search

intel / SGXDataCenterAttestationPrimitives

Other
277 stars 165 forks source link

pccs service cannot be loaded on the SBX server of ubuntu22.04 #333

Closed Chen-Xintong closed 1 year ago

Chen-Xintong commented 1 year ago

HW: SPR CPU and ArcherCity Platform SGX Registration Server: SBX OS: ubuntu 22.04 Kernel: 5.19.0

When I run PCKIDRetrievalTool after set up pccs service, an error would be reported:

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.18.100.1

Warning: platform manifest is not available or current platform is not multi-package platform.
Error: network error, please check the network setting or whether the cache server is down.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

my pccs configuration:

$ cat /opt/intel/sgx-dcap-pccs/config/default.json
{
    "HTTPS_PORT" : 8090,
    "hosts" : "0.0.0.0",
    "uri": "https://sbx.api.trustedservices.intel.com/sgx/certification/v4/",
    "ApiKey" : "**********",
    "proxy" : "**********",
    "RefreshSchedule": "0 0 1 * * *",
    "UserTokenHash" : "**********",
    "AdminTokenHash" : "**********",
    "CachingFillMode" : "REQ",
    "LogLevel" : "info",
    "DB_CONFIG" : "sqlite",
    "sqlite" : {
        "database" : "database",
        "username" : "username",
        "password" : "password",
        "options" : {
            "host": "localhost",
            "dialect": "sqlite",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false,
        }
    },
    "mysql" : {
        "database" : "pckcache",
        "username" : "root",
        "password" : "mypass",
        "options" : {
            "host": "localhost",
            "port": "3306",
            "dialect": "mysql",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false
        }
    }
}

And the network setting:

$ cat /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf
# #############################################################
# PCCS server address
# support V3 version PCCS
#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
# support V4 version PCCS
PCCS_URL=https://localhost:8090/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
###############################################################

###############################################################
# when access pccs, user need provide the token
user_token = DfR2@qZmPG#vW5$sD
###############################################################

###############################################################
# Proxy settings:proxy type could be the following three types
# direct: means no proxy used
# default: system default proxy will be used
# manual: when this type was selected, user need provide the proxy_url

proxy_type    = direct
#proxy_type    = default
#proxy_type  = manual
#proxy_url   = http://proxy_url:proxy_port
###############################################################

I'm using 8090 as the pccs service port, and also subscribed a SBX api key from https://sbx.api.portal.trustedservices.intel.com/ , is there anything else that needs to be reconfigured?

Chen-Xintong commented 1 year ago

Libs version of sgx:

sudo dpkg -l | grep sgx
ii  libsgx-ae-id-enclave                              1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives ID enclave
ii  libsgx-ae-pce                                     2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions PCE
ii  libsgx-ae-qe3                                     1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions QE3
ii  libsgx-ae-qve                                     1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions QVE
ii  libsgx-ae-tdqe                                    1.18.100.1-jammy1                          amd64        Intel(R) Trust Domain Extensions QE
ii  libsgx-dcap-default-qpl                           1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Default Quote Provider Library
ii  libsgx-dcap-default-qpl-dbgsym                    1.18.100.1-jammy1                          amd64        debug symbols for libsgx-dcap-default-qpl
ii  libsgx-dcap-default-qpl-dev                       1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Default Quote Provider Library For Developers
ii  libsgx-dcap-ql                                    1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-dcap-ql-dbgsym                             1.18.100.1-jammy1                          amd64        debug symbols for libsgx-dcap-ql
ii  libsgx-dcap-ql-dev                                1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives For Developers
ii  libsgx-dcap-quote-verify                          1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-enclave-common                             2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Enclave Common Loader
ii  libsgx-enclave-common-dbgsym                      2.21.100.1-jammy1                          amd64        debug symbols for libsgx-enclave-common
ii  libsgx-enclave-common-dev                         2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Enclave Common Loader for Developers
ii  libsgx-epid                                       2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions EPID Quote Service
ii  libsgx-headers                                    2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Basic Headers for Developers
ii  libsgx-launch                                     2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Launch Service
ii  libsgx-pce-logic                                  1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-qe3-logic                                  1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-quote-ex                                   2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Unified Quote Service
ii  libsgx-quote-ex-dev                               2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Unified Quote Service for Developers
ii  libsgx-ra-uefi                                    1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions Registration Agent UEFI library
ii  libsgx-urts                                       2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions uRTS
ii  libsgx-urts-dbgsym                                2.21.100.1-jammy1                          amd64        debug symbols for libsgx-urts
rc  sgx-aesm-service                                  2.21.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions AESM Service
ii  sgx-dcap-pccs                                     1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions PCK Caching Service
ii  sgx-pck-id-retrieval-tool                         1.18.100.1-jammy1                          amd64        Intel(R) Software Guard Extensions: this tool is used to collect the platform information to retrieve the PCK certs from PCS(Provisioning Certification Server)
llly commented 1 year ago

