Getting Quotes out of Graphene


Hrishikesh Kamath

Feb 9, 2021, 1:08:57 AM
to sup...@graphene-project.io
Hello, I wanted to understand how to retrieve the SGX quotes out of Graphene. From my understanding of the codebase, I don't see retrieve_quote function being called anywhere. Further, I have also noticed that the verify IAS quote API requires a quote file. Where is this file being generated from? 

--
Thanks, 
Hrishikesh Kamath 

Kuvaiskii, Dmitrii

Feb 9, 2021, 4:19:58 AM
to Hrishikesh Kamath, sup...@graphene-project.io

Dear Kamath,

What exactly do you want to achieve? Do you want to use EPID or DCAP/ECDSA attestation scheme? Do you want to simply retrieve the SGX quote from within the application running inside Graphene-SGX? Or do you want to use a higher-level interface like RA-TLS?

Without your context, I’m assuming that you actually want to get the SGX quote from within the Graphene-SGX enclave. The interface to the SGX attestation subsystem in Graphene is through `/dev/attestation/` pseudo-filesystem. Please check this example: https://github.com/oscarlab/graphene/blob/master/LibOS/shim/test/regression/attestation.c#L279

Regarding IAS, I’m assuming you talk about the “ias_request” utility (https://github.com/oscarlab/graphene/tree/master/Pal/src/host/Linux-SGX/tools#intel-attestation-service-submitter). You can get the SGX quote from inside the enclave, by reading from `/dev/attestation/quote` and dumping the content into some file.

Feel free to outline your scenario more specifically, then we can help with more detailed info.

--
Dmitrii


Intel Deutschland GmbH
Registered Address: Am Campeon 10-12, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Gary Kershaw
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928

Hrishikesh Kamath

Feb 10, 2021, 12:42:20 AM
to Kuvaiskii, Dmitrii, sup...@graphene-project.io
Thank you for your response, Dmitrii. I wanted to get the quote from Graphene. Your answer helped me find that out. 
In the bash example, I can see the quote being generated in "/dev/attestation/quote", but I am not able to view it using cat. I get the following error message:

cat: quote: Permission denied

Even after adding this to the manifest:

sgx.allowed_files.quote = "file:/dev/attestation/quote"
sgx.allowed_files.report = "file:quote"

I faced a similar error in a python script:

fp = open("/dev/attestation/quote", "r").read()
print(fp)

Am I missing something?

Thank you for the response again. It was helpful. 

--
Thanks, 
Hrishikesh Kamath 

Kuvaiskii, Dmitrii

Feb 10, 2021, 3:06:53 AM
to Hrishikesh Kamath, sup...@graphene-project.io

The quote is *not* a text file. It is a binary file with the following format: https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_attest.h#L47-L58. Thus, you cannot read it and expect any meaningful text. You need to dump it in a file and then use the appropriate utilities like our Quote Dump https://github.com/oscarlab/graphene/tree/master/Pal/src/host/Linux-SGX/tools#sgx-quote-dump.

Also note that it’s not enough to simply open-and-read /dev/attestation/quote. You also need to: (1) enable SGX remote attestation in the manifest file, see https://graphene.readthedocs.io/en/latest/manifest-syntax.html#attestation-and-quotes, and (2) write arbitrary 64 bytes into /dev/attestation/user_report_data (this is to “initialize” the SGX quote with your enclave-specific data).

I also suggest to google “intel sgx quote” and read through the docs. This is a rather complicated and obscure part of the SGX technology 😊

By the way, /dev/attestation/quote is *not* a real file, it is a pseudo-file accessible only inside Graphene. Thus, there is no need to add things like `sgx.allowed_files.quote = “file:/dev/attestation/quote”` -- this tries to find a *host-level real* file, which is not present on your normal Linux. I also suggest to read about pseudo-files and the /dev filesystem in Linux.

--
Dmitrii

Vij, Mona

Feb 13, 2021, 8:30:37 PM
to Kuvaiskii, Dmitrii, Hrishikesh Kamath, sup...@graphene-project.io

As Dmitrii mentions below, we also already support remote attestation via the ra-tls helper tool. Please take a look at https://github.com/oscarlab/graphene/tree/master/Pal/src/host/Linux-SGX/tools/ra-tls

You will find that getting the quote is very simple: you write user_report_data in /dev/attestation/user_report_data and then read the quote from /dev/attestation/quote.

We plan to work on documenting this support in the near future.

Thanks
Mona
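The write-then-read procedure that Dmitrii and Mona describe above, plus a parser for the binary quote that comes back, as an added example. This is my code, not Graphene's or any of the posters': it assumes the `sgx_quote_t` layout from Graphene's `sgx_attest.h` (a 48-byte header followed by the 384-byte SGX report body and a `uint32` `signature_len`), assumes the enclave's manifest already has remote attestation enabled as in the manifest-syntax doc linked above, and `build_fake_quote` produces a constructed test vector with no valid signature so the parser can be exercised outside an enclave.

```python
#!/usr/bin/env python3
"""Added example (not Graphene project code): fetch an SGX quote through Graphene's
/dev/attestation pseudo-files and parse its fixed-layout part.

Assumed layout (Graphene's sgx_attest.h, sgx_quote_t):
  48-byte header (version, sign_type, epid_group_id, qe_svn, pce_svn, xeid, basename)
  384-byte sgx_report_body_t
  uint32 signature_len, followed by signature_len bytes of signature
The pseudo-files exist only inside Graphene-SGX, so nothing goes into sgx.allowed_files
for them; the manifest must have remote attestation enabled instead.
"""
import hashlib
import os
import struct
import sys

ATTESTATION_DIR = "/dev/attestation"   # pseudo-filesystem, visible only inside Graphene-SGX
REPORT_DATA_SIZE = 64                   # user_report_data must be exactly 64 bytes
QUOTE_HEADER_SIZE = 48
REPORT_BODY_SIZE = 384
SIG_LEN_OFFSET = QUOTE_HEADER_SIZE + REPORT_BODY_SIZE

# Offsets inside sgx_report_body_t (architectural SGX REPORT layout)
MR_ENCLAVE_OFF = 64
MR_SIGNER_OFF = 128
ISV_PROD_ID_OFF = 256       # uint16 isv_prod_id, immediately followed by uint16 isv_svn
REPORT_DATA_OFF = 320


def make_report_data(public_key: bytes) -> bytes:
    """Bind application data (e.g. a TLS public key) to the quote: SHA-256, zero-padded to 64 bytes."""
    return hashlib.sha256(public_key).digest().ljust(REPORT_DATA_SIZE, b"\x00")


def get_quote(report_data: bytes, attestation_dir: str = ATTESTATION_DIR) -> bytes:
    """Step 1: write 64 bytes to user_report_data; step 2: read the quote as raw bytes."""
    if len(report_data) != REPORT_DATA_SIZE:
        raise ValueError("user_report_data must be exactly 64 bytes")
    with open(os.path.join(attestation_dir, "user_report_data"), "wb") as f:
        f.write(report_data)
    with open(os.path.join(attestation_dir, "quote"), "rb") as f:   # binary: never open in text mode
        return f.read()


def parse_quote(quote: bytes) -> dict:
    """Decode the fields a verifier looks at first; bounds-check before trusting signature_len."""
    if len(quote) < SIG_LEN_OFFSET + 4:
        raise ValueError("quote too short for header + report body + signature_len")
    version, sign_type = struct.unpack_from("<HH", quote, 0)
    body = quote[QUOTE_HEADER_SIZE:SIG_LEN_OFFSET]
    (sig_len,) = struct.unpack_from("<I", quote, SIG_LEN_OFFSET)
    if len(quote) < SIG_LEN_OFFSET + 4 + sig_len:
        raise ValueError("quote truncated: signature_len exceeds available bytes")
    isv_prod_id, isv_svn = struct.unpack_from("<HH", body, ISV_PROD_ID_OFF)
    return {
        "version": version,
        "sign_type": sign_type,
        "mr_enclave": body[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + 32].hex(),
        "mr_signer": body[MR_SIGNER_OFF:MR_SIGNER_OFF + 32].hex(),
        "isv_prod_id": isv_prod_id,
        "isv_svn": isv_svn,
        "report_data": body[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_SIZE],
        "signature_len": sig_len,
    }


def report_data_matches(quote: bytes, expected: bytes) -> bool:
    """Verifier-side binding check: the enclave embedded exactly the 64 bytes we asked for."""
    return parse_quote(quote)["report_data"] == expected


def build_fake_quote(mr_enclave: bytes, mr_signer: bytes, isv_prod_id: int, isv_svn: int,
                     report_data: bytes) -> bytes:
    """Constructed test vector in sgx_quote_t layout; carries no valid signature (offline use only)."""
    assert len(mr_enclave) == 32 and len(mr_signer) == 32 and len(report_data) == REPORT_DATA_SIZE
    header = struct.pack("<HH", 2, 1) + b"\x00" * (QUOTE_HEADER_SIZE - 4)   # EPID v2, linkable
    body = bytearray(REPORT_BODY_SIZE)
    body[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + 32] = mr_enclave
    body[MR_SIGNER_OFF:MR_SIGNER_OFF + 32] = mr_signer
    struct.pack_into("<HH", body, ISV_PROD_ID_OFF, isv_prod_id, isv_svn)
    body[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_SIZE] = report_data
    signature = b"\x00" * 8                                                 # placeholder bytes
    return header + bytes(body) + struct.pack("<I", len(signature)) + signature


if __name__ == "__main__":
    # Inside Graphene-SGX: dump the quote for ias_request / quote dump and print the key fields.
    out_path = sys.argv[1] if len(sys.argv) > 1 else "quote.dat"
    rd = make_report_data(b"constructed placeholder for a public key")
    quote = get_quote(rd)
    with open(out_path, "wb") as f:
        f.write(quote)
    for k, v in parse_quote(quote).items():
        print(f"{k}: {v.hex() if isinstance(v, bytes) else v}")
```

Run inside the enclave as `python3 get_quote.py quote.dat`, then hand `quote.dat` to the quote-dump or `ias_request` tools from the thread. The report body sits at byte 48 in both the EPID (version 2) and DCAP (version 3) quote formats, so `parse_quote` reads MRENCLAVE, MRSIGNER and report_data correctly for either; only the 48-byte header differs. Parsing is not verification: a relying party still has to check the quote's signature with IAS or the DCAP quote-verification library before trusting any of these fields.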

Hrishikesh Kamath

Feb 13, 2021, 8:45:06 PM
to Vij, Mona, Kuvaiskii, Dmitrii, sup...@graphene-project.io
Got it. Thank you, Mona. 
--
Thanks, 
Hrishikesh Kamath 

Kuvaiskii, Dmitrii

Feb 23, 2021, 1:35:53 PM
to Hrishikesh Kamath, Vij, Mona, sup...@graphene-project.io

Kamath,

Please also look at the newly added attestation document: https://graphene.readthedocs.io/en/latest/attestation.html. Hope this helps in understanding it and how to use it.


Hrishikesh Kamath

Feb 24, 2021, 6:20:23 AM
to Kuvaiskii, Dmitrii, Vij, Mona, sup...@graphene-project.io
Thank you, Dmitrii, I will have a look at it.
--
Thanks, 
Hrishikesh Kamath 
