microsoft/Azure-DCAP-Client

DCAP returns outdated collateral for Azure DCsv2/v3 machines

tux3 opened this issue · 9 comments

tux3 commented

On an Azure DCsv2 VM, the FMSPC is 00906ed50000.
This value is used by the Azure DCAP provider to retrieve the TCBInfo used as collateral for Remote Attestation of enclaves.

However, the Azure DCAP cache seems to be broken, and returns 6+ months old data for the TCBInfo. This causes the verification of remote attestation quotes to fail with a collateral_expiration_status = 1, unless the system date is set 6 months in the past.

This is evident when querying the Azure caching service API, compared with using the Intel API directly.

Running: curl 'https://global.acccache.azure.net/sgx/certificates/v3/tcb/00906ed50000?clientid=production_client&api-version=2018-10-01-preview'
Returns a tcbInfo JSON with values 'issueDate':'2021-03-31T22:03:13Z','nextUpdate':'2021-04-30T22:03:13Z'.

As you can see, the TcbInfo served by Azure was issued in March and has been expired since April 30th.

When querying Intel: curl 'https://api.trustedservices.intel.com/sgx/certification/v2/tcb?fmspc=00906ED50000'
We get 'issueDate':'2021-10-15T08:41:31Z','nextUpdate':'2021-11-14T08:41:31Z'
Which is correct, and allows remote attestation to work correctly.
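The check described in this comment (compare the tcbInfo validity window from the Azure cache against the one from Intel's PCS, and against the verifier's clock) can be applied offline to saved responses. The script below is an added example, not code from the issue, from Azure-DCAP-Client or from Intel's QvL. The two JSON bodies are constructed: the issueDate/nextUpdate values are the ones quoted above, every other field is a placeholder. The 2021-10-20 "as of" date is an assumption standing in for the day the issue was filed; function names are the example's own.

```python
"""Offline check of SGX tcbInfo collateral freshness (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample responses. Dates are the ones quoted in the issue;
# version, tcbLevels and signature are placeholders, not real collateral.
AZURE_CACHE_SAMPLE = json.dumps({
    "tcbInfo": {
        "version": 2,
        "issueDate": "2021-03-31T22:03:13Z",
        "nextUpdate": "2021-04-30T22:03:13Z",
        "fmspc": "00906ed50000",
        "tcbLevels": [],
    },
    "signature": "00",
})
INTEL_PCS_SAMPLE = json.dumps({
    "tcbInfo": {
        "version": 2,
        "issueDate": "2021-10-15T08:41:31Z",
        "nextUpdate": "2021-11-14T08:41:31Z",
        "fmspc": "00906ED50000",
        "tcbLevels": [],
    },
    "signature": "00",
})

# Assumed verification time (the issue does not state the exact day).
AS_OF = "2021-10-20T00:00:00Z"


def parse_pcs_time(value):
    """PCS timestamps are UTC with a 'Z' suffix and no fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tcb_info_window(body):
    """Return (issueDate, nextUpdate, fmspc) from a tcbInfo response body."""
    info = json.loads(body)["tcbInfo"]
    return (parse_pcs_time(info["issueDate"]),
            parse_pcs_time(info["nextUpdate"]),
            info["fmspc"].lower())


def collateral_expiration_status(body, check_time_iso):
    """1 if check_time lies outside [issueDate, nextUpdate], else 0.

    This mirrors the meaning of the QvL's collateral_expiration_status field
    (1 = expired) for a single tcbInfo blob; it is a re-implementation for
    this example, not the library's own logic.
    """
    issue, next_update, _ = tcb_info_window(body)
    check_time = parse_pcs_time(check_time_iso)
    return 1 if (check_time < issue or check_time > next_update) else 0


def compare_sources(cache_body, intel_body, check_time_iso):
    """Describe how stale the cached tcbInfo is relative to Intel's copy."""
    cache_issue, _, cache_fmspc = tcb_info_window(cache_body)
    intel_issue, _, intel_fmspc = tcb_info_window(intel_body)
    if cache_fmspc != intel_fmspc:
        raise ValueError("responses are for different FMSPCs: "
                         f"{cache_fmspc} vs {intel_fmspc}")
    return {
        "fmspc": cache_fmspc,
        "cache_days_behind": (intel_issue - cache_issue).days,
        "cache_expired": collateral_expiration_status(cache_body, check_time_iso),
        "intel_expired": collateral_expiration_status(intel_body, check_time_iso),
    }


if __name__ == "__main__":
    print(compare_sources(AZURE_CACHE_SAMPLE, INTEL_PCS_SAMPLE, AS_OF))
    # Moving the clock back into the cached blob's window, as the issue
    # describes doing with the system date, makes the stale blob "valid" again.
    print(collateral_expiration_status(AZURE_CACHE_SAMPLE, "2021-04-15T00:00:00Z"))
```

Feed the script real bodies saved with the two curl commands above (one from global.acccache.azure.net, one from api.trustedservices.intel.com) to see whether the cache is still lagging; the FMSPC comparison guards against diffing responses for two different platforms.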

I used Azure-DCAP-Client with DCsv3 to try this sample:
https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/SampleCode

But the QuoteVerification fails because the nextUpdate in this API response is out of date.

https://global.acccache.azure.net/sgx/certificates/v3/tcb/00606a000000?clientid=production_client&api-version=2018-10-01-preview

With AZDCAP_COLLATERAL_VERSION=v4, most of the data is up to date, except:

https://global.acccache.azure.net/sgx/certification/v4/qe/identity

❯ AZDCAP_DEBUG_LOG_LEVEL=ignore AZDCAP_COLLATERAL_VERSION=v4  cargo run  -- --quote ../RustSGXQuoteGenerationSample/quote.dat 
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/app --quote ../RustSGXQuoteGenerationSample/quote.dat`
Info: ECDSA quote path: ../RustSGXQuoteGenerationSample/quote.dat

Trusted quote verification:
	Info: get target info successfully returned.
	Info: sgx_qv_set_enclave_load_policy successfully returned.
	Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
	Info: latest supplemental data major version: 1, minor version: 3, size: 336
	Info: tee_qv_get_collateral successfully returned.
	Info: App: tee_verify_quote successfully returned.
	Info: Ecall: Verify QvE report and identity successfully returned.
	Warning: App: Verification completed with Non-terminal result: a007
	Info: Supplemental data Major Version: 3
	Info: Supplemental data Minor Version: 1
	Info: Advisory ID: INTEL-SA-00615,INTEL-SA-00657

===========================================

Untrusted quote verification:
	Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
	Info: latest supplemental data major version: 1, minor version: 3, size: 336
	Info: tee_qv_get_collateral successfully returned.
	Info: App: tee_verify_quote successfully returned.
	Warning: App: Verification completed with Non-terminal result: a007
	Info: Supplemental data Major Version: 3
	Info: Supplemental data Minor Version: 1
	Info: Advisory ID: INTEL-SA-00615,INTEL-SA-00657

Modified to display the expiration state in any error case:

❯ AZDCAP_DEBUG_LOG_LEVEL=ignore AZDCAP_COLLATERAL_VERSION=v4  cargo run  -- --quote ../RustSGXQuoteGenerationSample/quote.dat 
[…]
	Warning: App: Verification completed, but collateral is out of date based on 'expiration_check_date' you provided.
[…]

Replacing tcb_info_url and qe_id_url with the Intel originals

@@ -1333,7 +1333,7 @@ static std::string build_tcb_info_url(
         tcb_info_url << base_url;
     }
     else
-        tcb_info_url << get_base_url();
+        tcb_info_url << "https://api.trustedservices.intel.com/sgx/certification";
 
     if (!version.empty())
     {
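Review bot: the literal substituted here, "https://api.trustedservices.intel.com/sgx/certification", has no trailing slash, while the literal substituted for the same get_base_url() call in build_enclave_id_url below ends with "/"; both are followed by the same version-append logic, so one of the two URLs will differ from what get_base_url() produced (a missing or a doubled slash before the version segment). Use the exact form get_base_url() returns in both places. Since only the else branch is changed, a caller that passes base_url still hits the Azure cache; that is fine for a local workaround but should be stated as debug-only rather than a fix.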
@@ -1426,7 +1426,7 @@ static std::string build_enclave_id_url(
         qe_id_url << base_url;
     }
     else
-        qe_id_url << get_base_url();
+        qe_id_url << "https://api.trustedservices.intel.com/sgx/certification/";
 
     // Select the correct issuer header name
     if (!version.empty())
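Review bot: the issuer-header selection that follows ("// Select the correct issuer header name", keyed on version) is left untouched while the host is switched from the Azure cache to api.trustedservices.intel.com; confirm the header name chosen for the requested version is the one Intel's endpoint actually returns, otherwise the QE identity body is fetched but its issuer chain comes back empty and the failure moves from "expired" to "missing collateral". Rather than hardcoding the host in the else branch, consider passing it through the existing base_url parameter (the if branch two lines above already supports an override), which keeps the Intel fallback selectable at runtime.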

gives me up-to-date quote verification with:

❯ AZDCAP_DEBUG_LOG_LEVEL=ignore AZDCAP_COLLATERAL_VERSION=v4  cargo run  -- --quote ../RustSGXQuoteGenerationSample/quote.dat 
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/app --quote ../RustSGXQuoteGenerationSample/quote.dat`
Info: ECDSA quote path: ../RustSGXQuoteGenerationSample/quote.dat

Trusted quote verification:
	Info: get target info successfully returned.
	Info: sgx_qv_set_enclave_load_policy successfully returned.
	Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
	Info: latest supplemental data major version: 1, minor version: 3, size: 336
	Info: tee_qv_get_collateral successfully returned.
	Info: App: tee_verify_quote successfully returned.
	Info: Ecall: Verify QvE report and identity successfully returned.
	Warning: App: Verification completed with Non-terminal result: a007
	Info: Supplemental data Major Version: 3
	Info: Supplemental data Minor Version: 1
	Info: Advisory ID: INTEL-SA-00615

I'm facing the same issue, but the above didn't help me. I need to fetch the TCB/QE info from the Azure URL, but it keeps giving me outdated info:
curl -v -X GET 'https://global.acccache.azure.net/sgx/certification/v4/tcb?fmspc=00606a000000&clientid=production_client&api-version=2021-07-22-preview&update=true'

response:
{"tcbInfo":{"id":"SGX","version":3,"issueDate":"2023-02-14T23:29:37Z","nextUpdate":"2023-03-16T23:29:37Z","fmspc":"00606a000000"...

Hello? Any statement by MS?