You can change "CachingFillMode" : "REQ", to "CachingFillMode" : "LAZY", in /opt/intel/sgx-dcap-pccs/config/default.json then restart PCCS. And if this PCCS is previously used for production platform, you need backup and delete /opt/intel/sgx-dcap-pccs/pckcache.db before used for SHBX platform.

Chen-Xintong commented 1 year ago

You can change "CachingFillMode" : "REQ", to "CachingFillMode" : "LAZY", in /opt/intel/sgx-dcap-pccs/config/default.json then restart PCCS. And if this PCCS is previously used for production platform, you need backup and delete /opt/intel/sgx-dcap-pccs/pckcache.db before used for SHBX platform.

Thx after update config.json and run PCKIDRetrievalTool, and now there is no network error,

$ PCKIDRetrievalTool

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.18.100.1

Error opening pckid_retrieval.csv output file.

but got a new error from pccs service:

Aug 28 14:55:28 tdxbm systemd[1]: Started Provisioning Certificate Caching Service (PCCS).
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.467 [info]: DB Migration (Ver.0 -> 1) -- Start
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.470 [info]: DB Migration -- Done.
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.474 [info]: DB Migration (Ver.1 -> 2) -- Start
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.480 [info]: DB Migration -- Done.
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.483 [info]: DB Migration (Ver.2 -> 3) -- Start
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.487 [info]: DB Migration -- Done.
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.492 [error]: uncaughtException: The "path" argument must be of type string or an instance of Buffer or URL. Received undefined
Aug 28 14:55:29 tdxbm node[114352]: TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string or an instance of Buffer or URL. Received undefined
Aug 28 14:55:29 tdxbm node[114352]:     at Module.chmod (node:fs:1970:10)
Aug 28 14:55:29 tdxbm node[114352]:     at file:///opt/intel/sgx-dcap-pccs/pccs_server.js:82:8
Aug 28 14:55:29 tdxbm node[114352]: 2023-08-28 14:55:29.493 [error]: The "path" argument must be of type string or an instance of Buffer or URL. Received undefined
Aug 28 14:55:29 tdxbm systemd[1]: pccs.service: Deactivated successfully.
Aug 28 14:55:29 tdxbm systemd[1]: pccs.service: Consumed 1.020s CPU time.

This means which path in the wrong format, the url?

lingyuj commented 1 year ago

Hi Xintong, you are mssing "storage": "pckcache.db" in your config file.

llly commented 1 year ago

Correct. Change "logging" : false, in "sqlite" to

            "logging" : false,
            "storage": "pckcache.db"
Chen-Xintong commented 1 year ago

Correct. Change "logging" : false, in "sqlite" to

            "logging" : false,
            "storage": "pckcache.db"

Thanks for correction, updated the config again and now pccs service is running. But when I run the QuoteGeneration demo It occurs error:

 sudo ./app
[APP] Info: sgx_qe_set_enclave_load_policy is valid in in-proc mode only and it is optional: the default enclave load policy is persistent
[APP] Info: set the enclave load policy as persistent
[APP] Step1: Call sgx_qe_get_target_info:
[QPL] Error: No certificate data for this platform.
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe011
Error in sgx_qe_get_target_info. 0xe011

And the pccs log: 

