Intel® Software Guard Extensions Remote Attestation Sample Code now available

- Surenthar Selvaraj

Wow, it's good to hear about the new sample application for remote attestation.

Thanks

Thanks so much for sharing, it really helps my project.

Thanks,

Chenghong

Is there an equivalent of this code available for the SGX SDK for Linux?

Cheers,

Rodolfo

Best Reply

At this time there are no plans to provide a remote attestation sample for Linux OS.

- Surenthar Selvaraj

Hi Surenthar,

There is probably a small bug in the above sample code. It will never encrypt/decrypt the message if I run with simulated IAS.

In the Server code "Msg4Builder.cs":

    private void BuildNonIasMessage4(SpSequenceCheck sigmaSequenceCheck)
    {
        ...
        msg4.respHeader.respStatus = BitConverter.GetBytes((UInt32)enStatusCodes.raErrNone);
        ...

        // This is the successful end of the sequence.
        // Reset the state machine and return M4
        log.Info("*********** Remote Attestation Sequence Successful with Simulated IAS");
        log.Info("*********** Sending Msg4");
        ...
    }

Here, when the attestation is successful (I know the IAS is simulated and always returns success, but still the message sequence is successful, as you commented in the code), the msg4.respHeader.respStatus is set to raErrNone, which is defined in "Constants.cs":

    public enum enStatusCodes : uint
    {
        raErrNone = 0x00,                    // 00, Success
        raErrReqRejected = 0x01,             // 01, External error, ALL - request message was rejected
        raErrInternal = 0x02,                // 02, Internal error, for debug only
        raErrUnknown = 0x03,                 // 03, Internal error, a handshake error that is not expected.
        raErrMeasurement = 0x10,             // 10, Enclave measurement mismatch error from SP RA server
        raErrKeyCheckFail = 0x11,            // 11, SP RA server error checking ga in Msg3
        raErrCmacCheckFail = 0x12,           // 12, SP RA server error checking CMACsmk in Msg3
        raErrQuoteCheckFail = 0x13,          // 13, SP RA server error checking Quote in Msg3
        raErrREPORTDATACheckFail = 0x14,     // 14, SP RA server error checking REPORTDATA field for Msg3 replay
        raErrVerificationSigCheckFail = 0x15,// 15, SP RA server error checking verification report signature from IAS
        raErrIasGetSuccess = 0xC8,           // C8, (decimal 200) GET Operation success from IAS
        raErrIasCreated = 0xC9,              // C9, (decimal 201) Create Report successful from IAS
        raErrIasBadRequest = 0x190,          // 190, (decimal 400) Invalid Evidence Payload from IAS
        raErrIasUnauth = 0x191,              // 191, (decimal 401) Unauthorized response from IAS
        raErrIasNotFound = 0x194,            // 194, (decimal 404) Not Found response from IAS
        raErrIasInternal = 0x1F4,            // 1F4, (decimal 500) Internal Error from IAS
        raErrIasUnknown = 0x208              // 208, (decimal 520) Unknown IAS Error or Connection Error
    }

However, in the Client code "RemoteAttestation.cpp":

    pplx::task<int> PostM3Request() {
        return pplx::create_task([]() -> pplx::task<http_response> {
            ...
        }).then([](http_response response) -> int {
            if (response.status_code() == status_codes::OK) {
                ...
                responseHeader[L"respStatus"] = web::json::value::string(jsonDeserial.buildJsonObject(responseMessage.respHeader.getRespStatus(), 4));
                ...
                jsonDeserial.deserializeRespHeader(Pvalue1, m4ResponseMessage.respHeader);
                int status = converter.byteArrayToInt(m4ResponseMessage.respHeader.respStatus);
                if (status == 200 || status == 201) {
                    jsonDeserial.deserializeM4RespBody(Pvalue0, m4ResponseMessage.respMsg4Body);
                }
                else if (status == 400) {
                    cout << endl << "M4 Post response error with status code " << status << endl
                         << "Quote Attestation with IAS Failed. Check server logs for more info" << endl;
                    AbortProcess();
                }
                else {
                    cout << "M4 Post response error with status code " << status << endl;
                    AbortProcess();
                }
            }
            else {
                cout << "M4 Post response error with status code " << response.status_code() << endl;
                AbortProcess();
            }
            return 0;
        });
    }

When the Client receives the msg4 from the Server, the "m4ResponseMessage.respHeader.respStatus" should be 0, right? Then the program will abort because you only accept "200" and "201". So I think here you should also accept "0", otherwise the program doesn't go through when I run with simulated IAS. BTW, after I changed it to accept "0", it indeed encrypts/decrypts the message successfully.

Do I misunderstand the code somewhere, or is it really a bug?

Thanks,

Zhicong
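
The status mismatch described in the post above, worked through as an added example (this is not code from the post or from Intel's sample): a small client-side check in C++ that decodes the 4-byte respStatus the C# server writes with BitConverter.GetBytes (little-endian on x86) and decides what to do with Msg4. The RaStatus values are copied from Constants.cs as quoted above; decodeRespStatus, classifyMsg4Status, the M4Decision type and the simulatedIas flag are assumed names introduced here and are not part of the sample.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

// Mirrors enStatusCodes from the sample's Constants.cs (values as quoted
// in the post above; names shortened for C++).
enum class RaStatus : uint32_t {
    ErrNone                     = 0x00,  // success; set by the simulated-IAS path
    ErrReqRejected              = 0x01,
    ErrInternal                 = 0x02,
    ErrUnknown                  = 0x03,
    ErrMeasurement              = 0x10,
    ErrKeyCheckFail             = 0x11,
    ErrCmacCheckFail            = 0x12,
    ErrQuoteCheckFail           = 0x13,
    ErrReportDataCheckFail      = 0x14,
    ErrVerificationSigCheckFail = 0x15,
    IasGetSuccess               = 0xC8,  // decimal 200, GET success from IAS
    IasCreated                  = 0xC9,  // decimal 201, report created by IAS
    IasBadRequest               = 0x190, // decimal 400, invalid evidence payload
    IasUnauth                   = 0x191, // decimal 401
    IasNotFound                 = 0x194, // decimal 404
    IasInternal                 = 0x1F4, // decimal 500
    IasUnknown                  = 0x208  // decimal 520, unknown IAS/connection error
};

// The server fills respStatus with BitConverter.GetBytes((UInt32)...),
// which emits four little-endian bytes. Decode them explicitly instead of
// relying on the client host's endianness. (Assumed helper, not the
// sample's converter.byteArrayToInt.)
uint32_t decodeRespStatus(const std::vector<uint8_t>& bytes) {
    if (bytes.size() != 4) {
        throw std::invalid_argument("respStatus must be exactly 4 bytes");
    }
    return static_cast<uint32_t>(bytes[0])
         | (static_cast<uint32_t>(bytes[1]) << 8)
         | (static_cast<uint32_t>(bytes[2]) << 16)
         | (static_cast<uint32_t>(bytes[3]) << 24);
}

enum class M4Decision { Proceed, AbortIasFailed, AbortOther };

// What the client does with Msg4 given the decoded status. `simulatedIas`
// is an assumed client-side configuration flag (not in the sample): a
// status of raErrNone (0) is only a success signal on the simulated-IAS
// path, so it is accepted only when the client deliberately runs without
// IAS; otherwise only the IAS-derived 200/201 count as success.
M4Decision classifyMsg4Status(uint32_t status, bool simulatedIas) {
    switch (static_cast<RaStatus>(status)) {
        case RaStatus::IasGetSuccess:
        case RaStatus::IasCreated:
            return M4Decision::Proceed;
        case RaStatus::ErrNone:
            return simulatedIas ? M4Decision::Proceed : M4Decision::AbortOther;
        case RaStatus::IasBadRequest:
            return M4Decision::AbortIasFailed;  // quote attestation with IAS failed
        default:
            return M4Decision::AbortOther;      // any SP-side check failure
    }
}

int main() {
    // Constructed Msg4 header bytes, as the simulated-IAS server would emit
    // for raErrNone: {0x00, 0x00, 0x00, 0x00}.
    const std::vector<uint8_t> simulatedHeader = {0x00, 0x00, 0x00, 0x00};
    const uint32_t status = decodeRespStatus(simulatedHeader);

    const M4Decision withSim = classifyMsg4Status(status, true);
    const M4Decision withoutSim = classifyMsg4Status(status, false);
    std::cout << "status " << status
              << ": simulated build -> " << (withSim == M4Decision::Proceed ? "proceed" : "abort")
              << ", real-IAS build -> " << (withoutSim == M4Decision::Proceed ? "proceed" : "abort")
              << std::endl;
    return 0;
}
```

Gating the acceptance of 0 on an explicit simulation flag is a design choice made here: it keeps the fix of accepting raErrNone from silently widening the accept set in a build that talks to the real IAS, where only 200/201 should count as a successful attestation.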

Hi Surenthar,

It appears to be possible to run the remote attestation example on Linux at least in Debug mode, but communicating with the real Intel EPID server. The only thing required after standard installation of the driver, PSW and SDK is to copy the sdk/sample_libcrypto folder into SampleCode/RemoteAttestation and make the project. 

# Run from the extracted 'linux-sdk' folder
cp -R ./sdk/sample_libcrypto/ ./SampleCode/RemoteAttestation/ && cd ./SampleCode/RemoteAttestation/ && make SGX_MODE=HW SGX_DEBUG=1 && ./app

Best,

Marcell

Quote:

Surenthar Selvaraj (Intel) wrote:

At this time there are no plans to provide a remote attestation sample for Linux OS.
