intel / SGXDataCenterAttestationPrimitives


MPA start failed and get pckcert 404 #364

Open reclock opened 6 months ago

reclock commented 6 months ago

Hello, I currently have a physical server machine with an Intel(R) Xeon(R) Silver 4310 * 2 CPU. The system is Ubuntu 22.04, virtualized using ESXi 7.0. Currently, the machine cannot be connected to the network.

  1. I found that machines with multiple CPUs need to register to use SGX. I installed the MPA service, but the service exited after starting it. [screenshot]

  2. I have enabled SGX reset mode and checked the log file /var/log/mpa_registration.log:

```
[22-01-2024 09:36:10] INFO: SGX Registration Agent version: 1.18.100.1
[22-01-2024 09:36:10] INFO: Starts Registration Agent Flow
[22-01-2024 09:36:10] Error: readUEFIVar: failed to open uefi variable /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45, error: No such file or directory
[22-01-2024 09:36:10] Error: getRegistrationStatus: SgxRegistrationStatus UEFI variable was not found or size not as expected
[22-01-2024 09:36:10] Error: getRegistrationStatus: SgxRegistrationStatus automatic size: 0, expected size: 7
[22-01-2024 09:36:10] Error: Registration Flow - getRegistrationStatus failed, error: 4
[22-01-2024 09:36:10] INFO: setRegistrationStatus: status.status=0x1a, statusUefi.status=0x02
[22-01-2024 09:36:10] Error: writeUEFIVar: failed to open uefi variable /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45, error: No such file or directory
[22-01-2024 09:36:10] Error: setRegistrationStatus: failed to write uefi variable
[22-01-2024 09:36:10] Error: setRegistrationStatus failed, error: 4
[22-01-2024 09:36:10] INFO: Completed Registration Agent Flow
```

  3. These are my BIOS settings: [screenshot]

  4. These are my ESXi settings: [screenshot]

My question is:

Q1: Does the MPA service need to be connected to the internet in order to be used? Is it impossible to complete registration without connecting to the internet? I ask because the Intel SGX DCAP Multipackage SW document (PDF) states that networking is required. [screenshot]

jsun39 commented 6 months ago

  1. Network is needed for MPA.
  2. MPA need be executed in host/bare-metal platform.

jsun39 commented 6 months ago

Of course, registration has two ways: 1. MPA is used to do direct registration. 2. PCKIDRetrieval tool could be used to do indirect registration. You can refer to: https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/DCAP_ECDSA_Orientation.pdf section 2.

reclock commented 6 months ago

```
root@shudun:/opt/intel/sgx-pck-id-retrieval-tool# ./PCKIDRetrievalTool
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.19.100.3
Warning: platform manifest is not available or current platform is not multi-package platform.
Error: network error, please check the network setting or whether the cache server is down.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!
```

This is pckid_retrieval.csv (attached).

I obtained the platform list using `python pccsadmin.py collect`; this is platform_list.json (attached).

Afterwards, I used platform_list.json but failed to get a PCK certificate from Intel with `python3 .\pccsadmin.py fetch`:

```
Request get: https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts?encrypted_ppid=...&pceid=0000 response: 404

Failed to get PCK certs for platform enc_ppid:..., pce_id:0000
```

reclock commented 6 months ago

in platform_list.json the platform_manifest is null

jsun39 commented 6 months ago

Did you execute this PCKIDRetrieval tool in host/bare-metal environment?

reclock commented 6 months ago

I executed PCKIDRetrieval on the virtual system Ubuntu 22.04 on ESXI because the machine already has ESXI installed. Do you mean that the host cannot install ESXI and should be installed directly on Ubuntu systems?

jsun39 commented 6 months ago

No.
You need to execute PCKIDRetrieval tool in host. Running it in VM could not do registration.

dashuaic commented 6 months ago

Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

reclock commented 6 months ago

> No. You need execute PCKIDRetrieval tool in host. Running it in VM could not do registration.

That means I need to uninstall VM and reinstall Ubuntu, and run PCKIDRetrieval directly in Ubuntu. Is this okay?

reclock commented 6 months ago

> Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

At present, I can only access the VM host, which does not have this file.

dashuaic commented 6 months ago

> Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

> At present, I can only access the VM host, which does not have this file.

You can't register your platform on VM because the registration process needs the information stored in these 2 variables. You need to register your platform on host (which owns these 2 variables); after that you can do normal action in VM.
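The check dashuaic asks for, as an added example that is not part of the DCAP project or of this thread: a small preflight script that looks for the SgxRegistrationStatus UEFI variable the MPA log complains about and decodes it. The efivarfs 4-byte attribute prefix and the 7-byte payload layout (version, size, status flags, error code) are assumptions stated in the comments; only the variable path and the "expected size: 7" figure come from the thread.

```python
import struct
from pathlib import Path

# Variable name as it appears in the MPA log and in this thread.
SGX_REG_STATUS_VAR = ("/sys/firmware/efi/efivars/"
                      "SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45")
EFIVARFS_ATTR_LEN = 4     # assumption: Linux efivarfs prefixes 4 attribute bytes
EXPECTED_PAYLOAD_LEN = 7  # "expected size: 7" in the MPA log above


def decode_registration_status(raw: bytes) -> dict:
    """Decode one efivarfs read of SgxRegistrationStatus into named fields.

    Assumed payload layout (not taken from the page): version u16 LE, size u16 LE,
    status flags u16 LE (bit0 = registration complete, bit1 = package info
    complete), error code u8.
    """
    if len(raw) < EFIVARFS_ATTR_LEN:
        raise ValueError("read shorter than the efivarfs attribute prefix")
    payload = raw[EFIVARFS_ATTR_LEN:]
    if len(payload) != EXPECTED_PAYLOAD_LEN:
        # Same condition MPA reports as "size not as expected".
        raise ValueError(f"payload size {len(payload)}, expected {EXPECTED_PAYLOAD_LEN}")
    version, size, flags, err = struct.unpack("<HHHB", payload)
    return {"version": version, "size": size,
            "registration_complete": bool(flags & 0x1),
            "package_info_complete": bool(flags & 0x2),
            "error_code": err}


def preflight(var_path=SGX_REG_STATUS_VAR) -> str:
    """Classify the platform the way the MPA log in this thread does."""
    path = Path(var_path)
    if not path.exists():
        # The case seen inside the ESXi guest: firmware does not expose the
        # variable to the VM, so MPA fails with "No such file or directory".
        return "not-present: register on the bare-metal host, not inside the VM"
    try:
        st = decode_registration_status(path.read_bytes())
    except (OSError, ValueError) as exc:
        return f"unreadable: {exc}"
    if st["registration_complete"]:
        return "registered: platform registration already completed"
    return f"pending: registration not complete (error code {st['error_code']})"


if __name__ == "__main__":
    print(preflight())
```

Run it as root on the bare-metal host; inside the guest it reports "not-present", which is the situation described in this thread.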

reclock commented 6 months ago

> Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

> At present, I can only access the VM host, which does not have this file.

> You can't register your platform on VM because the registration process needs the information stored in these 2 variables. You need to register your platform on host (which owns these 2 variables); after that you can do normal action in VM.

I understand what you said, but one issue is that other services are deployed on this machine, so reinstalling the system on it is not realistic. I can use another hard drive to boot into a system and complete the registration. Can we then put the original hard drive back and import the PCK certificate for remote attestation?

dashuaic commented 6 months ago

> Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

> At present, I can only access the VM host, which does not have this file.

> You can't register your platform on VM because the registration process needs the information stored in these 2 variables. You need to register your platform on host (which owns these 2 variables); after that you can do normal action in VM.

> I understand what you said, but one issue is that other services are deployed on this machine, so reinstalling the system on it is not realistic. I can use another hard drive to boot into a system and complete the registration. Can we then put the original hard drive back and import the PCK certificate for remote attestation?

Yes, you can replace hard drive and do registration to check.

reclock commented 6 months ago

OK. Now I can see that /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 exists on the host, but I get an error when using PCKIDRetrievalTool:

```
sudo LD_LIBRARY_PATH=. ./PCKIDRetrievalTool -platform_id "219d07423c796a6cb7a8e69622bc90ac"
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.20.100.2
Error: the retrieved data doesn't save to file, and it doesn't upload to cache server.
```

This machine does not have PCCS installed. PCCS is on another machine and is not connected to the network. It was deployed using the OFF_LINE mode.

How should I generate a pckid_retrieval.csv file? Where is the file?

reclock commented 6 months ago

Currently, I have completed registration and am using:

```
curl -v -X POST --data '{"platformManifest": "xxx", "pceid": "xxxx"}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts" -H "Ocp-Apim-Subscription-Key: {xxxx}" -H "Content-Type: application/json"
```

We also obtained the PCK certificate JSON, but encountered a 400 error when importing the certificate into the PCCS service. I use the command: `python3 pccsadmin.py put -i pck.json`

mp_pck.json (attached)

This is the error: [screenshot]

reclock commented 6 months ago

  1. ./PCKIDRetrievalTool generated the file pckid_retrieval.csv, then ./pccsadmin.py collect generated the file platform_list.json.

  2. ./pccsadmin.py fetch , error 404

pckid_retrieval.csv (attached)

platform_list.json (attached)

reclock commented 6 months ago

This is the process I am currently going through:

  1. mpa_manage -get_platform_manifest manifest.data

  2. curl -H "Content-Type: application/octet-stream" -v --data-binary @manifest.data -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"

     response: 648ADC27E4E5BD15BBF5B04F8A987A7F

  3. ./PCKIDRetrievalTool -platform_id 648ADC27E4E5BD15BBF5B04F8A987A7F

     This step cannot directly generate a CSV file and prompts to write it to PCCS. If you do not use the -platform_id parameter, it can directly generate CSV files.

  4. ./pccsadmin.py get, which gets the file platform_list.json

  5. Get the PCK cert: curl -v -X POST --data '{"platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json", which gets the file mp_pck.json

woogieboogie-jl commented 2 months ago

@reclock Greetings!

I've encountered same problem.

Currently I'm trying to get my platform_manifest and wondering how you managed to pull it off (the 'manifest.data' file). I've just copy-pasted the fifth column's data from the pckid_retrieval.csv file, but the Intel registration API keeps returning Error 400: InvalidRequestSyntax.

Do you have any updates on this thread? anyone?

FunnyShelby commented 1 month ago

> Hello, I currently have a physical server machine with an Intel(R) Xeon(R) Silver 4310 * 2 CPU. The system is Ubuntu 22.04, virtualized using ESXi 7.0. Currently, the machine cannot be connected to the network.

>   1. I found that machines with multiple CPUs need to register to use SGX. I installed the MPA service, but the service exited after starting it. [screenshot]
>   2. I have enabled SGX reset mode and checked the log file /var/log/mpa_registration.log:

> ```
> [22-01-2024 09:36:10] INFO: SGX Registration Agent version: 1.18.100.1
> [22-01-2024 09:36:10] INFO: Starts Registration Agent Flow
> [22-01-2024 09:36:10] Error: readUEFIVar: failed to open uefi variable /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45, error: No such file or directory
> [22-01-2024 09:36:10] Error: getRegistrationStatus: SgxRegistrationStatus UEFI variable was not found or size not as expected
> [22-01-2024 09:36:10] Error: getRegistrationStatus: SgxRegistrationStatus automatic size: 0, expected size: 7
> [22-01-2024 09:36:10] Error: Registration Flow - getRegistrationStatus failed, error: 4
> [22-01-2024 09:36:10] INFO: setRegistrationStatus: status.status=0x1a, statusUefi.status=0x02
> [22-01-2024 09:36:10] Error: writeUEFIVar: failed to open uefi variable /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45, error: No such file or directory
> [22-01-2024 09:36:10] Error: setRegistrationStatus: failed to write uefi variable
> [22-01-2024 09:36:10] Error: setRegistrationStatus failed, error: 4
> [22-01-2024 09:36:10] INFO: Completed Registration Agent Flow
> ```

>   3. These are my BIOS settings: [screenshot]
>   4. These are my ESXi settings: [screenshot]

> My question is:

> Q1: Does the MPA service need to be connected to the internet in order to be used? Is it impossible to complete registration without connecting to the internet? I ask because the Intel SGX DCAP Multipackage SW document (PDF) states that networking is required. [screenshot]

Hello, bro! I just came into contact with SGX, and I don't quite understand the specific operation of the content you talked about before. The problem you raised at the beginning is the same as mine, but I still haven't solved it yet. May I ask how you solved it step by step? (Politely) [screenshots]

dashuaic commented 1 month ago

Yes, the MPA requires a network to complete the registration process.

FunnyShelby commented 1 month ago

> Yes, the MPA requires a network to complete the registration process.

Thank you for your reply! But I don't know how to operate to complete this part[sad]