2023-08-28 15:16:47.290 [info]: DB Migration (Ver.0 -> 1) -- Start
Aug 28 15:16:47 tdxbm node[123190]: 2023-08-28 15:16:47.293 [info]: DB Migration -- Done.
Aug 28 15:16:47 tdxbm node[123190]: 2023-08-28 15:16:47.302 [info]: DB Migration (Ver.1 -> 2) -- Start
Aug 28 15:16:47 tdxbm node[123190]: 2023-08-28 15:16:47.306 [info]: DB Migration -- Done.
Aug 28 15:16:47 tdxbm node[123190]: 2023-08-28 15:16:47.313 [info]: DB Migration (Ver.2 -> 3) -- Start
Aug 28 15:16:47 tdxbm node[123190]: 2023-08-28 15:16:47.317 [info]: DB Migration -- Done.
Aug 28 15:16:47 tdxbm node[123190]: 2023-08-28 15:16:47.397 [info]: HTTPS Server is running on: https://localhost:8090
Aug 28 15:18:10 tdxbm node[123190]: 2023-08-28 15:18:10.595 [info]: Client Request-ID : 02f1a72af6b04c51ab9c5711df6526d6
Aug 28 15:18:12 tdxbm node[123190]: 2023-08-28 15:18:12.196 [info]: Request-ID is : 8ebad56b48224c8bafaff97775fe7097
Aug 28 15:18:12 tdxbm node[123190]: 2023-08-28 15:18:12.196 [error]: Intel PCS server returns error(404).
Aug 28 15:18:12 tdxbm node[123190]: 2023-08-28 15:18:12.196 [error]: Intel PCS server returns error. Error code : 404
Aug 28 15:18:12 tdxbm node[123190]: 2023-08-28 15:18:12.197 [error]: Error: No cache data for this platform.
Aug 28 15:18:12 tdxbm node[123190]:     at Module.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
Aug 28 15:18:12 tdxbm node[123190]:     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Aug 28 15:18:12 tdxbm node[123190]:     at async LazyCachingMode.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:126:12)
Aug 28 15:18:12 tdxbm node[123190]:     at async Module.getPckCert (file:///opt/intel/sgx-dcap-pccs/services/pckcertService.js:115:16)
Aug 28 15:18:12 tdxbm node[123190]:     at async getPckCert (file:///opt/intel/sgx-dcap-pccs/controllers/pckcertController.js:77:25)
Aug 28 15:18:12 tdxbm node[123190]: 2023-08-28 15:18:12.201 [info]: 127.0.0.1 - - [28/Aug/2023:15:18:12 +0000] "GET /sgx/certification/v4/pckcert?qeid=54A752941D59A0247B3BCA4AE6C8A8CF&encrypted_ppid=0D62C45B8D133DD494068E36F44D0AEA25FA6EF78B487729>

Is the certificate expired or token error?

llly commented 1 year ago

Warning: platform manifest is not available or current platform is not multi-package platform.

You can set SGX factory reset to Enabled in BIOS setting. Then run PCKIDRetrievalTool again.

Chen-Xintong commented 1 year ago

Warning: platform manifest is not available or current platform is not multi-package platform.

You can set SGX factory reset to Enabled in BIOS setting. Then run PCKIDRetrievalTool again.

Hi, I set the SGX factory reset to enable and run PCKIDRetrievalTool:

sudo PCKIDRetrievalTool

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.18.100.1

Error: unexpected error occurred while sending data to cache server.
Registration status has been set to completed status.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

but the demo occured the same error 404:


