gramine-sgx-ias-request: Quote is too small

[Alexander Lindner]

Hello everyone, 

I successfully created a quote using the /dev/attestation/user_report_data and /dev/attestation/quote workflow and saved my quote to a file on the host. I used the gramine-sgx-quote-dump tool to check the file and it looks correct. Now I want to verify the quote by using gramine-sgx-ias-request and later on gramine-sgx-ias-verify-report.
However, gramine-sgx-ias-request fails with
report: Quote is too small
Printed out by a size check of the data (https://github.com/gramineproject/gramine/blob/master/Pal/src/host/Linux-SGX/tools/ias-request/ias_request.c#L96) which is not in the code of the dump tool. So I don't know how to interpret this message. What is missing in my workflow?

Regards
Alex

[Dmitrii Kuvaiskii]

Dear Alex,

Could you show us the output of `gramine-sgx-quote-dump` on your quote file?

> --
> You received this message because you are subscribed to the Google Groups "Gramine Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gramine-user...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/FR2P281MB0609A0F92591A38E134632B1B0519%40FR2P281MB0609.DEUP281.PROD.OUTLOOK.COM.



--
Yours sincerely,
Dmitrii Kuvaiskii

[Alexander Lindner]

Dear Dmitrii,

of course:

gramine-sgx-quote-dump -m /tmp/fileSZMRP4

quote_body        :

 version          : 0002

 sign_type        : 0001

 epid_group_id    : 00000c21

 qe_svn           : 000c

 pce_svn          : 000c

 xeid             : 00000000

 basename         : 000000000000000000000000000000007b2ce2a6d4e3bf010ee5520c91023380

report_body       :

 cpu_svn          : 00000000000000000000800104021212

 misc_select      : 00000000

 reserved1        : 000000000000000000000000

 isv_ext_prod_id  : 00000000000000000000000000000000

 attributes.flags : 0000000000000007

 attributes.xfrm  : 0000000000000007

 mr_enclave       : 06b28e3d39ad74a3010d2b0fe1710fe9eccff7208917cd9b11b9ecf8d2ff4936

 reserved2        : 0000000000000000000000000000000000000000000000000000000000000000

 mr_signer        : 45761a34bab699da5bd22b822385de5e10d85d50757dc18dccc5cac59e753add

 reserved3        : 0000000000000000000000000000000000000000000000000000000000000000

 config_id        : 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

 isv_prod_id      : 0001

 isv_svn          : 0001

 config_svn       : 0000

 reserved4        : 000000000000000000000000000000000000000000000000000000000000000000000000000000000000

 isv_family_id    : 00000000000000000000000000000000

 report_data      : 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000062614c2074646174736d7261442d5554

signature_size    : 680 (0x2a8)

Regards
Alex

---

Von: Dmitrii Kuvaiskii <dmitrii....@gmail.com>
Gesendet: Dienstag, 11. Januar 2022 14:34
An: Alexander Lindner <ma...@alindner.org>
Cc: us...@gramineproject.io <us...@gramineproject.io>
Betreff: Re: gramine-sgx-ias-request: Quote is too small

 

[Dmitrii Kuvaiskii]

The quote object looks fine. What is the size of your file where the
quote is located? Could you show the output of `ls -l
/tmp/fileSZMRP4`?

On Tue, Jan 11, 2022 at 3:01 PM 'Alexander Lindner' via Gramine Users

> To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/FR2P281MB0609A19228E407E3A828A04EB0519%40FR2P281MB0609.DEUP281.PROD.OUTLOOK.COM.

[Alexander Lindner]

$ ll /tmp/fileSZMRP4
-rw-r--r-- 1 alindner alindner 436 Jan 11 14:40 /tmp/fileSZMRP4

---

Von: Dmitrii Kuvaiskii <dmitrii....@gmail.com>
Gesendet: Dienstag, 11. Januar 2022 15:06

[Dmitrii Kuvaiskii]

Alexander,

Something is wrong with your SGX quote or the way you save the file.

Your file is only 436 bytes in size, which means that it only contains the "sgx_quote_t" object and does *not* contain the Quoting Enclave signature (which is supposed to be of size 680).

I tried to reproduce your scenario, and I got the correct size of 1116 bytes in my quote. I used the EPID attestation.

