I was able to use run SGX in hardware mode and retrieve the SigRL successfully from IAS. But I'm struggling when trying to perform the Quote attestation using their REST API. I used the REST API interface description here. I connected successfully to the server with the HTTP POST request
https://test-as.sgx.trustedservices.intel.com:443/attestation//sgx/v1/report
But I always receive an error: 400 Bad request!?
On the client side I get msg3 as follows
ret = sgx_ra_proc_msg2(this->enclave->getContext(),
this->enclave->getID(),
sgx_ra_proc_msg2_trusted,
sgx_ra_get_msg3_trusted,
p_msg2,
size,
&p_msg3,
&msg3_size);
which returns SGX_SUCCESS
.
Then I prepare the quote in the p_msg3 structure
std::string quoteStr = ConvertToString(p_msg3->quote);
quoteStr = EncodeToBase64(quoteStr);
and finally I put the quote in the JSON string which results in
{"isvEnclaveQuote": "MDIwMDAxMDBlMzBhMDAwMDA0MDA...RiMjUyYTgxOGE4NTIzMzQxZDY3"}
which is now sent as payload to the IAS.
During an Intel SGX remote attestation, the client’s quote is signed by collateral that is tied to a known TCB and the relying party uses this collateral to determine whether a client is current on security patches as of a certain date, out of date, or current but running with a sub-optimal security configuration.
With Intel SGX DCAP, software vendors are in control of the attestation process. Instead of contacting an Intel service for quote verification, the service provider or enterprise obtains the signing and verification collateral for platforms in their environment and uses this collateral to perform quote verification on premise.
ByJohn P Mechalas Intel® Software Guard Extensions (Intel® SGX) is designed with an update mechanism which allows Intel to address security issues that might arise in the future. Intel also provides a mechanism for a client to cryptographically prove that these updates—a process referred to as a Trusted Compute Base (TCB) Recovery—have taken place.
This means: all updates to attestation policy must be authorized by signing the request with a user managed private key all updates to the set of trusted signing keys must be authorized by signing the request with a user managed private key The user must manage an X509 certificate for each private key.
400 Bad Request
is generally returned if there is something wrong with your Quote.
Please double check whether the SPID and linkability options you used to create the Quote match and the one you used to register with IAS.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With