Currently, we only validate the HTTPS server certificate on Linux builds of the Azure DCAP Client. Once Before Windows images are supported in Azure, HTTPS support should be added to the Windows builds of the client.

The latest release (1.6) was released on June, 5th of this year. Since then, 240 commits have been pushed to master. It would be nice to have a new release of the Azure-DCAP-Client as this fixes a number issues (e.g. #114).

I believe #114 was closed prematurely. There are 2 related PRs which do not fix the underlying issue:

• #115 fixed a typo in the error message.
• #122 reduced the logging severity when failing to retrieve other env vars.

However the original issue is still present - if AZDCAP_DEBUG_LOG_LEVEL is not set, the following log will be output:

Azure Quote Provider: libdcap_quoteprov.so [ERROR]: Could not retrieve environment variable for 'AZDCAP_DEBUG_LOG_LEVEL'

As far as I can tell, this comes from init_debug_log, which is reporting its errors directly with printf. I believe this error message should be dropped, to match the behaviour of dropping other similar logging messages when this env var is undefined.

I am trying to run DCAP attestation in my Azure VM.
cat /proc/version Linux version 5.15.0-1029-azure (buildd@lcy02-amd64-076) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #36~20.04.1-Ubuntu SMP Tue Dec 6 17:00:26 UTC 2022
I installed Azure-DCAP-Client on my VM. Then for testing I tries to run the /microsoft-azure-attestation/sgx.attest.sample.intel.sdk/genquotes$ sudo ./runall.sh
unfortunate I get error:
[get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011 Step1: Call sgx_qe_get_target_info: Error in sgx_qe_get_target_info. 0xe011 make: *** [Makefile:22: run] Error 255
Do any body know the problem?
Thanks

Currently, there is only a central cache location for all servers. We will be expanding to multiple geographies as Azure Confidential Computing expands.

The client must become for regionally-aware so we route requests to the correct endpoint.

OS: Ubuntu 18.04
Repro steps:

1. Compile OE SDK from github.
2. Run tests/tools/oecert application. This will try to generate a OE report.

./host/oecert ./enc/oecert_enc --report --out test

You will see the issue when trying to create the OE report:

2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: Using default collateral version 'v1'.
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: Using default base cert URL 'https://global.acccache.azure.net/sgx/certificates'.
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: Using default client id 'production_client'.
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: Fetching quote config from remote server: 'https://global.acccache.azure.net/sgx/certificates/v1/f345032dbd1468b03a4f457216593b86/0f0f0305ff8006000000000000000000/0a00/0000?clientid=production_client&api-version=2018-10-01-preview'.
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: raw_header SGX-TCBm:[0e0e02040180060000000000000000000A00]

 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: CPU SVN: '0e0e0204018006000000000000000000'.
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: PCE ISV SVN: '0A00'.
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: PCE SVN parsed as '0x000a'
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [INFO]: libquote_provider.so: [-----BEGIN CERTIFICATE-----
MIIClzCCAj6gAwIBAgIVANDoqtp11/kuSReYPHsUZdDV8llNMAoGCCqGSM49BAMC
MGgxGjAYBgNVBAMMEUludGVsIFNHWCBSb290IENBMRowGAYDVQQKDBFJbnRlbCBD
b3Jwb3JhdGlvbjEUMBIGA1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNBMQsw
CQYDVQQGEwJVUzAeFw0xODA1MjExMDQ1MDhaFw0zMzA1MjExMDQ1MDhaMHExIzAh
BgNVBAMMGkludGVsIFNHWCBQQ0sgUHJvY2Vzc29yIENBMRowGAYDVQQKDBFJbnRl
bCBDb3Jwb3JhdGlvbjEUMBIGA1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNB
MQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL9q+NMp2IOg
tdl1b
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | dcap_quoteprov: [ERROR]: Unknown exception thrown, error: Error calling open on file: Permission denied
 [../host/sgx/sgxquoteprovider.c:oe_quote_provider_log:38]
2020-04-16T23:21:07.000000Z [(H)ERROR] tid(0x7fbf3127a740) | quote3_error_t=0xe001
 (oe_result_t=OE_PLATFORM_ERROR) [../host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:21]
2020-04-16T23:21:07.000000Z [(H)ERROR] tid(0x7fbf3127a740) | :OE_PLATFORM_ERROR [../host/sgx/quote.c:sgx_get_qetarget_info:31]
2020-04-16T23:21:07.000000Z [(H)ERROR] tid(0x7fbf3127a740) | :OE_PLATFORM_ERROR [../host/sgx/report.c:_get_remote_report:93]
2020-04-16T23:21:07.000000Z [(H)ERROR] tid(0x7fbf3127a740) | :OE_PLATFORM_ERROR [../host/sgx/report.c:_oe_get_report_internal:174]
Failed to create report. Error: OE_PLATFORM_ERROR
2020-04-16T23:21:07.000000Z [(H)VERBOSE] tid(0x7fbf3127a740) | /home/sewong/jazzybluesea/openenclave/build/tests/tools/oecert/enc/oecert_enc 0x2e800000 OE_ECALL: DESTRUCTOR
2020-04-16T23:21:07.000000Z [(H)VERBOSE] tid(0x7fbf3127a740) | _do_eenter(tcs=0x7fbf2ec76000 aep=0x4bc16c codeIn=1, funcIn=0 argIn=0)
 [../host/sgx/calls.c:_do_eenter:178]
2020-04-16T23:21:07.000000Z [(H)INFO] tid(0x7fbf3127a740) | _unload_quote_provider libdcap_quoteprov.so
 [../host/sgx/linux/sgxquoteproviderloader.c:_unload_quote_provider:13]