2023-08-28 16:18:00.714 [info]: Client Request-ID : dc6842c5359e47d99879c93538cae849
Aug 28 16:18:02 tdxbm node[2864]: 2023-08-28 16:18:02.094 [info]: Request-ID is : c20ad4bf671e499dbafdbde1c92ff639
Aug 28 16:18:02 tdxbm node[2864]: 2023-08-28 16:18:02.094 [error]: Intel PCS server returns error(404).
Aug 28 16:18:02 tdxbm node[2864]: 2023-08-28 16:18:02.094 [error]: Intel PCS server returns error. Error code : 404
Aug 28 16:18:02 tdxbm node[2864]: 2023-08-28 16:18:02.094 [error]: Error: No cache data for this platform.
Aug 28 16:18:02 tdxbm node[2864]:     at Module.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
Aug 28 16:18:02 tdxbm node[2864]:     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Aug 28 16:18:02 tdxbm node[2864]:     at async LazyCachingMode.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:126:12)
Aug 28 16:18:02 tdxbm node[2864]:     at async Module.getPckCert (file:///opt/intel/sgx-dcap-pccs/services/pckcertService.js:115:16)
Aug 28 16:18:02 tdxbm node[2864]:     at async getPckCert (file:///opt/intel/sgx-dcap-pccs/controllers/pckcertController.js:77:25)
Aug 28 16:18:02 tdxbm node[2864]: 2023-08-28 16:18:02.095 [info]: 127.0.0.1 - - [28/Aug/2023:16:18:02 +0000] "GET /sgx/certification/v4/pckcert?qeid=E7EDB6D77570E91D5B6C86C8EB4D25D9&encrypted_ppid=67165D854DB412ABA86D61DC94616540998A91E0A5652ABFEEF4F21DBDAC10894647D0269D95CA33D00888EE1DCEA5A092082A9BDCEB89DA57A60CBF3EA91317658F720C85EF1B8C016228F4B66286226E7C7C0657A22A5214B27A89DD833E6D07E3441443C1016F5AD91813DB9FBE0A8E7247DA27C11D8AE1C18640A166ED04B6877BCADA09B9B834F24CFE4C26C715742DC8CA5EBABF876381AA8C080C8BA052CEC74BD76F6E9D4C95D15EB29E23610AD65A2B826D7A7BB7F68781B084D325D933D2F77ABB95F5DB3844F3EAA22ED3BDE015C4953A1692CA6616BBA7DECB5D5C5F30089D46141F8561F5A123FAC5AA67F1B47100491D71BC303057C527024B466F3AB48343216D0A864AD9A58AA46D54438AE7DB2E7EC716CE039CDB89A48D7C50716B39E497B21C8684DD86968EB3317572B277C2C401494B738C01E8217D9023481D8E35284A3273F1F314C5EA83159388D7AB44B7E0F24BE136EF07DE5D24175DE91DB8635A6944C041B990CCB32A0277F443C808B01EBF51583232B079&cpusvn=0606161803FF00040000000000000000&pcesvn=0E00&pceid=0000 HTTP/1.1" 404 32 "-" "-"```
llly commented 1 year ago

Can you copy PCCS log when running PCKIDRetrievalTool?

Chen-Xintong commented 1 year ago 
PCKIDRetrievalTool

Sure

2023-08-28 16:42:22.202 [info]: Client Request-ID : cac4a02b01b84fd59b9b7619b1d078c8
Aug 28 16:42:23 tdxbm node[2864]: 2023-08-28 16:42:23.667 [info]: Request-ID is : 960db691e96643708324f2004c3fc9a1
Aug 28 16:42:23 tdxbm node[2864]: 2023-08-28 16:42:23.667 [error]: Intel PCS server returns error(400).
Aug 28 16:42:23 tdxbm node[2864]: 2023-08-28 16:42:23.667 [error]: Intel PCS server returns error. Error code : 400
Aug 28 16:42:23 tdxbm node[2864]: 2023-08-28 16:42:23.667 [error]: Error: No cache data for this platform.
Aug 28 16:42:23 tdxbm node[2864]:     at Module.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
Aug 28 16:42:23 tdxbm node[2864]:     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Aug 28 16:42:23 tdxbm node[2864]:     at async LazyCachingMode.registerPlatforms (file:///opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:163:7)
Aug 28 16:42:23 tdxbm node[2864]:     at async Module.registerPlatforms (file:///opt/intel/sgx-dcap-pccs/services/platformsRegService.js:107:3)
Aug 28 16:42:23 tdxbm node[2864]:     at async postPlatforms (file:///opt/intel/sgx-dcap-pccs/controllers/platformsController.js:40:5)
Aug 28 16:42:23 tdxbm node[2864]: 2023-08-28 16:42:23.669 [info]: 127.0.0.1 - - [28/Aug/2023:16:42:23 +0000] "POST /sgx/certification/v4/platforms HTTP/1.1" 404 32 "-" "-"
lingyuj commented 1 year ago

