestationPrimitives1/SampleCode/QuoteVerificationSample'
GEN  =>  App/Enclave_u.h
CC   <=  App/Enclave_u.c
CXX  <=  App/App.cpp
LINK =>  app
GEN  =>  Enclave/Enclave_t.h
CC   <=  Enclave/Enclave_t.c
CXX  <=  Enclave/Enclave.cpp
g++ Enclave/Enclave_t.o Enclave/Enclave.o -o enclave.so -Wl,-z,relro,-z,now,-z,noexecstack -fPIC -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 -Wl,--whole-archive -lsgx_dcap_tvl -lsgx_trts -Wl,--no-whole-archive -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_tservice -Wl,--end-group -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections -Wl,--version-script=Enclave/Enclave.lds
echo "LINK =>  enclave.so"
LINK =>  enclave.so
The project has been built in release hardware mode.
Please sign the enclave.so first with your signing key before you run the app to launch and access the enclave.
To sign the enclave use the command:
   /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key <your key> -enclave enclave.so -out <enclave.signed.so> -config Enclave/Enclave.config.xml
You can also sign the enclave using an external signing tool.
To build the project in simulation mode set SGX_MODE=SIM. To build the project in prerelease mode set SGX_PRERELEASE=1 and SGX_MODE=HW.
make[1]: Leaving directory '/opt/intel/SGXDataCenterAttestationPrimitives1/SampleCode/QuoteVerificationSample'
[root@localhost QuoteVerificationSample]# ./app
Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat

Trusted quote verification:
    Error: Can't load SampleISVEnclave. 0x200f

===========================================

Untrusted quote verification:
    Error: tee_get_quote_supplemental_data_size failed: 0xe03b
    Warning: Quote supplemental data size is different between DCAP QVL and QvE, please make sure you installed DCAP QVL and QvE from same release.
    Error: App: tee_verify_quote failed: 0xe03b
    Error: App: Verification completed with Terminal result: a006

dashuaic commented 1 year ago

You need to sign the enclave as the message says: "Please sign the enclave.so first with your signing key before you run the app to launch and access the enclave. To sign the enclave use the command: /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key <your key> -enclave enclave.so -out <enclave.signed.so> -config Enclave/Enclave.config.xml". Or, for simplicity, you can just build with SGX_DEBUG=1, so that the enclave will be signed with the debug key.

Jansper-x commented 1 year ago

> You need to sign the enclave as the message says: "Please sign the enclave.so first with your signing key before you run the app to launch and access the enclave. To sign the enclave use the command: /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key <your key> -enclave enclave.so -out <enclave.signed.so> -config Enclave/Enclave.config.xml". Or, for simplicity, you can just build with SGX_DEBUG=1, so that the enclave will be signed with the debug key.

Thanks for your reply. Where can I get my signing key? And when I build it with SGX_DEBUG=1, the build succeeds. But I get some errors when I run the app, like this:

[root@localhost QuoteVerificationSample]# ./app
Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat

Trusted quote verification:
    Info: get target info successfully returned.
    Info: sgx_qv_set_enclave_load_policy successfully returned.
    Error: tee_get_quote_supplemental_data_size failed: 0xe03b
    Warning: Quote supplemental data size is different between DCAP QVL and QvE, please make sure you installed DCAP QVL and QvE from same release.
    Error: App: tee_verify_quote failed: 0xe03b
    Error: Ecall: Verify QvE report and identity failed. 0xe013
    Error: App: Verification completed with Terminal result: a006

===========================================

Untrusted quote verification:
    Error: tee_get_quote_supplemental_data_size failed: 0xe03b
    Warning: Quote supplemental data size is different between DCAP QVL and QvE, please make sure you installed DCAP QVL and QvE from same release.
    Error: App: tee_verify_quote failed: 0xe03b
    Error: App: Verification completed with Terminal result: a006

Does this mean the verification failed? How can I handle these situations?

dashuaic commented 1 year ago

The error 0xe03b means "Warning: Quote supplemental data size is different between DCAP QVL and QvE, please make sure you installed DCAP QVL and QvE from same release." You need to install the SDK and the QVL/QVE packages from the same release, so that they will have the same size of supplemental data.

> Where can I get my signing key.

No special requirement; you can just use OpenSSL to generate a new key, for example: openssl genrsa -out your_key_name.key -3 3072

Jansper-x commented 1 year ago

> The error 0xe03b means "Warning: Quote supplemental data size is different between DCAP QVL and QvE, please make sure you installed DCAP QVL and QvE from same release." You need to install the SDK and the QVL/QVE packages from the same release, so that they will have the same size of supplemental data.
>
> > Where can I get my signing key.
>
> No special requirement; you can just use OpenSSL to generate a new key, for example: openssl genrsa -out your_key_name.key -3 3072

Thanks for your reply. Following your steps I got successful results, but there is still a warning message. Will this message affect the result?

Warning: App: Verification completed with Non-terminal result: a002
[root@localhost QuoteVerificationSample]# ./app 
Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat

Trusted quote verification:
    Info: get target info successfully returned.
    Info: sgx_qv_set_enclave_load_policy successfully returned.
    Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
    Info: latest supplemental data major version: 3, minor version: 1, size: 336
    Info: App: tee_verify_quote successfully returned.
    Info: Ecall: Verify QvE report and identity successfully returned.
    Warning: App: Verification completed with Non-terminal result: a002
    Info: Supplemental data Major Version: 3
    Info: Supplemental data Minor Version: 1

===========================================

Untrusted quote verification:
    Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
    Info: latest supplemental data major version: 3, minor version: 1, size: 336
    Info: App: tee_verify_quote successfully returned.
    Warning: App: Verification completed with Non-terminal result: a002
    Info: Supplemental data Major Version: 3
    Info: Supplemental data Minor Version: 1

hyjiang commented 1 year ago

Warning a002 means your TCB is out of date. Please upgrade your BIOS and SGX SW to the latest version. Usually this warning would NOT be accepted, because it means the attester used an old version of FW/SW. But the final result should depend on your business logic.

FunnyShelby commented 5 months ago

I have a similar problem and do not know how to solve it. Thanks for all the help!

./app
[APP] Info: ECDSA quote path: ../QuoteGenerationSample/quote.dat
[APP] Trusted quote verification:
[APP] Error: Can't load SampleISVEnclave. 0x200f

===========================================

[APP] Untrusted quote verification:
[APP] Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
[APP] Info: latest supplemental data major version: 3, minor version: 3, size: 536
[APP] Info: App: tee_verify_quote successfully returned.
[APP] Warning: App: Verification completed with Non-terminal result: a008
[APP] Info: Supplemental data Major Version: 3
[APP] Info: Supplemental data Minor Version: 3
[APP] Info: Advisory ID: INTEL-SA-00289,INTEL-SA-00615
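
Added example, not code from the DCAP repository or from any commenter in this thread: a relying-party acceptance policy in C that turns the hex result the sample prints (a002, a006, a008) and the reported advisory IDs into an accept/reject decision. The enum values mirror DCAP's sgx_ql_qv_result_t; `rp_policy`, `accept_quote` and the helper names are hypothetical, and the policy values in `main` are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Values mirror DCAP's sgx_ql_qv_result_t, the hex code ./app prints. */
enum { QV_OK = 0x0000, QV_OUT_OF_DATE = 0xA002,
       QV_SW_HARDENING_NEEDED = 0xA007, QV_CONFIG_AND_SW_HARDENING_NEEDED = 0xA008 };

struct rp_policy {                 /* hypothetical; not a DCAP structure */
    bool allow_out_of_date;        /* stale TCB (a002) */
    bool allow_config_needed;      /* configuration part of a008 */
    const char *acked_advisories;  /* comma-separated IDs already mitigated */
};

/* Exact, comma-delimited membership test, so a prefix of an ID never matches. */
static bool list_has(const char *list, const char *id) {
    size_t n = strlen(id);
    for (const char *p = list; n && (p = strstr(p, id)); p += n)
        if ((p == list || p[-1] == ',') && (p[n] == '\0' || p[n] == ','))
            return true;
    return false;
}

/* Every reported advisory must be acknowledged; an empty report fails closed. */
static bool advisories_acked(const char *ids, const char *acked) {
    char buf[256]; int seen = 0;
    if (!ids || !acked || strlen(ids) >= sizeof buf) return false;
    strcpy(buf, ids);
    for (char *id = strtok(buf, ","); id; id = strtok(NULL, ","), seen++)
        if (!list_has(acked, id)) return false;
    return seen > 0;
}

/* Accept or reject a verified quote from its result code and advisory IDs. */
bool accept_quote(uint32_t result, const char *ids, const struct rp_policy *p) {
    switch (result) {
    case QV_OK:                  return true;
    case QV_OUT_OF_DATE:         return p->allow_out_of_date;
    case QV_SW_HARDENING_NEEDED: return advisories_acked(ids, p->acked_advisories);
    case QV_CONFIG_AND_SW_HARDENING_NEEDED:
        return p->allow_config_needed && advisories_acked(ids, p->acked_advisories);
    default:                     return false; /* a006 and any unlisted code */
    }
}

int main(void) {
    struct rp_policy strict = { false, true, "INTEL-SA-00289,INTEL-SA-00615" };
    return accept_quote(QV_OUT_OF_DATE, NULL, &strict); /* exit 0: a002 rejected */
}
```

Codes the switch does not list fall through to rejection, so adding a new accepted status is an explicit policy change.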