If you use sudo to run oecert, the problem does not reproduce.

Drivers:

ii  libsgx-ae-pce                      2.9.101.2-bionic1                           amd64        Intel(R) Software Guard Extensions PCE
ii  libsgx-ae-qe3                      1.6.100.2-bionic1                           amd64        Intel(R) Software Guard Extensions QE3
ii  libsgx-ae-qve                      1.6.100.2-bionic1                           amd64        Intel(R) Software Guard Extensions QVE
ii  libsgx-dcap-ql                     1.6.100.2-bionic1                           amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-dcap-ql-dev                 1.6.100.2-bionic1                           amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives For Developers
ii  libsgx-enclave-common              2.9.101.2-bionic1                           amd64        Intel(R) Software Guard Extensions Enclave Common Loader
ii  libsgx-enclave-common-dev          2.9.101.2-bionic1                           amd64        Intel(R) Software Guard Extensions Enclave Common Loader for Developers
ii  libsgx-pce-logic                   1.6.100.2-bionic1                           amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-qe3-logic                   1.6.100.2-bionic1                           amd64        Intel(R) Software Guard Extensions Data Center Attestation Primitives
ii  libsgx-urts                        2.9.101.2-bionic1                           amd64        Intel(R) Software Guard Extensions uRTS
ii  linux-base-sgx                     4.5ubuntu1.1                                all          Linux image base package for DCAP SGX

Opening this issue in order to keep track of the offline request.

Currently the collaterals, QE identity info and Revocation info are not cached, only the PCK Cert is cached. In order to improve performance, caching for these is needed. For more information please see openenclave/openenclave#2283.

Although 1.1 is available in the debian repo, there is no tag or release on GitHub for it, making it effectively impossible to figure out what code it's running. Please create a v1.1.

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

We need to apply the following OE Jenkinsfile changes to the Jenkinsfile from this repository.

The Open Enclave Ansible scripts to setup the environments for developers install the Microsoft.Azure.DCAP.Client.1.0.0.nupkg file:
https://github.com/openenclave/openenclave/blob/d5fb0a9f6a2c4b614126f1a747be89b1d7d754dc/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml#L8

However, currently, the file consumed is hosted in the Azure Open Enclave storage account:
https://oejenkins.blob.core.windows.net/oejenkins

It would be advisable to have this file downloaded from official GitHub releases of this project:
https://github.com/Microsoft/Azure-DCAP-Client/releases

So far, only an amd64.tar.gz archive with a Linux build is attached to the 1.0 release.

To diagnose issues it would be convenient if the internal printf logging could be enabled if some AZDCAP_LOGGING=1 environment variable or similar is set. Currently, the library has to be rebuilt to enable logging. This is for Linux. I'm aware that on Windows some event logging takes place already, though the same printf approach would make sense for convenience.

Trace below. This isn't right, at worst an error should be returned, and at best it should proceed without the cache.