Seems this line is wrong: PCCS_URL=https://localhost:8090/sgx/certification/v4/platforms Should be PCCS_URL=https://localhost:8090/sgx/certification/v4/

Chen-Xintong commented 1 year ago

Seems this line is wrong: PCCS_URL=https://localhost:8090/sgx/certification/v4/platforms Should be PCCS_URL=https://localhost:8090/sgx/certification/v4/

Thanks, change the PCCS_URL in /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf, now run PCKIDRetrievalTool:

$ sudo PCKIDRetrievalTool

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.18.100.1

Error: unexpected error occurred while sending data to cache server.
Registration status has been set to completed status.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

## pccs log
2023-08-28 16:50:57.390 [info]: Client Request-ID : 510397d7faa143e29b0ab0ae5051dc7d
Aug 28 16:50:57 tdxbm node[2864]: 2023-08-28 16:50:57.392 [info]: 127.0.0.1 - - [28/Aug/2023:16:50:57 +0000] "POST /sgx/certification/v4/ HTTP/1.1" 404 161 "-" "-"

but demo still error with 404😥

2023-08-28 16:50:36.341 [info]: Client Request-ID : 26e2c385676647d2b94d05b12a7c456e
Aug 28 16:50:37 tdxbm node[2864]: 2023-08-28 16:50:37.906 [info]: Request-ID is : 55391b13e9324076a9f18d491aca44ad
Aug 28 16:50:37 tdxbm node[2864]: 2023-08-28 16:50:37.907 [error]: Intel PCS server returns error(404).
Aug 28 16:50:37 tdxbm node[2864]: 2023-08-28 16:50:37.907 [error]: Intel PCS server returns error. Error code : 404
Aug 28 16:50:37 tdxbm node[2864]: 2023-08-28 16:50:37.907 [error]: Error: No cache data for this platform.
Aug 28 16:50:37 tdxbm node[2864]:     at Module.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
Aug 28 16:50:37 tdxbm node[2864]:     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Aug 28 16:50:37 tdxbm node[2864]:     at async LazyCachingMode.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:126:12)
Aug 28 16:50:37 tdxbm node[2864]:     at async Module.getPckCert (file:///opt/intel/sgx-dcap-pccs/services/pckcertService.js:115:16)
Aug 28 16:50:37 tdxbm node[2864]:     at async getPckCert (file:///opt/intel/sgx-dcap-pccs/controllers/pckcertController.js:77:25)
Aug 28 16:50:37 tdxbm node[2864]: 2023-08-28 16:50:37.908 [info]: 127.0.0.1 - - [28/Aug/2023:16:50:37 +0000] "GET /sgx/certification/v4/pckcert?qeid=E7EDB6D77570E91D5B6C86C8EB4D25D9&encrypted_ppid=B6F8744294D4116371D4316D80A9E71B0914DA5BFA0707D6244E6BA0F322171AE8491972EC9EEC9C6905478E4870935EA48A15CEC2EBB773D95EEB1657D63DEEE9671FCE53B792758AD8193DA0C7B874785453AE3BF2BFFAE91477643C73466CC606C9A9501F2EC67FA8F66D343CFCD3B2DBB54A8796AC3874BB139F9D7EA24AF9BF7743EA76B8BEE2959BF8E951C9C34452D642A58FBF52097C580CF918A6CEA0A18BEDE9A81EEFD0D69EC1B2D1AF6E999A8788D0CC98F9F0974AF5647FEE1CBBBB952F035DDD6559208CDE9585890395B4FA948775BCF6F2138DAAE27F4B444BAAB13E18D40DD7B64E20CE2A18EAF1B48399A141163C17242822E2D21B076FF2331903309FB2F0AEDFDBBC88859C52D71978032990880048B3CFC3DC355758F3F5F7C4514265B3708C57D7B656038CF4027A3937CF5BBCF85636CE463ED570BCE361A60DB0235D58E0AD69B5487FF391B081898EDA514E5F4446FD91FC21503E3EB880FCC029D9C1D35DE36BBACA45510204DFBBD9A1EB776287A33E9F5BB6&cpusvn=0606161803FF00040000000000000000&pcesvn=0E00&pceid=0000 HTTP/1.1" 404 32 "-" "-"

Did I need regenerate a new SBX API token?

jsun39 commented 1 year ago

Are you sure the platform is one pre-production platform?