I modified the LibOS/shim/test/regression/attestation.c test file as follows:
```
diff --git a/LibOS/shim/test/regression/attestation.c b/LibOS/shim/test/regression/attestation.c
@@ -233,6 +233,14 @@ static int test_quote_interface(void) {
     }

     sgx_quote_body_t* quote_body = (sgx_quote_body_t*)g_quote;
+    sgx_quote_t* quote = (sgx_quote_t*)g_quote;
+
+    printf("--- sizeof(sgx_quote_body)  = %lu\n", sizeof(sgx_quote_body_t));
+    printf("--- sizeof(sgx_quote)       = %lu\n", sizeof(sgx_quote_t));
+
+    printf("--- retrieved quote size    = %lu\n", (uint64_t)bytes);
+    printf("--- retrieved quote version = %lu\n", (uint64_t)quote_body->version);
+    printf("--- retrieved quote sigsize = %lu\n", (uint64_t)(quote->signature_size));

     if (quote_body->version != /*EPID*/2 && quote_body->version != /*DCAP*/3) {
         fprintf(stderr, "version of SGX quote is not EPID (2) and not ECDSA/DCAP (3)\n");
```

Then I rebuilt Gramine via `cd <gramine-root> && ninja -C build/ install`. Then I rebuilt the LibOS regression tests via `cd LibOS/shim/test/regression/ && RA_CLIENT_SPID=<my_spid> SGX=1 gramine-test build`.

Finally, when I run the test via `gramine-sgx attestation`, I see this output:
```
Test local attestation... SUCCESS
--- sizeof(sgx_quote_body)  = 432
--- sizeof(sgx_quote)       = 436
--- retrieved quote size    = 1116
--- retrieved quote version = 2
--- retrieved quote sigsize = 680
Test quote interface... SUCCESS
```

As you can see, the retrieved SGX quote has the correct size of 1116 (a sum of 436 and 680). The quote version is "2" which means the EPID quote.

So, please verify the retrieved SGX quote size by printf() in your application, and then verify how you dump this SGX quote into a file. You have a bug somewhere.

To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/FR2P281MB06099547AE1A298DD3BA0E0EB0519%40FR2P281MB0609.DEUP281.PROD.OUTLOOK.COM.

[Alexander Lindner]

Hello Dmitrii,

thank you for your detailed response. This realy helped me a lot!

After a lot of testing the final change is:

auto typed_quote = (sgx_quote_t*)quote;
dump.write((char *) typed_quote, sizeof(*typed_quote));

to

dump.write((char *) (quote), bytes);
As always, in retrospect it is obviously :) 

During this journey I found the device /dev/attestation/report in the old graphene repo, of which I couldn't find further documentation/information. Is it deprecated?
(https://github.com/gramineproject/graphene/blob/master/LibOS/shim/test/regression/attestation.c#L220)

Thanks
Alex

---

Von: Dmitrii Kuvaiskii <dmitrii....@gmail.com>
Gesendet: Mittwoch, 12. Januar 2022 09:06

[Dmitrii Kuvaiskii]

> During this journey I found the device /dev/attestation/report in the old graphene repo, of which I couldn't find further documentation/information. Is it deprecated?

> (https://github.com/gramineproject/graphene/blob/master/LibOS/shim/test/regression/attestation.c#L220)

The /dev/attestation/report pseudo-file (or "device" as you called it) is not deprecated. It is also there in the new (renamed) gramine repo:

  https://github.com/gramineproject/gramine/blob/66881cca331402825cf1b5f8c4f949a2c758892b/LibOS/shim/test/regression/attestation.c#L145

But you are right, we don't describe this pseudo-file in our documentation: https://gramine.readthedocs.io/en/latest/attestation.html#low-level-dev-attestation-interface. I guess this is what you meant? I'll add the documentation on the missing pseudo-files to that web page.

To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/FR2P281MB06095F395D45D210FDBBE1C2B0529%40FR2P281MB0609.DEUP281.PROD.OUTLOOK.COM.

[Alexander Lindner]

> The /dev/attestation/report pseudo-file (or "device" as you called it) is not deprecated. It is also there in the new (renamed) gramine repo:
  https://github.com/gramineproject/gramine/blob/66881cca331402825cf1b5f8c4f949a2c758892b/LibOS/shim/test/regression/attestation.c#L145

oh, somehow I missed that file.

> But you are right, we don't describe this pseudo-file in our documentation: https://gramine.readthedocs.io/en/latest/attestation.html#low-level-dev-attestation-interface. I guess this is what you meant? I'll add the documentation on the missing pseudo-files to that web page.

Would be nice. Based on the sgx_report_t type I guess is it the SGX REPORT created by EREPORT? However, I'll wait until you finished the doc. Thanks in advance.

Regards
Alex

---

Von: Dmitrii Kuvaiskii <dmitrii....@gmail.com>
Gesendet: Mittwoch, 12. Januar 2022 12:12

[Dmitrii Kuvaiskii]

> Based on the sgx_report_t type I guess is it the SGX REPORT created by EREPORT?

Yes, this is correct.

> However, I'll wait until you finished the doc.

Here you go: https://github.com/gramineproject/gramine/pull/333.
Soon-ish it will be reviewed and merged into Gramine, so you'll see
the updated text on
https://gramine.readthedocs.io/en/latest/attestation.html#low-level-dev-attestation-interface


On Wed, Jan 12, 2022 at 12:34 PM 'Alexander Lindner' via Gramine Users

> To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/FR2P281MB06090FB46C0DED081EDC9533B0529%40FR2P281MB0609.DEUP281.PROD.OUTLOOK.COM.