#0  0x00007f65e325d7e7 in __pthread_once_slow () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f65e183ef39 in ?? () from /usr/lib/libdcap_quoteprov.so
#2  0x00007f65e1840935 in void std::call_once<void (&)()>(std::once_flag&, void (&)()) () from /usr/lib/libdcap_quoteprov.so
#3  0x00007f65e183f698 in ?? () from /usr/lib/libdcap_quoteprov.so
#4  0x00007f65e183fdf1 in local_cache_get(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/libdcap_quoteprov.so
#5  0x00007f65e1833dd6 in sgx_ql_get_quote_config () from /usr/lib/libdcap_quoteprov.so
#6  0x00007f65e3d63889 in ?? () from /usr/lib/x86_64-linux-gnu/libsgx_dcap_ql.so.1
#7  0x00007f65e3d6495b in ?? () from /usr/lib/x86_64-linux-gnu/libsgx_dcap_ql.so.1
#8  0x00007f65e3d6337d in ?? () from /usr/lib/x86_64-linux-gnu/libsgx_dcap_ql.so.1
#9  0x0000000000475492 in oe_sgx_qe_get_quote_size (quote_size=0x7f65e1a4a620) at ../host/sgx/sgxquote.c:32
#10 0x0000000000471f7a in sgx_get_quote_size (quote_size=<optimized out>) at ../host/sgx/quote.c:178
#11 sgx_get_quote (report=<optimized out>, quote=<optimized out>, quote_size=<optimized out>) at ../host/sgx/quote.c:201
#12 0x00000000004718f9 in HandleGetQuote (arg_in=<optimized out>) at ../host/sgx/ocalls.c:135
#13 0x000000000046ad50 in _handle_ocall (enclave=<optimized out>, tcs=<optimized out>, func=<optimized out>, arg_in=<optimized out>, arg_out=<optimized out>) at ../host/sgx/calls.c:485
#14 __oe_dispatch_ocall (arg1=985171008421888, arg2=<optimized out>, arg1_out=<optimized out>, arg2_out=<optimized out>, tcs_=<optimized out>, enclave=<optimized out>) at ../host/sgx/calls.c:606
#15 0x000000000047b058 in __oe_host_stack_bridge () at ../host/sgx/linux/enter.S:271
#16 0x000000000047afa0 in __morestack () at ../host/sgx/linux/enter.S:144
#17 0x000000000046b8d6 in _do_eenter (enclave=<optimized out>, tcs=<optimized out>, aep=<optimized out>, code_in=OE_CODE_ECALL, arg_in=<optimized out>, func_in=<optimized out>,
    code_out=<optimized out>, func_out=<optimized out>, result_out=<optimized out>, arg_out=<optimized out>) at ../host/sgx/calls.c:228
#18 oe_ecall (enclave=<optimized out>, func=<optimized out>, arg=<optimized out>, arg_out_ptr=<optimized out>) at ../host/sgx/calls.c:775
#19 0x000000000046bc36 in oe_call_enclave_function_by_table_id (enclave=0x7f65e1a4a620, table_id=<optimized out>, function_id=<optimized out>, input_buffer=<optimized out>, input_buffer_size=202,
    output_buffer=0x1, output_buffer_size=<optimized out>, output_bytes_written=<optimized out>) at ../host/sgx/calls.c:852
#20 0x000000000046be06 in oe_call_enclave_function (enclave=0x7f65e1a4a620, function_id=<optimized out>, input_buffer=0x7f65e325d7e7 <__pthread_once_slow+119>, input_buffer_size=202,
    output_buffer=0x1, output_buffer_size=0, output_bytes_written=<optimized out>) at ../host/sgx/calls.c:890
#21 0x000000000046a603 in enclave_create_node (enclave=0x89c640, _retval=0x7ffd8d646e07, config=<optimized out>, node_cert=0x10a0030 "", node_cert_size=4096, node_cert_len=0x7ffd8d646e18,
    quote=0x10a1040 "", quote_size=10240, quote_len=0x7ffd8d646e10, recover=<optimized out>) at ccf_u.cpp:91
#22 0x00000000004157dc in host::Enclave::create_node (this=<optimized out>, config=..., node_cert=std::vector of length 4096, capacity 4096 = {...},
    quote=std::vector of length 10240, capacity 10240 = {...}, recover=false) at ../src/host/enclave.h:88
#23 0x000000000040be69 in main (argc=9025584, argv=0x1000000) at ../src/host/main.cpp:252

1. The referenced power-shell script get-prereqs.ps1 does not get executed by default and I ran the following scripts from an elevated power-shell script:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Unblock-File .\get-prereqs.ps1

2. Also got the following error with Visual Studio Build:

Troubleshooted further by specifying the command in an elevated power-shell window:

> Invoke-WebRequest -OutFile curl-ca-bundle.crt -Uri https://curl.haxx.se/ca/cacert.pem
**Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel**.
At line:1 char:1
+ Invoke-WebRequest -OutFile curl-ca-bundle.crt -Uri https://curl.haxx. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Fixed the problem by making power-shell use TLS1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Great if the README.md file can be updated to indicate the extra steps to take the build to work.