Chen-Xintong commented 1 year ago

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/321, the only difference is CPU from EMR to SPR

Chen-Xintong commented 1 year ago

Hi @llly @lingyuj @jsun39 , after using SGX factory reset, I'm still facing the 127.0.0.1 - - [29/Aug/2023:15:22:03 +0000] "POST /sgx/certification/v4/ HTTP/1.1" 404 161 "-" "-"error. Now my setting:

$ cat /opt/intel/sgx-dcap-pccs/config/default.json
{
    "HTTPS_PORT" : 8090,
    "hosts" : "0.0.0.0",
    "uri": "https://sbx.api.trustedservices.intel.com/sgx/certification/v4/",
    "ApiKey" : "***",
    "proxy" : "***",
    "RefreshSchedule": "0 0 1 * * *",
    "UserTokenHash" : "***",
    "AdminTokenHash" : "***",
    "CachingFillMode" : "LAZY",
    "LogLevel" : "info",
    "DB_CONFIG" : "sqlite",
    "sqlite" : {
        "database" : "database",
        "username" : "username",
        "password" : "password",
        "options" : {
            "host": "localhost",
            "dialect": "sqlite",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false,
            "storage": "pckcache.db"
        }
    },
    "mysql" : {
        "database" : "pckcache",
        "username" : "root",
        "password" : "mypass",
        "options" : {
            "host": "localhost",
            "port": "3306",
            "dialect": "mysql",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false
        }
    }
}

$ cat /etc/sgx_default_qcnl.conf
{
  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.

  //PCCS server address
  "pccs_url": "https://localhost:8090/sgx/certification/v4/"

  // To accept insecure HTTPS certificate, set this option to false
  ,"use_secure_cert": false

  // You can use the Intel PCS or another PCCS to get quote verification collateral.  Retrieval of PCK
  // Certificates will always use the PCCS described in pccs_url.  When collateral_service is not defined, both
  // PCK Certs and verification collateral will be retrieved using pccs_url
  // ,"collateral_service": "https://sbx.api.trustedservices.intel.com/sgx/certification/v4/"

  // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
  // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
  // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version
  // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1
  // internally.  Currently, only values of 3.0 and 3.1 are valid.  Note, if you set this to 3.1, the PCCS use to retrieve
  // verification collateral must support the new 3.1 APIs.
  //,"pccs_api_version": "3.1"

  // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
  // It will first wait one second and then for all forthcoming retries it will double the waiting time.
  // By using retry_delay you disable this exponential backoff algorithm
  ,"retry_times": 6

  // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
  ,"retry_delay": 10

  // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
  // and failover to pccs_url as in legacy mode.
  //,"local_pck_url": "http://localhost:8090/sgx/certification/v4/"

  // If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache.
  // The PCK certificates will be cached in memory and then to the disk drive.
  // ===== Important: Once the local cache files are created, currently there is no other way to clean them other
  //                  than to delete them manually, or wait for them to expire after "pck_cache_expire_hours" hours.
  //                  To delete the cache files manually, go to these foders:
  //                       Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
  //                       Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
  //                  If there is a folder called .dcap-qcnl, delete it. Restart the service after all cache
  //                  folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
  ,"pck_cache_expire_hours": 168

  // To set cache expire time for quote verification collateral in hours
  // See the above comment for pck_cache_expire_hours for more information on the local cache.
  ,"verify_collateral_cache_expire_hours": 168

  // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates
  // from local cache files and will not request any PCK certificates from service providers, whether local or remote.
  // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with
  // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use
  // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform
  // that requires provisioning.
  ,"local_cache_only": false

