Quote verification with Microsoft Azure Attestation Service #537

Closed
Lio101 opened this issue Apr 20, 2022 · 6 comments

@Lio101

Lio101 commented Apr 20, 2022

Hi,
I am trying to use the ra-tls-mbedtls example workflow but in place of using Intel Attestation Service, I am trying to use Microsoft Azure Attestation and specifically Azure Attestation Python Client Library.

Azure Attestation Service require a JSON file that contains QuoteHex and EnclaveHeldDataHex(Report Data).

I am able to extract the quote and report data (public key of the crt) from ra_tls_verify_dcap.c and save them to binary files.
Next I am reading the two binary files, converting their data to hexadecimal format and passing them to the Azure Attestation Python Client Library script.

But I am getting error "InvalidQuote".

A similar issue was mentioned in the Graphene project but I am not able to find any update regarding this in Gramine.

@dimakuv
Contributor

dimakuv commented Apr 20, 2022

> Next I am reading the two binary files, converting their data to hexadecimal format

How do you convert the Quote and the Data to the hex format? IIRC, the Azure Attestation API requires Base64 encoding, not just hex.

Also, do you perform this on a MS Azure virtual machine? Again, IIRC, it is impossible to submit your locally generated SGX Quote to Azure Attestation. The SGX quote must be generated on the MS Azure CC VM.

@Lio101
Author

Lio101 commented Apr 20, 2022

@dimakuv Thanks for reply.

I am using MS Azure CC VM for Quote generation.

As for Quote and report data, I am first converting them to Base64 encoding and then to hex.

```python
from azure.identity import DefaultAzureCredential
from azure.security.attestation import AttestationClient

import base64
import binascii


# Raw SGX quote dumped from ra_tls_verify_dcap.c, Base64-encoded
with open('quote1', 'rb') as f:
    encodedQuote = base64.b64encode(f.read())
# print(binascii.hexlify(encodedQuote).decode())

# DER public key of the certificate (the report data), Base64-encoded
with open('key_der', 'rb') as f:
    encodedKey = base64.b64encode(f.read())
# print(binascii.hexlify(encodedKey).decode())


# Hex-encode the Base64 text ...
my_quote = binascii.hexlify(encodedQuote).decode()
my_runtime = binascii.hexlify(encodedKey).decode()

# ... and decode the hex back to bytes. Note that after this round trip
# `quote` and `runtime_data` hold the Base64 text of each file as bytes,
# not the raw file contents.
quote = bytes.fromhex(my_quote)
runtime_data = bytes.fromhex(my_runtime)
```

@dimakuv
Contributor

dimakuv commented Apr 21, 2022

@Lio101 Your code snippet looks correct. I can't see anything wrong about it.

Can you ask this question to the Microsoft Azure Attestation team? I'd also be interested in their replies, and in how to troubleshoot such InvalidQuote issues.

@Lio101
Author

Lio101 commented Apr 25, 2022

Problem solved, the issue was with the format of the quote file. MS attestation service needs the quote hex in Open Enclave format, which is different from the quote generated by the Intel SGX driver. To change it to OE format we just need to prepend 0100000002000000XXXX000000000000 to the quote hex, where XXXX is the size of the quote.

You can look into these 2 quote files for reference:

@Lio101 Lio101 closed this as completed Apr 25, 2022
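The 16-byte prefix described above, worked through in code. This is an added example written for this thread; it is not Gramine code and not the script Lio101 posted. It assumes (the page does not say so) that the prefix is Open Enclave's `oe_report_header_t`: little-endian `uint32 version = 1`, `uint32 report_type = 2` (OE_REPORT_TYPE_SGX_REMOTE) and a `size_t report_size`, which is why the hex reads `01000000 02000000 XXXX000000000000` with `XXXX` the quote length in little-endian. It also assumes Intel's DCAP quote layout (48-byte quote header, 384-byte report body, `report_data` at body offset 320) and the Gramine RA-TLS convention that `report_data` is SHA-256 of the certificate's DER public key followed by 32 zero bytes. `make_sample_quote` builds a constructed, unsigned quote with that layout so the block runs offline; a real quote would come from the enclave. The `check_intel_quote` and `runtime_data_matches` pre-checks are the things worth running locally before a round trip to the service returns only "InvalidQuote".

```python
"""Wrap/unwrap an Intel DCAP SGX quote in the Open Enclave report header and
pre-check the quote locally before submitting it to Azure Attestation.

Added example for this issue; not Gramine's or Lio101's code. Header layout,
quote layout and the RA-TLS report_data convention are assumptions documented
in the lead-in; the sample quote is constructed and carries no valid signature.
"""
import base64
import hashlib
import struct

OE_HEADER_FMT = "<IIQ"                              # version, report_type, report_size
OE_HEADER_LEN = struct.calcsize(OE_HEADER_FMT)      # 16 bytes
OE_REPORT_VERSION = 1
OE_REPORT_TYPE_SGX_REMOTE = 2                       # assumed OE enum value

SGX_QUOTE_HEADER_LEN = 48
SGX_REPORT_BODY_LEN = 384
SGX_REPORT_DATA_OFF = SGX_QUOTE_HEADER_LEN + 320    # report_data lives at body offset 320
SGX_REPORT_DATA_LEN = 64
SGX_QUOTE_VERSION_3 = 3                             # DCAP ECDSA quote format
SGX_ATT_KEY_ECDSA_P256 = 2


def wrap_oe(quote: bytes) -> bytes:
    """Prefix a raw Intel quote with the OE header (what Lio101 did by hand in hex)."""
    return struct.pack(OE_HEADER_FMT, OE_REPORT_VERSION,
                       OE_REPORT_TYPE_SGX_REMOTE, len(quote)) + quote


def unwrap_oe(blob: bytes) -> bytes:
    """Validate an OE header and return the Intel quote it carries."""
    if len(blob) < OE_HEADER_LEN:
        raise ValueError("shorter than an OE report header")
    version, rtype, size = struct.unpack_from(OE_HEADER_FMT, blob, 0)
    if version != OE_REPORT_VERSION or rtype != OE_REPORT_TYPE_SGX_REMOTE:
        raise ValueError(f"not an OE SGX remote report: version={version} type={rtype}")
    if size != len(blob) - OE_HEADER_LEN:
        raise ValueError(f"report_size {size} != payload length {len(blob) - OE_HEADER_LEN}")
    return blob[OE_HEADER_LEN:]


def is_oe_wrapped(blob: bytes) -> bool:
    """True only if the blob carries a consistent OE header."""
    try:
        unwrap_oe(blob)
        return True
    except ValueError:
        return False


def check_intel_quote(quote: bytes) -> None:
    """Sanity-check the raw quote fields a verifier parses first."""
    if len(quote) < SGX_QUOTE_HEADER_LEN + SGX_REPORT_BODY_LEN + 4:
        raise ValueError("quote too short for header + report body + signature length")
    version, key_type = struct.unpack_from("<HH", quote, 0)
    if version != SGX_QUOTE_VERSION_3 or key_type != SGX_ATT_KEY_ECDSA_P256:
        raise ValueError(f"unexpected quote version={version} att_key_type={key_type}")
    sig_len = struct.unpack_from("<I", quote, SGX_QUOTE_HEADER_LEN + SGX_REPORT_BODY_LEN)[0]
    if SGX_QUOTE_HEADER_LEN + SGX_REPORT_BODY_LEN + 4 + sig_len != len(quote):
        raise ValueError("signature_data_len does not match the quote length")


def report_data(quote: bytes) -> bytes:
    """The 64-byte report_data field of the quote's ISV report body."""
    return quote[SGX_REPORT_DATA_OFF:SGX_REPORT_DATA_OFF + SGX_REPORT_DATA_LEN]


def runtime_data_matches(quote: bytes, runtime_data: bytes) -> bool:
    """Assumed RA-TLS convention: report_data = SHA256(pubkey DER) || 32 zero bytes."""
    rd = report_data(quote)
    return rd[:32] == hashlib.sha256(runtime_data).digest() and rd[32:] == bytes(32)


def encode_for_maa(quote: bytes, runtime_data: bytes) -> dict:
    """Both encodings discussed in the thread: hex (Lio101's JSON) and base64url."""
    check_intel_quote(quote)
    if not runtime_data_matches(quote, runtime_data):
        raise ValueError("report_data does not commit to the runtime data")

    def b64url(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

    return {"QuoteHex": quote.hex(), "EnclaveHeldDataHex": runtime_data.hex(),
            "quote_b64url": b64url(quote), "runtimeData_b64url": b64url(runtime_data)}


def make_sample_quote(runtime_data: bytes, sig: bytes = b"\x41" * 64) -> bytes:
    """Constructed, unsigned quote with the right field layout; for local tests only."""
    header = struct.pack("<HH", SGX_QUOTE_VERSION_3, SGX_ATT_KEY_ECDSA_P256)
    header = header.ljust(SGX_QUOTE_HEADER_LEN, b"\0")
    body = bytearray(SGX_REPORT_BODY_LEN)
    body[320:352] = hashlib.sha256(runtime_data).digest()
    return header + bytes(body) + struct.pack("<I", len(sig)) + sig
```

For a 500-byte quote `wrap_oe` produces the prefix `0100000002000000f401000000000000`, i.e. the pattern from the post with `XXXX = f401` (500 = 0x01f4, little-endian). `is_oe_wrapped` is the quick way to tell which of the two formats a dumped file is in, which matters once the Azure DCAP client plugin is installed and the header is already present.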
@dimakuv
Contributor

dimakuv commented Apr 25, 2022

> MS attestation service needs the quote hex in Open Enclave format, which is different from the quote generated by the Intel SGX driver.

Thanks @Lio101 for this investigation. This is very interesting to know.

I think I understand what you were missing previously. You seem to have forgotten to install the Azure DCAP client plugin: https://github.com/microsoft/Azure-DCAP-Client. This plugin (as I understand it) interposes between Gramine and the Intel SGX DCAP software stack, and "transforms" Intel-formatted quotes into OE-formatted quotes.

That's why I didn't have problems similar to yours when I tried it out. I'll be glad if you verify my theory by installing the Azure DCAP client plugin and re-doing your experiment.

@Lio101
Author

Lio101 commented Apr 26, 2022

@dimakuv
Thanks for the information, quote verification works fine when Azure DCAP client plugin is installed, without making changes to the quote.