In some contexts, eg. containers, applictions are deliberately run with a minimal environment, something without a defined $HOME.

Would it be possible to default to /var/cache/ in those contexts? This is reasonably common: https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s05.html.

Hi,

I just installed az-dcap-client using the Ubuntu 18.04 packages, and it seems to be working correctly, but I noticed these warnings logged repeatedly from the AESM daemon (I am using SGX_AESM_ADDR to perform out-of-proc quote retrieval):

Jul 21 22:25:48 SGX-Temp-Test-VM aesm_service[25583]: [get_qpl_handle ../qe_logic.cpp:295] Failed to set logging callback for the quote provider library.

The root cert, as passed to curl_easy::create is not being checked as a valid root for https connections.

It appears we have a bug in ssl_context_callback. Address this and add a negative test case to ensure we don't run across this again in the future.

We need to add stages to the Jenkinsfile for the Ubuntu 18.04.

On an Azure DCsv2 VM, the FMSPC is 00906ed50000.
This value is used by the Azure DCAP provider to retrieve the TCBInfo used as collateral for Remote Attestation of enclaves.

However, the Azure DCAP cache seems to be broken, and returns 6+ months old data for the TCBInfo. This causes the verification of remote attestation quotes to fail with a collateral_expiration_status = 1, unless the system date is set 6 months in the past.

This is evident when querying the Azure caching service API, compared with using the Intel API directly.

Running: curl 'https://global.acccache.azure.net/sgx/certificates/v3/tcb/00906ed50000?clientid=production_client&api-version=2018-10-01-preview'
Returns a tcbInfo JSON with values 'issueDate':'2021-03-31T22:03:13Z','nextUpdate':'2021-04-30T22:03:13Z'.

As you can see, the TcbInfo served by Azure has been issued in March, and has been expired since April 30th.

When querying Intel: curl 'https://api.trustedservices.intel.com/sgx/certification/v2/tcb?fmspc=00906ED50000'
We get 'issueDate':'2021-10-15T08:41:31Z','nextUpdate':'2021-11-14T08:41:31Z'
Which is correct, and allows remote attestation to work correctly.

There is some duplicate code among the Jenkinsfiles from this repository and the Open Enclave repository.

The code duplication problem was addressed via a Jenkins shared library submitted to the OE repository: openenclave/openenclave#1571

We should start using the OE CI shared common library in this repository as well.

Hi ,

I am using AKS --enable-sgxquotehelper plugin to generate sgx quote for https://github.com/intel/SGXDataCenterAttestationPrimitives/ Samples. The quote generation is successful, but quote verification fails with the error: "Error: App: sgx_qv_verify_quote failed: 0xe022". [SGX_QL_PCK_CERT_CHAIN_ERROR] : this implies there was an error verifying the PCK Cert signature chain including PCK Cert revocation.

Setup: Two Containers running as part of AKS cluster.
Service Container 1: dcap-pccs service is running and is reachable by Container 2
Application Container 2: Quote generation and verification is happening for SGXDataCenterAttestationPrimitives/Samples

1. This error is visible only with the quote generated using out-proc mode, where aesmd service is generating the quote.
2. I am successfully able to verify the quote generated using in-proc mode.
3. Also, if I generate out-proc mode quote at my local system [not as part of Azure VM] and copy the quote into Application container 2 image, I am successfully able to verify the quote.

So, looks like the quote generated using AKS --enable-sgxquotehelper plugin, is not verifiable.

Therefore, I wanted to check, if we need to download some specific certificate , in order to verify the out-proc quote generated using Azure sgxquotehelper?

Link that I followed: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-out-of-proc-attestation

Thanks.

Due to Ubuntu 18.04 reaching EOL in April 2023, Azure DCAP is removing support for it in releases after 1.12.0.

Here: https://github.com/Microsoft/Azure-DCAP-Client/blob/23760512b07ed0314217aef3bb3bd26ef3a5c3b8/src/Linux/local_cache.cpp#L183-L205

There is a case where a user trying to run has no home directory (in this case a docker container that just uses the current context mounted in the container with az-dcap-client install) the $HOME environment variable will just be "/" which is not checked against, the check is only done against an empty $HOME and the folder .az-dcap-client the local_cache.cpp is trying to create has no write permissions in "/", There should be either a more meaningful error or a mention in the documentation about this $AZDCAPCACHE environment variable.