  // You can add custom request headers and parameters to the get certificate API.
  // But the default PCCS implementation just ignores them.
  //,"custom_request_options" : {
  //  "get_cert" : {
  //    "headers": {
  //      "head1": "value1"
  //    },
  //    "params": {
  //      "param1": "value1",
  //      "param2": "value2"
  //    }
  //  }
  //}
}
$ cat /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf

# #############################################################
# PCCS server address
# support V3 version PCCS
# PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
# support V4 version PCCS
PCCS_URL=https://localhost:8090/sgx/certification/v4/
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
###############################################################

###############################################################
# when access pccs, user need provide the token
 user_token = ***
###############################################################

###############################################################
# Proxy settings:proxy type could be the following three types
# direct: means no proxy used
# default: system default proxy will be used
# manual: when this type was selected, user need provide the proxy_url

proxy_type    = direct
#proxy_type    = default
#proxy_type  = manual
#proxy_url   = http://proxy_url:proxy_port
###############################################################

Did I need change any configuration of these files?

fqiu1 commented 1 year ago

In /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf, It should be "PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms"

Chen-Xintong commented 1 year ago

In /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf, It should be "PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms"

Hi, if I change the PCCS_URL to https://localhost:8090/sgx/certification/v4/platforms in /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf and run PCKIDRetrievalTool, the pccs service will occur this error: https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/333#issuecomment-1695283539

fqiu1 commented 1 year ago

I think @lingyuj is referring uri in /opt/intel/sgx-dcap-pccs/config/default.json. You should use "https://localhost:8090/sgx/certification/v4/platforms" in /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf

lingyuj commented 1 year ago

My mistake. "https://localhost:8090/sgx/certification/v4/platforms" is correct. Please first make sure that the platform info data can be sent to cache server without issue and no errors occur.

Chen-Xintong commented 1 year ago

Please first make sure that the platform info data can be sent to cache server without issue and no errors occur.

Thx @lingyuj @fqiu1, how to check the data can be sent to cache server? Seems I don't have any cache server, is it required?

I've tried both "https://localhost:8090/sgx/certification/v4/platforms" and "https://localhost:8090/sgx/certification/v4/" in /etc/sgx_default_qcnl.confand /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf, but it still doesn't work.

fqiu1 commented 1 year ago

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this #321, the only difference is CPU from EMR to SPR

If you've changed CPU from EMR to SPR then you may be using production CPU. Would you please paste the output of "rdmsr -f 27:27 0xce"?

Chen-Xintong commented 1 year ago

rdmsr -f 27:27 0xce

$ sudo rdmsr -f 27:27 0xce
0
Chen-Xintong commented 1 year ago

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this #321, the only difference is CPU from EMR to SPR

If you've changed CPU from EMR to SPR then you may be using production CPU. Would you please paste the output of "rdmsr -f 27:27 0xce"?

I selected SBX in the SGX registration server option in Bios, does this require sbx.api.trustedservices.intel.com?

fqiu1 commented 1 year ago

It's a production one. You need to use Liv instead of SBX

  1. Stop PCCS
  2. Rename or remove the pckcache.db.
  3. Change the uri in /opt/intel/sgx-dcap-pccs/config/default.json and restart PCCS
  4. Redo the registration.
fqiu1 commented 1 year ago

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this #321, the only difference is CPU from EMR to SPR

If you've changed CPU from EMR to SPR then you may be using production CPU. Would you please paste the output of "rdmsr -f 27:27 0xce"?

I selected SBX in the SGX registration server option in Bios, does this require sbx.api.trustedservices.intel.com?

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this #321, the only difference is CPU from EMR to SPR

If you've changed CPU from EMR to SPR then you may be using production CPU. Would you please paste the output of "rdmsr -f 27:27 0xce"?

I selected SBX in the SGX registration server option in Bios, does this require sbx.api.trustedservices.intel.com?

You should not use SBX, because you're using a production CPU.

Chen-Xintong commented 1 year ago

It's a production one. You need to use Liv instead of SBX Stop PCCS Rename or remove the pckcache.db. Change the uri in /opt/intel/sgx-dcap-pccs/config/default.json and restart PCCS Redo the registration.

