Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SGX Quote attestation with IAS

Tags:

json

rest

sgx

ias

I was able to use run SGX in hardware mode and retrieve the SigRL successfully from IAS. But I'm struggling when trying to perform the Quote attestation using their REST API. I used the REST API interface description here. I connected successfully to the server with the HTTP POST request

https://test-as.sgx.trustedservices.intel.com:443/attestation//sgx/v1/report

But I always receive an error: 400 Bad request!?

On the client side I get msg3 as follows

ret = sgx_ra_proc_msg2(this->enclave->getContext(),
                               this->enclave->getID(),
                               sgx_ra_proc_msg2_trusted,
                               sgx_ra_get_msg3_trusted,
                               p_msg2,
                               size,
                               &p_msg3,
                               &msg3_size);

which returns SGX_SUCCESS. Then I prepare the quote in the p_msg3 structure

std::string quoteStr = ConvertToString(p_msg3->quote);
quoteStr = EncodeToBase64(quoteStr);

and finally I put the quote in the JSON string which results in

{"isvEnclaveQuote": "MDIwMDAxMDBlMzBhMDAwMDA0MDA...RiMjUyYTgxOGE4NTIzMzQxZDY3"}

which is now sent as payload to the IAS.

like image 941
wasp256 Avatar asked Jan 16 '17 21:01

wasp256


People also ask

How does Intel SGX remote attestation work?

During an Intel SGX remote attestation, the client’s quote is signed by collateral that is tied to a known TCB and the relying party uses this collateral to determine whether a client is current on security patches as of a certain date, out of date, or current but running with a sub-optimal security configuration.

What is Intel SGX DCAP?

With Intel SGX DCAP, software vendors are in control of the attestation process. Instead of contacting an Intel service for quote verification, the service provider or enterprise obtains the signing and verification collateral for platforms in their environment and uses this collateral to perform quote verification on premise.

What is Intel Software Guard Extensions (SGX)?

ByJohn P Mechalas Intel® Software Guard Extensions (Intel® SGX) is designed with an update mechanism which allows Intel to address security issues that might arise in the future. Intel also provides a mechanism for a client to cryptographically prove that these updates—a process referred to as a Trusted Compute Base (TCB) Recovery—have taken place.

How are updates to the attestation policy authorized?

This means: all updates to attestation policy must be authorized by signing the request with a user managed private key all updates to the set of trusted signing keys must be authorized by signing the request with a user managed private key The user must manage an X509 certificate for each private key.


1 Answers

400 Bad Request is generally returned if there is something wrong with your Quote.

Please double check whether the SPID and linkability options you used to create the Quote match and the one you used to register with IAS.

like image 187
fzgregor Avatar answered Oct 20 '22 19:10

fzgregor