
microsoft-azure-attestation's Introduction

page_type: sample
languages: c, csharp
products: azure
description: Learn how to perform Intel® SGX Attestation using Microsoft Azure Attestation

Sample code for Intel® SGX Attestation using Microsoft Azure Attestation

The Intel® SGX Attestation sample code demonstrates how to generate a quote from an SGX enclave using the Open Enclave SDK or the Intel SDK, and then get it validated by Microsoft Azure Attestation. The "enclave held data" for the quote is populated with the public key component that is held within the enclave.

The components used in the sample code are outlined in the following diagram: [SGX Attestation Overview Diagram]

The flow is:

  1. Build an SGX enclave
  2. Launch an SGX enclave and get SGX quote
  3. Persist SGX quote and Enclave Held Data (EHD) to JSON file
  4. Call Azure Attestation for validation
  5. Output validation results
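The flow above hinges on one binding that a relying party should check before trusting anything the service echoes back: the quote's REPORTDATA must commit to the enclave held data (EHD), which is how the public key inside the enclave becomes attached to the measurement. The following Go program is an added example, not code from this repository (whose samples are C and C#). It parses a JSON document shaped like the file step 3 persists (the field names MrEnclave, MrSigner, QuoteHex and EnclaveHeldDataHex are an assumption), checks that the first 32 bytes of REPORTDATA equal SHA-256(EHD) as an Open Enclave enclave sets them, and cross-checks the MRENCLAVE/MRSIGNER fields against the quote body. The quote it builds is a synthetic, unsigned buffer constructed for the example; Azure Attestation would reject it, so this is strictly the local pre-check, not a replacement for step 4.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Layout of an SGX ECDSA (v3) quote: a 48-byte quote header followed by the
// 384-byte report body. Offsets inside the report body are fixed by the SGX
// REPORT structure: MRENCLAVE at 64, MRSIGNER at 128, REPORTDATA (64 bytes) at 320.
const (
	quoteHeaderLen = 48
	reportBodyLen  = 384
	offMrEnclave   = quoteHeaderLen + 64
	offMrSigner    = quoteHeaderLen + 128
	offReportData  = quoteHeaderLen + 320
	reportDataLen  = 64
)

// QuoteFile mirrors the JSON persisted in step 3 (field names are an assumption).
type QuoteFile struct {
	MrEnclave          string `json:"MrEnclave"`
	MrSigner           string `json:"MrSigner"`
	QuoteHex           string `json:"QuoteHex"`
	EnclaveHeldDataHex string `json:"EnclaveHeldDataHex"`
}

// ExpectedReportData is what an Open Enclave enclave places in REPORTDATA when it
// requests a quote over enclave held data: SHA-256(EHD), then 32 zero bytes.
func ExpectedReportData(ehd []byte) [reportDataLen]byte {
	var rd [reportDataLen]byte
	sum := sha256.Sum256(ehd)
	copy(rd[:32], sum[:])
	return rd
}

// CheckEhdBinding verifies that the quote commits to this exact EHD. Without this
// check an attacker could pair a genuine quote with a public key of their choosing.
func CheckEhdBinding(quote, ehd []byte) error {
	if len(quote) < quoteHeaderLen+reportBodyLen {
		return fmt.Errorf("quote too short: %d bytes", len(quote))
	}
	want := ExpectedReportData(ehd)
	got := quote[offReportData : offReportData+reportDataLen]
	if !bytes.Equal(got, want[:]) {
		return errors.New("REPORTDATA != SHA-256(EHD): enclave held data is not bound to this quote")
	}
	return nil
}

// ValidateQuoteFile parses the persisted JSON, checks the EHD binding and checks that the
// measurement fields agree with the quote body. Returns the MRENCLAVE taken from the quote.
func ValidateQuoteFile(data []byte) (string, error) {
	var f QuoteFile
	if err := json.Unmarshal(data, &f); err != nil {
		return "", fmt.Errorf("bad JSON: %w", err)
	}
	quote, err := hex.DecodeString(f.QuoteHex)
	if err != nil {
		return "", fmt.Errorf("QuoteHex: %w", err)
	}
	ehd, err := hex.DecodeString(f.EnclaveHeldDataHex)
	if err != nil {
		return "", fmt.Errorf("EnclaveHeldDataHex: %w", err)
	}
	if err := CheckEhdBinding(quote, ehd); err != nil {
		return "", err
	}
	mrenclave := hex.EncodeToString(quote[offMrEnclave : offMrEnclave+32])
	if !strings.EqualFold(mrenclave, f.MrEnclave) {
		return "", fmt.Errorf("MrEnclave field %s does not match quote body %s", f.MrEnclave, mrenclave)
	}
	mrsigner := hex.EncodeToString(quote[offMrSigner : offMrSigner+32])
	if !strings.EqualFold(mrsigner, f.MrSigner) {
		return "", fmt.Errorf("MrSigner field %s does not match quote body %s", f.MrSigner, mrsigner)
	}
	return mrenclave, nil
}

// BuildSyntheticQuote fabricates a quote-shaped buffer (header + report body, no Quoting
// Enclave signature) with the given measurements and REPORTDATA bound to ehd. Constructed
// for this example only; it would fail step 4 at the service.
func BuildSyntheticQuote(mrenclave, mrsigner [32]byte, ehd []byte) []byte {
	q := make([]byte, quoteHeaderLen+reportBodyLen)
	q[0] = 3 // quote version 3 (little-endian uint16 at offset 0)
	copy(q[offMrEnclave:], mrenclave[:])
	copy(q[offMrSigner:], mrsigner[:])
	rd := ExpectedReportData(ehd)
	copy(q[offReportData:], rd[:])
	return q
}

// SampleQuoteFileJSON writes the JSON the sample would persist for a synthetic quote
// whose MRENCLAVE is 0x11 repeated and MRSIGNER is 0x22 repeated (constructed values).
func SampleQuoteFileJSON(ehd []byte) []byte {
	var mre, mrs [32]byte
	for i := range mre {
		mre[i], mrs[i] = 0x11, 0x22
	}
	q := BuildSyntheticQuote(mre, mrs, ehd)
	out, _ := json.Marshal(QuoteFile{
		MrEnclave:          hex.EncodeToString(mre[:]),
		MrSigner:           hex.EncodeToString(mrs[:]),
		QuoteHex:           hex.EncodeToString(q),
		EnclaveHeldDataHex: hex.EncodeToString(ehd),
	})
	return out
}

func main() {
	ehd := []byte("-----BEGIN PUBLIC KEY-----\nconstructed-enclave-public-key\n-----END PUBLIC KEY-----\n")
	doc := SampleQuoteFileJSON(ehd)
	mre, err := ValidateQuoteFile(doc)
	fmt.Println("MRENCLAVE:", mre, "error:", err)
	// Swap in different EHD for the same quote: the binding check must fail.
	var f QuoteFile
	if err := json.Unmarshal(doc, &f); err != nil {
		panic(err)
	}
	f.EnclaveHeldDataHex = hex.EncodeToString(append(ehd, '!'))
	tampered, _ := json.Marshal(f)
	_, err = ValidateQuoteFile(tampered)
	fmt.Println("tampered EHD rejected:", err != nil)
}
```

The same binding is what lets the relying party trust the public key that Azure Attestation returns in its token claims: the key is only meaningful because the quote, and therefore the hardware-signed measurement, hashes over it.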

See code sample to perform SGX attestation using Open Enclave SDK

See code sample to perform SGX attestation using Intel SDK

Sample code to manage trusted signing certificates for Isolated providers

The Microsoft Azure Attestation service (MAA) allows users to manage their own attestation provider instance. Furthermore, MAA enables users to operate their instance in Isolated mode. This means:

  • all updates to attestation policy must be authorized by signing the request with a user managed private key
  • all updates to the set of trusted signing keys must be authorized by signing the request with a user managed private key

The user must manage an X.509 certificate for each private key. Additionally, to share a signed request with the MAA service, the user must create a specific JWT format as defined in the MAA documentation. The JWT format itself is described in detail in RFC 7519.
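What "authorized by signing the request with a user managed private key" means in practice is an RFC 7519 JWT whose header carries the signer's X.509 certificate (the x5c header parameter) and whose signature the service checks against its set of trusted signing certificates. The Go program below is an added example, not the repository's signing tool and not the MAA implementation: it signs a request as the user would and then performs the check an Isolated provider has to make on receipt. Assumptions: a freshly generated self-signed certificate stands in for the user's managed certificate; the payload claim name "AttestationPolicy" and its base64url value are placeholders for the layout the MAA documentation defines; trusted certificates are matched by the SHA-256 of their DER encoding, which is this example's choice of comparison.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWT segments use unpadded base64url (RFC 7515, section 2).
var b64url = base64.RawURLEncoding

// Signer pairs the user-managed private key with the X.509 certificate that is
// registered in the provider's trusted signing certificate set.
type Signer struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewSelfSignedSigner generates a fresh RSA key and a self-signed certificate for it.
// This is a constructed stand-in for the user's real managed key and certificate.
func NewSelfSignedSigner(cn string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Signer{Key: key, Cert: cert}, nil
}

// SignRequest produces an RS256 JWT over the claims. The header's "x5c" carries the
// signing certificate so the verifier knows which trusted key to check against.
func (s *Signer) SignRequest(claims map[string]interface{}) (string, error) {
	header := map[string]interface{}{
		"alg": "RS256",
		"x5c": []string{base64.StdEncoding.EncodeToString(s.Cert.Raw)},
	}
	hb, err := json.Marshal(header)
	if err != nil { return "", err }
	pb, err := json.Marshal(claims)
	if err != nil { return "", err }
	signingInput := b64url.EncodeToString(hb) + "." + b64url.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64url.EncodeToString(sig), nil
}

// VerifyRequest is the service-side check for an Isolated provider: the "x5c" certificate
// must be one of the trusted signing certificates (matched by SHA-256 of its DER) and the
// signature must verify under that certificate's key. Only RS256 is accepted, so an
// "alg":"none" or HMAC token is rejected before any key is consulted.
func VerifyRequest(token string, trusted []*x509.Certificate) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWT: expected three segments") }
	hb, err := b64url.DecodeString(parts[0])
	if err != nil { return nil, err }
	var header struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	if err := json.Unmarshal(hb, &header); err != nil { return nil, err }
	if header.Alg != "RS256" { return nil, fmt.Errorf("unsupported alg %q", header.Alg) }
	if len(header.X5c) == 0 { return nil, errors.New("header carries no x5c certificate") }
	der, err := base64.StdEncoding.DecodeString(header.X5c[0])
	if err != nil { return nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	fp, isTrusted := sha256.Sum256(leaf.Raw), false
	for _, t := range trusted {
		if sha256.Sum256(t.Raw) == fp { isTrusted = true }
	}
	if !isTrusted { return nil, errors.New("signing certificate is not in the trusted set") }
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, errors.New("trusted certificate does not hold an RSA key") }
	sig, err := b64url.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	pb, err := b64url.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]interface{}
	if err := json.Unmarshal(pb, &claims); err != nil { return nil, err }
	return claims, nil
}
```

The order of checks in VerifyRequest is deliberate: the algorithm is pinned first, the certificate in the header is only ever used to select a key if it is already in the trusted set, and only then is the signature verified. Trusting whatever certificate a request carries in x5c would reduce the Isolated-mode protection to "anyone with a certificate can update policy".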

See a code sample to manage trusted signing certificates and keys for Isolated providers here

Customer code samples leveraging Azure Attestation


microsoft-azure-attestation's Issues

Build failing for Sample Code for Open Enclave SDK

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Getting linker error while building sgx.attest.sample.

Minimal steps to reproduce

On executing:

cd sgx.attest.sample/genquotes
make build

Getting a linker error in the last command of make build, i.e. this line of the Makefile.

OS and Version?

Trying to build this on an ACC Ubuntu 18.04 VM, with Open Enclave 0.14.0, installed using sudo apt install open-enclave.

Detailed Output

The output of make build command:

Compilers used: clang-8, clang++-8
LDFLAGS: -L/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave -nostdlib -nodefaultlibs -nostartfiles -Wl,--no-undefined -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--export-dynamic -Wl,-pie -Wl,--build-id -Wl,-z,noexecstack -Wl,-z,now -Wl,-gc-sections -loeenclave -loelibcxx -loelibc -loesyscall -loecore
INCDIR: /opt/openenclave/share/pkgconfig/../../include
CXXFLAGS: -nostdinc -m64 -fPIE -ftls-model=local-exec -fvisibility=hidden -fstack-protector-strong -fno-omit-frame-pointer -ffunction-sections -fdata-sections -mllvm -x86-speculative-load-hardening -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty/libcxx -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty/libc -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty -I/opt/openenclave/share/pkgconfig/../../include
oeedger8r ../remoteattestation.edl --trusted --trusted-dir ../common --search-path /opt/openenclave/share/pkgconfig/../../include --search-path /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx
Generating edge routine, for the Open Enclave SDK.
Processing ../remoteattestation.edl.
Processing /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx/platform.edl.
Processing /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx/attestation.edl.
Processing /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx/cpu.edl.
Processing /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx/debug.edl.
Processing /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx/thread.edl.
Processing /opt/openenclave/share/pkgconfig/../../include/openenclave/edl/sgx/switchless.edl.
Success.
clang++-8 -g -c -nostdinc -m64 -fPIE -ftls-model=local-exec -fvisibility=hidden -fstack-protector-strong -fno-omit-frame-pointer -ffunction-sections -fdata-sections -mllvm -x86-speculative-load-hardening -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty/libcxx -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty/libc -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty -I/opt/openenclave/share/pkgconfig/../../include  -I. -I.. -std=c++11 -DOE_API_VERSION=2 ecalls.cpp ../common/attestation.cpp ../common/crypto.cpp ../common/dispatcher.cpp
clang-8 -g -c -nostdinc -m64 -fPIE -ftls-model=local-exec -fvisibility=hidden -fstack-protector-strong -fno-omit-frame-pointer -ffunction-sections -fdata-sections -mllvm -x86-speculative-load-hardening -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty/libc -I/opt/openenclave/share/pkgconfig/../../include/openenclave/3rdparty -I/opt/openenclave/share/pkgconfig/../../include  -I.. -DOE_API_VERSION=2 ../common/remoteattestation_t.c
clang++-8 -o genquote_enclave attestation.o crypto.o ecalls.o dispatcher.o remoteattestation_t.o -L/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave -nostdlib -nodefaultlibs -nostartfiles -Wl,--no-undefined -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--export-dynamic -Wl,-pie -Wl,--build-id -Wl,-z,noexecstack -Wl,-z,now -Wl,-gc-sections -loeenclave -loelibcxx -loelibc -loesyscall -loecore
crypto.o: In function `Crypto::init_mbedtls()':
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:31: undefined reference to `mbedtls_ctr_drbg_init'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:32: undefined reference to `mbedtls_entropy_init'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:33: undefined reference to `mbedtls_pk_init'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:33: undefined reference to `mbedtls_entropy_func'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:36: undefined reference to `mbedtls_ctr_drbg_seed'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:46: undefined reference to `mbedtls_pk_info_from_type'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:45: undefined reference to `mbedtls_pk_setup'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:56: undefined reference to `mbedtls_ctr_drbg_random'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:55: undefined reference to `mbedtls_rsa_gen_key'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:68: undefined reference to `mbedtls_pk_write_pubkey_pem'
crypto.o: In function `Crypto::cleanup_mbedtls()':
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:86: undefined reference to `mbedtls_pk_free'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:87: undefined reference to `mbedtls_entropy_free'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:88: undefined reference to `mbedtls_ctr_drbg_free'
crypto.o: In function `Crypto::Sha256(unsigned char const*, unsigned long, unsigned char*)':
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:107: undefined reference to `mbedtls_sha256_init'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:109: undefined reference to `mbedtls_sha256_starts_ret'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:113: undefined reference to `mbedtls_sha256_update_ret'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:117: undefined reference to `mbedtls_sha256_finish_ret'
/home/shubham/microsoft-azure-attestation/sgx.attest.sample/genquotes/enclave/../common/crypto.cpp:122: undefined reference to `mbedtls_sha256_free'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(report.c.o): In function `oe_verify_raw_sgx_report':
/source/openenclave/enclave/sgx/report.c:69: undefined reference to `oe_aes_cmac_sign'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(link.c.o):(.data.oe_link_enclave.symbols+0x28): undefined reference to `oe_crypto_initialize'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(quote.c.o): In function `oe_get_quote_cert_chain_internal':
/source/openenclave/common/sgx/quote.c:416: undefined reference to `oe_cert_chain_read_pem'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(quote.c.o): In function `oe_verify_quote_internal':
/source/openenclave/common/sgx/quote.c:263: undefined reference to `oe_cert_chain_read_pem'
/source/openenclave/common/sgx/quote.c:270: undefined reference to `oe_cert_chain_get_leaf_cert'
/source/openenclave/common/sgx/quote.c:274: undefined reference to `oe_cert_chain_get_root_cert'
/source/openenclave/common/sgx/quote.c:278: undefined reference to `oe_cert_chain_get_cert'
/source/openenclave/common/sgx/quote.c:284: undefined reference to `oe_cert_get_ec_public_key'
/source/openenclave/common/sgx/quote.c:288: undefined reference to `oe_cert_get_ec_public_key'
/source/openenclave/common/sgx/quote.c:294: undefined reference to `oe_ec_public_key_read_pem'
/source/openenclave/common/sgx/quote.c:371: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/quote.c:372: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/quote.c:373: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/quote.c:374: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/quote.c:375: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/quote.c:376: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/quote.c:377: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/quote.c:378: undefined reference to `oe_cert_chain_free'
/source/openenclave/common/sgx/quote.c:301: undefined reference to `oe_ec_public_key_equal'
/source/openenclave/common/sgx/quote.c:332: undefined reference to `oe_sha256_init'
/source/openenclave/common/sgx/quote.c:333: undefined reference to `oe_sha256_update'
/source/openenclave/common/sgx/quote.c:338: undefined reference to `oe_sha256_update'
/source/openenclave/common/sgx/quote.c:340: undefined reference to `oe_sha256_final'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(quote.c.o): In function `_read_public_key':
/source/openenclave/common/sgx/quote.c:176: undefined reference to `oe_ec_public_key_from_coordinates'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(quote.c.o): In function `oe_get_sgx_quote_validity':
/source/openenclave/common/sgx/quote.c:719: undefined reference to `oe_cert_chain_get_leaf_cert'
/source/openenclave/common/sgx/quote.c:780: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/quote.c:781: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/quote.c:782: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/quote.c:783: undefined reference to `oe_cert_chain_free'
/source/openenclave/common/sgx/quote.c:723: undefined reference to `oe_cert_chain_get_root_cert'
/source/openenclave/common/sgx/quote.c:727: undefined reference to `oe_cert_chain_get_cert'
/source/openenclave/common/sgx/quote.c:733: undefined reference to `oe_cert_get_validity_dates'
/source/openenclave/common/sgx/quote.c:737: undefined reference to `oe_cert_get_validity_dates'
/source/openenclave/common/sgx/quote.c:743: undefined reference to `oe_cert_get_validity_dates'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(quote.c.o): In function `_ecdsa_verify':
/source/openenclave/common/sgx/quote.c:197: undefined reference to `oe_sha256_init'
/source/openenclave/common/sgx/quote.c:198: undefined reference to `oe_sha256_update'
/source/openenclave/common/sgx/quote.c:199: undefined reference to `oe_sha256_final'
/source/openenclave/common/sgx/quote.c:201: undefined reference to `oe_ecdsa_signature_write_der'
/source/openenclave/common/sgx/quote.c:209: undefined reference to `oe_ec_public_key_verify'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(collateral.c.o): In function `oe_validate_revocation_list':
/source/openenclave/common/sgx/collateral.c:279: undefined reference to `oe_cert_chain_read_pem'
/source/openenclave/common/sgx/collateral.c:289: undefined reference to `oe_cert_chain_read_pem'
/source/openenclave/common/sgx/collateral.c:331: undefined reference to `oe_crl_read_der'
/source/openenclave/common/sgx/collateral.c:320: undefined reference to `oe_crl_read_pem'
/source/openenclave/common/sgx/collateral.c:331: undefined reference to `oe_crl_read_der'
/source/openenclave/common/sgx/collateral.c:320: undefined reference to `oe_crl_read_pem'
/source/openenclave/common/sgx/collateral.c:356: undefined reference to `oe_cert_verify'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(collateral.c.o): In function `_get_crl_validity':
/source/openenclave/common/sgx/collateral.c:86: undefined reference to `oe_crl_get_update_dates'
/source/openenclave/common/sgx/collateral.c:93: undefined reference to `oe_crl_get_update_dates'
/source/openenclave/common/sgx/collateral.c:93: undefined reference to `oe_crl_get_update_dates'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(collateral.c.o): In function `oe_validate_revocation_list':
/source/openenclave/common/sgx/collateral.c:447: undefined reference to `oe_cert_chain_get_leaf_cert'
/source/openenclave/common/sgx/collateral.c:451: undefined reference to `oe_cert_get_validity_dates'
/source/openenclave/common/sgx/collateral.c:475: undefined reference to `oe_crl_free'
/source/openenclave/common/sgx/collateral.c:475: undefined reference to `oe_crl_free'
/source/openenclave/common/sgx/collateral.c:477: undefined reference to `oe_cert_chain_free'
/source/openenclave/common/sgx/collateral.c:478: undefined reference to `oe_cert_chain_free'
/source/openenclave/common/sgx/collateral.c:479: undefined reference to `oe_cert_free'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(sgxcertextensions.c.o): In function `_get_sgx_extension':
/source/openenclave/common/sgx/sgxcertextensions.c:401: undefined reference to `oe_cert_find_extension'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(tcbinfo.c.o): In function `oe_verify_ecdsa256_signature':
/source/openenclave/common/sgx/tcbinfo.c:1357: undefined reference to `oe_cert_chain_get_root_cert'
/source/openenclave/common/sgx/tcbinfo.c:1384: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/tcbinfo.c:1385: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/tcbinfo.c:1386: undefined reference to `oe_ec_public_key_free'
/source/openenclave/common/sgx/tcbinfo.c:1388: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/tcbinfo.c:1389: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/tcbinfo.c:1358: undefined reference to `oe_cert_chain_get_leaf_cert'
/source/openenclave/common/sgx/tcbinfo.c:1360: undefined reference to `oe_cert_get_ec_public_key'
/source/openenclave/common/sgx/tcbinfo.c:1361: undefined reference to `oe_cert_get_ec_public_key'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(tcbinfo.c.o): In function `_ecdsa_verify':
/source/openenclave/common/sgx/tcbinfo.c:1314: undefined reference to `oe_sha256_init'
/source/openenclave/common/sgx/tcbinfo.c:1315: undefined reference to `oe_sha256_update'
/source/openenclave/common/sgx/tcbinfo.c:1316: undefined reference to `oe_sha256_final'
/source/openenclave/common/sgx/tcbinfo.c:1318: undefined reference to `oe_ecdsa_signature_write_der'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(tcbinfo.c.o): In function `oe_verify_ecdsa256_signature':
/source/openenclave/common/sgx/tcbinfo.c:1367: undefined reference to `oe_ec_public_key_read_pem'
/source/openenclave/common/sgx/tcbinfo.c:1372: undefined reference to `oe_ec_public_key_equal'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(tcbinfo.c.o): In function `_ecdsa_verify':
/source/openenclave/common/sgx/tcbinfo.c:1326: undefined reference to `oe_ec_public_key_verify'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(verifier.c.o): In function `oe_verify_qve_report_and_identity':
/source/openenclave/enclave/sgx/verifier.c:215: undefined reference to `oe_sha256_init'
/source/openenclave/enclave/sgx/verifier.c:218: undefined reference to `oe_sha256_update'
/source/openenclave/enclave/sgx/verifier.c:224: undefined reference to `oe_sha256_update'
/source/openenclave/enclave/sgx/verifier.c:227: undefined reference to `oe_sha256_update'
/source/openenclave/enclave/sgx/verifier.c:231: undefined reference to `oe_sha256_update'
/source/openenclave/enclave/sgx/verifier.c:237: undefined reference to `oe_sha256_update'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(verifier.c.o):/source/openenclave/enclave/sgx/verifier.c:245: more undefined references to `oe_sha256_update' follow
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(verifier.c.o): In function `oe_verify_qve_report_and_identity':
/source/openenclave/enclave/sgx/verifier.c:250: undefined reference to `oe_sha256_final'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(sha.c.o): In function `oe_sha256':
/source/openenclave/common/sha.c:11: undefined reference to `oe_sha256_init'
/source/openenclave/common/sha.c:12: undefined reference to `oe_sha256_update'
/source/openenclave/common/sha.c:13: undefined reference to `oe_sha256_final'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(asym_keys.c.o): In function `_create_asymmetric_keypair':
/source/openenclave/enclave/asym_keys.c:129: undefined reference to `oe_kdf_derive_key'
/source/openenclave/enclave/asym_keys.c:145: undefined reference to `oe_ec_valid_raw_private_key'
/source/openenclave/enclave/asym_keys.c:151: undefined reference to `oe_kdf_derive_key'
/source/openenclave/enclave/asym_keys.c:162: undefined reference to `oe_ec_generate_key_pair_from_private'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(asym_keys.c.o): In function `_export_keypair':
/source/openenclave/enclave/asym_keys.c:191: undefined reference to `oe_ec_public_key_write_pem'
/source/openenclave/enclave/asym_keys.c:193: undefined reference to `oe_ec_private_key_write_pem'
/source/openenclave/enclave/asym_keys.c:207: undefined reference to `oe_ec_public_key_write_pem'
/source/openenclave/enclave/asym_keys.c:209: undefined reference to `oe_ec_private_key_write_pem'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(asym_keys.c.o): In function `_derive_asymmetric_key':
/source/openenclave/enclave/asym_keys.c:268: undefined reference to `oe_ec_private_key_free'
/source/openenclave/enclave/asym_keys.c:269: undefined reference to `oe_ec_public_key_free'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(endorsements.c.o): In function `oe_get_sgx_endorsements':
/source/openenclave/common/sgx/endorsements.c:402: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/endorsements.c:403: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/endorsements.c:404: undefined reference to `oe_cert_chain_free'
/source/openenclave/common/sgx/endorsements.c:374: undefined reference to `oe_cert_chain_get_leaf_cert'
/source/openenclave/common/sgx/endorsements.c:378: undefined reference to `oe_cert_chain_get_cert'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboeenclave.a(qeidentity.c.o): In function `oe_validate_qe_identity':
/source/openenclave/common/sgx/qeidentity.c:62: undefined reference to `oe_cert_chain_read_pem'
/source/openenclave/common/sgx/qeidentity.c:213: undefined reference to `oe_cert_chain_free'
/source/openenclave/common/sgx/qeidentity.c:214: undefined reference to `oe_cert_free'
/source/openenclave/common/sgx/qeidentity.c:90: undefined reference to `oe_cert_chain_get_leaf_cert'
/source/openenclave/common/sgx/qeidentity.c:94: undefined reference to `oe_cert_get_validity_dates'
/opt/openenclave/share/pkgconfig/../../lib/openenclave/enclave/liboecore.a(calls.c.o): In function `_handle_init_enclave':
/source/openenclave/enclave/core/sgx/calls.c:179: undefined reference to `oe_crypto_initialize'
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Makefile:25: recipe for target 'build' failed
make: *** [build] Error 1

Error installing the SGX driver

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

I'm referring to: https://github.com/Azure-Samples/microsoft-azure-attestation/tree/master/sgx.attest.sample.intel.sdk

Here is what I did:

  • Used the Azure portal to create a VM of the following type:
    • Security type: Confidential virtual machines
    • Image: Ubuntu Server 20.04 LTS (Confidential VM) - x64 Gen2 (although the documentation requests in point 1. to "Create an Azure Confidential Computing Ubuntu 18.04 VM." This is not possible.)
    • Size: Standard_DC2as_v5
  • On the newly launched VM:

The installation of this driver gives the following error:

Any log messages given by the failure

azureuser@sgx-test:~$ sudo ./sgx_linux_x64_driver_1.41.bin
Unpacking Intel SGX Driver ... done.
Verifying the integrity of the install package ... done.
Installing Intel SGX Driver ...
/tmp/sgx-driver-xcXmCw /home/azureuser
install -d /opt/intel/sgxdriver/package
install -d /opt/intel/sgxdriver/scripts
cp -r package/* /opt/intel/sgxdriver/package
install scripts/* /opt/intel/sgxdriver/scripts
/home/azureuser

Creating symlink /var/lib/dkms/sgx/1.41/source ->
                 /usr/src/sgx-1.41

DKMS: add completed.

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
'make' KDIR=/lib/modules/5.15.0-1036-azure/build...(bad exit status: 2)

Failed to build driver.
DKMS make.log for sgx-1.41 for kernel 5.15.0-1036-azure (x86_64)
Wed May 10 15:09:39 UTC 2023
Makefile:24: *** Can't install DCAP SGX driver with inkernel SGX support.  Stop.

Expected/desired behavior

No error.

OS and Version?

Ubuntu 20.04

Versions

20.04

Mention any other details that might be useful

NA

validatequotes fails on ubuntu 20.04

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

cd validatequotes.core
./runall.sh

Any log messages given by the failure

Unhandled exception. System.AggregateException: One or more errors occurred. (SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details)
---> Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details
---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Inspect inner exception for details
---> System.DllNotFoundException: Unable to load shared library 'libsecret-1.so.0' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: liblibsecret-1.so.0: cannot open shared object file: No such file or directory
at Microsoft.Identity.Client.Extensions.Msal.Libsecret.secret_schema_new(String name, Int32 flags, String attribute1, Int32 attribute1Type, String attribute2, Int32 attribute2Type, IntPtr end)
at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyringAccessor.GetLibsecretSchema()
at Microsoft.Identity.Client.Extensions.Msal.LinuxKeyringAccessor.Write(Byte[] data)
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
--- End of inner exception stack trace ---
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence()
at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalPublicClient.GetAccountsAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.SharedTokenCacheCredential.GetAccountAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Security.Attestation.AttestationRestClient.AttestSgxEnclaveAsync(AttestSgxEnclaveRequest request, CancellationToken cancellationToken)
at Azure.Security.Attestation.AttestationClient.AttestSgxEnclaveInternal(AttestationRequest request, Boolean async, CancellationToken cancellationToken)
at Azure.Security.Attestation.AttestationClient.AttestSgxEnclaveAsync(AttestationRequest request, CancellationToken cancellationToken)
at validatequotes.Program.RunAsync() in /home/azureuser/microsoft-azure-attestation/sgx.attest.sample.intel.sdk/validatequotes.core/Program.cs:line 79
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.WaitAllCore(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Task.WaitAll(Task[] tasks)
at validatequotes.Program.Main(String[] args) in /home/azureuser/microsoft-azure-attestation/sgx.attest.sample.intel.sdk/validatequotes.core/Program.cs:line 19

Expected/desired behavior

Example Working

OS and Version?

Ubuntu 20.04

Versions

Mention any other details that might be useful

Running the test cases for genquotes on 20.04 works well, but the validatequotes suite breaks down looking for libsecret-1.so.0

Issue with validatequotes

This issue is for a:

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

cd sgx.attest.sample.intel.sdk/validatequotes.core
./runone.sh

Any log messages given by the failure

dnat@myvm:~/microsoft-azure-attestation/sgx.attest.sample.intel.sdk/validatequotes.core$ ./runone.sh 
[04:42:16.901] : 
[04:42:16.923] : ************************************************************************************************************************
[04:42:16.923] : *      PARAMETERS FOR THIS RUN
[04:42:16.923] : ************************************************************************************************************************
[04:42:16.923] : Validating filename                : ../genquotes/out/enclave.info.prodid.json
[04:42:16.923] : Using attestation provider         : sharedcus.cus.attest.azure.net
[04:42:16.923] : Including details                  : True
** Message: 04:42:17.094: Remote error from secret service: org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Secret.Collection' on object at path /org/freedesktop/secrets/collection/login
Unhandled exception. System.AggregateException: One or more errors occurred. (SharedTokenCacheCredential authentication failed: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.)
 ---> Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.
 ---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Data was written but it could not be read. Possible cause: on Linux, LibSecret is installed but D-Bus isn't running because it cannot be started over SSH.
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence()
   at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalPublicClient.GetAccountsAsync(Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetAccountAsync(Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Security.Attestation.AttestationRestClient.AttestSgxEnclaveAsync(AttestSgxEnclaveRequest request, CancellationToken cancellationToken)
   at Azure.Security.Attestation.AttestationClient.AttestSgxEnclaveInternal(AttestationRequest request, Boolean async, CancellationToken cancellationToken)
   at Azure.Security.Attestation.AttestationClient.AttestSgxEnclaveAsync(AttestationRequest request, CancellationToken cancellationToken)
   at validatequotes.Program.RunAsync() in /home/dnat/microsoft-azure-attestation/sgx.attest.sample.intel.sdk/validatequotes.core/Program.cs:line 79
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.WaitAllCore(Task[] tasks, Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Threading.Tasks.Task.WaitAll(Task[] tasks)
   at validatequotes.Program.Main(String[] args) in /home/dnat/microsoft-azure-attestation/sgx.attest.sample.intel.sdk/validatequotes.core/Program.cs:line 19

OS and Version?

Ubuntu 18.04

Mention any other details that might be useful

I am trying to run the intel sdk attestation example on an Azure DC8 v2 instance. The genquotes portion seems to work. However, I am getting a DBus error during the validatequotes portion (when calling maaService.AttestSgxEnclaveAsync).

I am also a little unclear about how access to “default” azure attestation providers (like sharedcus.cus.attest.azure.net) is supposed to work. Is access to services provided by these attestation providers automatic and guaranteed (assuming I have an Azure subscription), or do I need to configure something in my subscription to be able to use any of these default services? If so, could this be the issue? Thanks!

Outdated README links/code

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Mention any other details that might be useful

It appears that the sgx.attest.sample.intel.sdk readme references both files and code that no longer exist under the Remote Quote Validation via MAA Attestation heading. A similar case exists for the sgx.attest.sample.oe.sdk readme.

Signature verification

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Any log messages given by the failure

Expected/desired behavior

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

Versions

Mention any other details that might be useful

Hello,

Thanks to your work, I was able to successfully verify an attestation generated by an Azure CVM.

However, I am struggling to understand how your code verifies the signature of a JWT. I want to ensure that the JWT generated is authentic, has not been tampered with, and was issued by Azure Attestation. Although I have reviewed your code, I am still unclear on the specific steps you are following. Could you please provide some clarity on this matter? How can I reproduce the steps without using the code? Any help you can offer would be greatly appreciated.

Thank you,


Thanks! We'll be in touch soon.
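The steps the post above asks about, reproduced without the sample's C# code, as an added example that is not part of this repository: a relying party fetches the provider's JWKS, picks the key whose `kid` matches the token header, verifies the RS256 signature over the received `header.payload` bytes, and only then reads the claims and checks `iss`, `nbf` and `exp`. Everything below is standard library only; the RSA key pair, the JWKS document, the issuer URL and the claim values are constructed for the demo, and the signing-key URL `https://<provider>/certs` is an assumption about where a real JWKS is fetched from.

```python
"""Added example, not code from the sample: verify an RS256 JWT the way a relying party
checks an Azure Attestation token, using only the standard library. The RSA key, JWKS,
issuer URL and claim values are constructed; a real check fetches the JWKS from the
attestation provider's signing-key endpoint (assumed: https://<provider>/certs)."""
import base64, hashlib, hmac, json, random, time

# ---- minimal RSA (demo only; a reproducible 1024-bit key is generated in-process) ----
def _is_probable_prime(n, rng, rounds=16):
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                   # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def demo_keypair(bits=1024, seed=1234):
    rng, e = random.Random(seed), 65537                       # fixed seed: same key every run
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if phi % e:                                           # e must be invertible mod phi
            return p * q, e, pow(e, -1, phi)

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):                              # RFC 8017 EMSA-PKCS1-v1_5, SHA-256
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_demo_token(n, d, kid, claims):                      # stand-in for the attestation service
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}." + b64url_encode(rs256_sign(f"{header}.{payload}".encode(), n, d))

def verify_attestation_token(token, jwks, expected_issuer, now=None):
    """Return the claims if the token is authentic, else raise ValueError. Order matters:
    pick the key by kid, verify the signature over the exact header.payload bytes
    received, and only then read and check the claims."""
    h_b64, p_b64, s_b64 = token.split(".")                    # ValueError if not a compact JWS
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":                          # refuse alg=none, HS256, ...
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no RSA key in the JWKS with the token's kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise ValueError("signature does not verify: token altered or signed by another key")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss does not match the attestation provider")
    if now < claims.get("nbf", now) or now >= claims.get("exp", now + 1):
        raise ValueError("token outside its nbf/exp validity window")
    return claims

def demo(now=1_700_000_000):
    n, e, d = demo_keypair()
    jwks = {"keys": [{"kty": "RSA", "kid": "demo-key-1", "e": b64url_encode(e.to_bytes(3, "big")),
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}]}
    issuer = "https://demo.attest.example"                    # constructed, not a real provider
    claims_in = {"iss": issuer, "nbf": now - 60, "exp": now + 600,
                 "x-ms-attestation-type": "sgx", "x-ms-sgx-mrenclave": "00" * 32}  # placeholders
    token = issue_demo_token(n, d, "demo-key-1", claims_in)
    claims = verify_attestation_token(token, jwks, issuer, now=now)
    # Swap the measurement in the payload but keep the old signature: must be rejected.
    h, _, s = token.split(".")
    forged = b64url_encode(json.dumps({**claims_in, "x-ms-sgx-mrenclave": "ff" * 32}).encode())
    try:
        verify_attestation_token(f"{h}.{forged}.{s}", jwks, issuer, now=now)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return claims, tampered_rejected
```

`demo()` returns the verified claims and `True` for the forged token being refused. In practice the JWKS fetch must itself be over TLS to the provider, and the `iss` comparison is what ties the token to the provider instance you intended to trust rather than to any key that happens to verify.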

What is `InitTimeData` in the `attest/SgxEnclave` endpoint of Attestation Provider?

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

I cannot find any information about the field InitTimeData that can be provided to the attest/SgxEnclave REST endpoint of the Attestation Provider: https://docs.microsoft.com/en-us/rest/api/attestation/attestation/attest-sgx-enclave#inittimedata

Googling doesn't help. The examples in this repo do not seem to mention/use this field as well. The official description of this field is cryptic:

Initialization data provided when the enclave is created. MAA will verify that the init data was known to the enclave. Note that InitTimeData is invalid for CoffeeLake processors.

What is the point in this field? When it can be useful?

Why do examples use plain hex representations instead of Base64Url?

The current two examples use plain hex representations of the SGX quote and EnclaveHeldData:

However, the MAA defines the Attestation Request's JSON fields as Base64Url encoded:

How can these examples work if they submit Attestation Requests with plain-hex values, even though MAA expects Base64Url-encoded values?

What is the remote user supposed to use/see?

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

From the provided samples, it is unclear what the remote user (the user of MS Azure Confidential Compute VM) is supposed to use/see on her end. For example, I start my helloworld application on MS Azure in the SGX enclave from my laptop in Portland. What should run on my laptop? What should I receive on my laptop?

Do I receive the JSON file from the remote Azure VM, run validatequotes.core from my laptop, and receive JWT to my laptop? At which point I'm starting to trust the SGX enclave executing on the remote Azure VM?

How standard is current JSON format of EnclaveInfo?

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

I would like to re-use the validatequotes.core C# utility for Microsoft Azure Attestation (MAA) in Graphene (validatequotes.core).

This utility takes a JSON file as input and sends the request to the MAA service and gets the JWT result back.

According to the MAA standard, the "Attestation Request" to the MAA service only requires two fields:

  • Quote (your typical SGX quote provided by the Quoting Enclave)
  • Enclave Held Data (basically, SGX report's reportdata)

However, the JSON file that the validatequotes.core expects has several additional fields: Type, MrenclaveHex, etc. See for example https://github.com/Azure-Samples/microsoft-azure-attestation/blob/master/intel.sdk.attest.sample/genquotes/out/enclave.info.release.json.

Given that I need to construct the "expected" JSON file in Graphene, do I actually need to specify anything other than the required Quote and Enclave Held Data? Or to ask differently: is this JSON format only an example or it may be considered standard (if I want to use validatequotes.core or a similar utility in the future)?
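An added example serving both this post and the earlier one about hex versus Base64Url (not code from the sample repository): it converts the hex fields of an enclave-info file into the request body the AttestSgxEnclave REST call expects, sending only the quote and the enclave held data, and then compares the claims of the returned token against the file's remaining fields, which is the one use those extra fields have on the verifying side. The info-file field names (`QuoteHex`, `EnclaveHeldDataHex`, `MrenclaveHex`, `Type`), the request shape (`quote`, `runtimeData` with `data`/`dataType`) and the claim names (`x-ms-sgx-mrenclave`, `x-ms-sgx-ehd`) are assumptions taken from the MAA REST documentation and the sample's naming; all byte values are constructed and are not real SGX data.

```python
"""Added example, not code from the sample repo: build the AttestSgxEnclave request body
from the sample's hex-based enclave-info JSON, and check the returned claims against the
locally expected values. Field and claim names are assumed (see lead-in); the byte values
below are constructed and not a real quote."""
import base64
import json

def hex_to_b64url(hex_str):
    """MAA wants Base64Url (RFC 4648 section 5) without '=' padding, not plain hex."""
    return base64.urlsafe_b64encode(bytes.fromhex(hex_str)).rstrip(b"=").decode("ascii")

def b64url_to_bytes(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_attest_sgx_request(enclave_info):
    """Only the quote and the enclave held data travel to the service; the other
    fields of the info file stay local as expectations (see check_claims)."""
    return {
        "quote": hex_to_b64url(enclave_info["QuoteHex"]),
        "runtimeData": {
            "data": hex_to_b64url(enclave_info["EnclaveHeldDataHex"]),
            "dataType": "Binary",   # opaque bytes; "JSON" would make MAA parse the EHD
        },
    }

def check_claims(claims, enclave_info):
    """Return a list of mismatches between token claims and local expectations.
    The JWT proves what MAA saw; this step proves it is the enclave you built."""
    problems = []
    if claims.get("x-ms-sgx-mrenclave", "").lower() != enclave_info["MrenclaveHex"].lower():
        problems.append("MRENCLAVE differs from the expected build measurement")
    expected_ehd = bytes.fromhex(enclave_info["EnclaveHeldDataHex"])
    if b64url_to_bytes(claims.get("x-ms-sgx-ehd", "")) != expected_ehd:
        problems.append("enclave held data in the token is not the data this run supplied")
    return problems

# Constructed stand-in for genquotes/out/enclave.info.*.json (not a real quote or measurement).
SAMPLE_ENCLAVE_INFO = {
    "Type": 1,                                   # constructed value
    "MrenclaveHex": "a1" * 32,
    "QuoteHex": "03000200" + "00" * 28 + "fbff" + "cc" * 6,
    "EnclaveHeldDataHex": "fbff" + "2a" * 30,    # 0xFB 0xFF yields '+' '/' in plain base64, '-' '_' in Base64Url
}

def demo():
    request = build_attest_sgx_request(SAMPLE_ENCLAVE_INFO)
    # Constructed claims shaped like what MAA returns for this request.
    claims = {"x-ms-sgx-mrenclave": "A1" * 32, "x-ms-sgx-ehd": request["runtimeData"]["data"]}
    mismatches = check_claims(claims, SAMPLE_ENCLAVE_INFO)
    wrong_enclave = check_claims({**claims, "x-ms-sgx-mrenclave": "b2" * 32}, SAMPLE_ENCLAVE_INFO)
    return request, mismatches, wrong_enclave

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Running `demo()` shows the request carrying `-_8...` where standard base64 would carry `+/8...=`, which is why a plain-hex or padded value is refused by the service while the SDK-based sample works: the SDK performs this encoding before the bytes leave the process.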

Project uses outdated OID for quote retrieval

The current valid OID for the SGX quote is "1.3.6.1.4.1.311.105.1"; the used OID is "1.2.840.113556.10.1.1".

Please update.

OE current oid:
https://github.com/openenclave/openenclave/blob/55b74b38049a40acd6ea618d2940e101cb1515eb/include/openenclave/internal/report.h#L94

Outdated usage of OID

More detailed documentation of the REST API of MAA

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Hello,

I really appreciate the work and have been able to run the sample on an ACC VM.

However, I would like to understand better how the REST API of Microsoft Azure Attestation works, but there is little documentation on it either on the docs (https://docs.microsoft.com/en-us/azure/attestation/overview) or on https://docs.microsoft.com/en-us/rest/api/attestation/

Could the process be described in more detail? I more or less get how it works by reading the C# code, but more detailed documentation, maybe with a Python implementation, could really help me.

Thank you
