Quote verification with Microsoft Azure Attestation Service #537
Comments
How do you convert the Quote and the Data to the hex format? IIRC, the Azure Attestation API requires Base64 encoding, not just hex. Also, do you perform this on a MS Azure virtual machine? Again, IIRC, it is impossible to submit your locally generated SGX Quote to Azure Attestation. The SGX quote must be generated on the MS Azure CC VM.
@dimakuv Thanks for the reply. I am using an MS Azure CC VM for Quote generation. As for the Quote and report data, I am first converting them to Base64 encoding and then to hex.
@Lio101 Your code snippet looks correct. I can't see anything wrong with it. Can you ask this question to the Microsoft Azure Attestation team? I'd also be interested in their replies, and how to trouble-shoot such
Problem solved; the issue was with the format of the quote file. The MS attestation service needs the quote hex in Open Enclave format, which is different from the quote generated by the Intel SGX driver. To change it to OE format we just need to append You can look into these 2 quote files for reference:
Thanks @Lio101 for this investigation. This is very interesting to know. I think I understand what you were missing previously. You seem to have forgotten to install the Azure DCAP client plugin: https://github.com/microsoft/Azure-DCAP-Client. This plugin (as I understand it) interposes between Gramine and the Intel SGX DCAP software stack, and "transforms" Intel-formatted quotes into OE-formatted quotes. That's why I didn't have similar problems to yours when I tried it out. I'll be glad if you'll verify my theory by installing the Azure DCAP client plugin and re-doing your experiment.
@dimakuv
Hi,
I am trying to use the ra-tls-mbedtls example workflow but in place of using Intel Attestation Service, I am trying to use Microsoft Azure Attestation and specifically Azure Attestation Python Client Library.
Azure Attestation Service requires a JSON file that contains QuoteHex and EnclaveHeldDataHex (Report Data).
I am able to extract the quote and report data (public key of crt) from ra_tls_verify_dcap.c and save them to binary files. Next I am reading the two binary files, converting their data to hexadecimal format and passing them to the Azure Attestation Python Client Library script.
But I am getting the error "InvalidQuote".
A similar issue was mentioned in the Graphene project but I am not able to find any update regarding this in Gramine.