Sure, so I should use api.trustedservices.intel.com in the /opt/intel/sgx-dcap-pccs/config/default.json after change the registration server to LIV?

fqiu1 commented 1 year ago

yes

Chen-Xintong commented 1 year ago

Thanks a lot @fqiu1, after change registration server to LIV and re-configuration, the QuoteGeneration demo can works now!

FunnyShelby commented 5 months ago

HW: SPR CPU and ArcherCity Platform SGX Registration Server: SBX OS: ubuntu 22.04 Kernel: 5.19.0

When I run PCKIDRetrievalTool after set up pccs service, an error would be reported:

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.18.100.1

Warning: platform manifest is not available or current platform is not multi-package platform.
Error: network error, please check the network setting or whether the cache server is down.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

my pccs configuration:

$ cat /opt/intel/sgx-dcap-pccs/config/default.json
{
    "HTTPS_PORT" : 8090,
    "hosts" : "0.0.0.0",
    "uri": "https://sbx.api.trustedservices.intel.com/sgx/certification/v4/",
    "ApiKey" : "**********",
    "proxy" : "**********",
    "RefreshSchedule": "0 0 1 * * *",
    "UserTokenHash" : "**********",
    "AdminTokenHash" : "**********",
    "CachingFillMode" : "REQ",
    "LogLevel" : "info",
    "DB_CONFIG" : "sqlite",
    "sqlite" : {
        "database" : "database",
        "username" : "username",
        "password" : "password",
        "options" : {
            "host": "localhost",
            "dialect": "sqlite",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false,
        }
    },
    "mysql" : {
        "database" : "pckcache",
        "username" : "root",
        "password" : "mypass",
        "options" : {
            "host": "localhost",
            "port": "3306",
            "dialect": "mysql",
            "pool": {
                "max": 5,
                "min": 0,
                "acquire": 30000,
                "idle": 10000
            },
            "define": {
                "freezeTableName": true
            },
            "logging" : false
        }
    }
}

And the network setting:

$ cat /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf
# #############################################################
# PCCS server address
# support V3 version PCCS
#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
# support V4 version PCCS
PCCS_URL=https://localhost:8090/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
###############################################################

###############################################################
# when access pccs, user need provide the token
user_token = DfR2@qZmPG#vW5$sD
###############################################################

###############################################################
# Proxy settings:proxy type could be the following three types
# direct: means no proxy used
# default: system default proxy will be used
# manual: when this type was selected, user need provide the proxy_url

proxy_type    = direct
#proxy_type    = default
#proxy_type  = manual
#proxy_url   = http://proxy_url:proxy_port
###############################################################

I'm using 8090 as the pccs service port, and also subscribed a SBX api key from https://sbx.api.portal.trustedservices.intel.com/ , is there anything else that needs to be reconfigured?

Hello, why is user_token = DfR2@qZmPG#vW5$sD in your file like this? After I install pccs, "user_token hash" is automatically generated. However, the user_token in the file "/opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf" is entered by myself (it is also the same password entered when registering pccs). Just plain text for hash), do I have a problem with this?

FunnyShelby commented 5 months ago

Are you sure the platform is one pre-production platform?

Hello, do you know how to judge whether it is a pre-production platform

FunnyShelby commented 5 months ago

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this #321, the only difference is CPU from EMR to SPR

If you've changed CPU from EMR to SPR then you may be using production CPU. Would you please paste the output of "rdmsr -f 27:27 0xce"?

I selected SBX in the SGX registration server option in Bios, does this require sbx.api.trustedservices.intel.com?

Are you sure the platform is one pre-production platform?

Hi, I'm using the same platform as this #321, the only difference is CPU from EMR to SPR

If you've changed CPU from EMR to SPR then you may be using production CPU. Would you please paste the output of "rdmsr -f 27:27 0xce"?

I selected SBX in the SGX registration server option in Bios, does this require sbx.api.trustedservices.intel.com?

You should not use SBX, because you're using a production CPU.

Hello, do you know how to judge whether it is a production platform

FunnyShelby commented 5 months ago

Thanks a lot @fqiu1, after change registration server to LIV and re-configuration, the QuoteGeneration demo can works now!

hello. After you decided to use LIV, how did you complete the registration, please guide me