Posted to dev@teaclave.apache.org by algon <no...@github.com.INVALID> on 2022/01/15 11:36:17 UTC
[apache/incubator-teaclave-sgx-sdk] Running `mutual-ra` on different physical machines (Issue #369)
Hello,
I'm trying to run the `mutual-ra` sample program on different physical machines (running a server on machine A and a client on machine B), but I got an `SGX_ERROR_UNEXPECTED` error on the `ocall_get_update_info` [call](https://github.com/apache/incubator-teaclave-sgx-sdk/blob/565960cd7b4b36d1188459d75652619971c43f7e/samplecode/mutual-ra/enclave/src/cert.rs#L321-L324).
When I run both sides on the same machine, it works well.
Apparently, the root cause is calling `ocall_get_update_info` with the other machine's `platformInfoBlob` as an argument.
I wrote a simple [test program](https://gist.github.com/algon-320/9256454fb8d9ba8ad44bc3877d644175) which just calls `sgx_report_attestation_status` (the actual function that `ocall_get_update_info` calls).
When I give a machine's PIB and run the program on the same machine, it works as I expected (resulting in `SGX_SUCCESS` or `SGX_ERROR_UPDATE_NEEDED`).
However, when I give a machine's PIB and run the program on **the other machine**, it results in `SGX_ERROR_UNEXPECTED`.
I'm not completely sure about the `sgx_report_attestation_status` SDK function,
but it seems to expect to be called on the same machine as the source of the `platformInfoBlob`.
So, now I have two questions:
1. Is the `mutual-ra` sample program expected to run on different physical machines?
2. Can we call `sgx_report_attestation_status` with a `platformInfoBlob` generated on another physical machine?
<details>
<summary>My configuration</summary>
- machine A:
  - Motherboard: ASUS PRIME Z390-A
  - CPU: Core i7-9700K
  - OS: Ubuntu 20.04.3 LTS (Linux 5.11.0-46-generic)
  - Driver: in-kernel
  - PSW, SDK: latest
  - SGX supported: Yes
  - SGX launch config supported: Yes
- machine B:
  - System: Lenovo ThinkPad X1 Carbon 6th
  - CPU: i7-8550U
  - OS: Ubuntu 20.04.3 LTS (Linux 5.11.0-46-generic) with `nosgx` parameter
  - Driver: OOT-driver 2.11
  - PSW, SDK: latest
  - SGX supported: Yes
  - SGX launch config supported: No
</details>
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/369
You are receiving this because you are subscribed to this thread.
Message ID: <ap...@github.com>
Re: [apache/incubator-teaclave-sgx-sdk] Running `mutual-ra` on different physical machines (Issue #369)
Posted by volcano <no...@github.com.INVALID>.
We can't call `sgx_report_attestation_status` with a `platformInfoBlob` generated on another physical machine.
Please refer to: https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/369#issuecomment-1018393715
Re: [apache/incubator-teaclave-sgx-sdk] Running `mutual-ra` on different physical machines (Issue #369)
Posted by algon <no...@github.com.INVALID>.
Hi, @volcano0dr.
Thank you for the information!
After that, I made several changes to call `sgx_report_attestation_status` on the correct side and confirmed it works.
> Later, I will remove the call of `ocall_get_update_info` in the function that validates the `mra` certificate.
Should I close this issue, or leave it open until you apply the change?
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/369#issuecomment-1022761029
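The "call it on the correct side" fix discussed above, sketched as an added example that is not part of the thread or of the Teaclave SGX SDK: the verifier decodes the peer's `platformInfoBlob` but routes it back to the peer instead of passing it to its own `sgx_report_attestation_status`. All helper names are hypothetical, and the 4-byte TLV header and 101-byte payload (`SGX_PLATFORM_INFO_SIZE`) are assumptions about the blob layout.

```rust
// Added example: hypothetical helper names; no SGX SDK calls are made here.
const TLV_HEADER_LEN: usize = 4; // type, version, 2-byte size (assumed layout)
const PLATFORM_INFO_LEN: usize = 101; // SGX_PLATFORM_INFO_SIZE in the SGX SDK

#[derive(Debug, PartialEq)]
pub enum PibRoute {
    HandleLocally(Vec<u8>), // our own report: local update-info call is valid
    ReturnToPeer(Vec<u8>),  // peer's report: only the peer's machine can use it
}

#[derive(Debug, PartialEq)]
pub enum PibError { BadHex, BadLength(usize), SizeFieldMismatch }

/// Decode the hex `platformInfoBlob` field and drop the TLV header.
pub fn strip_tlv(pib_hex: &str) -> Result<Vec<u8>, PibError> {
    if pib_hex.len() % 2 != 0 || !pib_hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(PibError::BadHex);
    }
    let raw: Vec<u8> = (0..pib_hex.len()).step_by(2)
        .map(|i| u8::from_str_radix(&pib_hex[i..i + 2], 16).unwrap())
        .collect();
    if raw.len() != TLV_HEADER_LEN + PLATFORM_INFO_LEN {
        return Err(PibError::BadLength(raw.len()));
    }
    if u16::from_be_bytes([raw[2], raw[3]]) as usize != PLATFORM_INFO_LEN {
        return Err(PibError::SizeFieldMismatch);
    }
    Ok(raw[TLV_HEADER_LEN..].to_vec())
}

/// Decide where the blob may be consumed. `from_own_report` is true only when
/// the attestation report describes the machine this code is running on.
pub fn route_pib(pib_hex: &str, from_own_report: bool) -> Result<PibRoute, PibError> {
    let blob = strip_tlv(pib_hex)?;
    Ok(if from_own_report { PibRoute::HandleLocally(blob) } else { PibRoute::ReturnToPeer(blob) })
}

/// Constructed sample: header 15 02 0065 followed by 101 zero bytes.
pub fn sample_pib_hex() -> String {
    format!("15020065{}", "00".repeat(PLATFORM_INFO_LEN))
}

fn main() {
    let pib = sample_pib_hex();
    // Verifying the peer's certificate: do not hand the blob to the local SDK.
    println!("{:?}", route_pib(&pib, false).map(|r| matches!(r, PibRoute::ReturnToPeer(_))));
}
```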
Re: [apache/incubator-teaclave-sgx-sdk] Running `mutual-ra` on different physical machines (Issue #369)
Posted by algon <no...@github.com.INVALID>.
Thank you very much, @volcano0dr. I'll close this issue.
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/369#issuecomment-1031177631
Re: [apache/incubator-teaclave-sgx-sdk] Running `mutual-ra` on different physical machines (Issue #369)
Posted by volcano <no...@github.com.INVALID>.
@algon-320 I have fixed the issue.
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/369#issuecomment-1031146165
Re: [apache/incubator-teaclave-sgx-sdk] Running `mutual-ra` on different physical machines (Issue #369)
Posted by algon <no...@github.com.INVALID>.
Closed #369.
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave-sgx-sdk/issues/369#event-6017219864