This was previously not seen as we were running the containers with "-u root" option that didn't have an issue creating "//.az-dcap-client" folder. I've discovered this while working on #41

@ionutbalutoiu told me another contributor complained that the testing inside the Dockerfile didn't work unless there was a user created inside the Dockerfile

@johnkord @andschwa i'm not sure how to handle this since it's on the .cpp / docs side and would like your feedback, on the Jenkins side we can just use withEnv(["AZDCAPCACHE=${WORKSPACE}"])

If the project builds on Windows, we should update our CI Jenkinsfile by adding a new testing stage targeted against Windows platform.

Due to caller privilege change, previously cached file cannot be accessed from subsequent calls. Specifically, local_cache_add() call from sgx_ql_get_quote_config() in dcap_provider.cpp throws exception because file access permission denied. This causes sgx_ql_get_quote_config() to return error.

Issues:

1. Local cache can be shared by all users. It should be in a folder/file that's accessible to all.
2. Caching failure should not be a fatal operation. After all, the mission of sgx_ql_get_quote_config() is to retrieve certificate.

1. The code uses nlohmann/json.hpp
2. It is provided by nlohmann-json3-dev
3. It was not available in the official Ubuntu 18 package repo and thus in the notes the PPA of Kodi (team-xbmc) is mentioned as dependency, e.g.

Azure-DCAP-Client (master)> grep -R team-xbmc
build/Phase2/install_prereqs.cmd
12:add-apt-repository ppa:team-xbmc/ppa -y

src/Linux/README.MD
9:* `sudo  add-apt-repository ppa:team-xbmc/ppa -y`

4. nlohmann-json3-dev is available in the official repo for Ubuntu 20 and up, e.g. https://packages.ubuntu.com/focal/nlohmann-json3-dev

Since dcap deprecated support for Ubuntu 18, the ppa is not needed. As it is best practice not to have unneeded PPAs, I suggest removing this from the docs.

Currently, there is no az-dcap-client package in deb [arch=amd64] https://packages.microsoft.com/ubuntu/22.04/prod jammy main. Could you add the package please?

We observed the following error last week creating SGX enclaves in our CI pipeline:

[get_platform_quote_cert_data ../qe_logic.cpp:347] Error returned from the p_sgx_get_quote_config API. 0xe011

2022-04-07T03:09:49+0000.720386Z [(H)ERROR] tid(0x7ffb8fcc8740) | quote3_error_t=SGX_QL_NO_PLATFORM_CERT_DATA

This error, I believe, comes from:

Additional details here: microsoft/CCF#3747

Would you have any more information on what caused this issue and whether there's anything that recently changed that we need to take into account on our side?

I was noticing that on the Jenkins server VM's are failing to spawn. This is due to the Jenkins labels being outdated.

Over in OpenEnclave, the labels to spawn a "SGXFLC-Window" VM are "SGXFLC-Windows-2016-DCAP" and "SGXFLC-Windows-2019-DCAP" dependant on needs. "SGXFLC-Window" was removed when 2019 support was added.

The following block of code from InstallAzureDCAP.ps1 script:

has three problems:

1. If the destination directory $localPath doesn't exist, the dll is not copied unless the script is called again.
2. Idempotency is broken. If the script is called multiple times with the same value for $localPath, that is appended to the system path, every time. We should check if the path is already in the system path.
3. The PowerShell $env:Path variable is a concatenation of the User path and System path. Appending to this value and then set it as a system path, can cause User paths present in the System path environment variable. We should append only to the existing system path.

I hit this when trying to build this library on my devbox

~/azdcapclient/src/Linux$ ls -l
total 20
-rw-rw-r-- 1 configure
drwxrwxr-x 2 debian
-rw-rw-r-- 1 init.cpp
-rw-rw-r-- 1 Makefile.in
-rw-rw-r-- 1 README.MD

I have to add execution permission before I could build it successfully.

If the AZDCAP_DEBUG_LOG_LEVEL environment is not set, the following error log is printed:
Azure Quote Provider: libdcap_quoteprov.so [ERROR]: Could not retreive environment variable for 'AZDCAP_DEBUG_LOG_LEVEL'

I believe this is undesirable behaviour and the library should set a sensible default value for the log level that could be overridden with AZDCAP_DEBUG_LOG_LEVEL.

When trying to run a sample application with MS Azure DCAP-based VM (see https://docs.microsoft.com/en-us/azure/confidential-computing/quick-create-portal), we experience the following issue: gramineproject/graphene#2062.

Graphene is an SGX runtime to run unmodified Linux applications (https://github.com/oscarlab/graphene). Graphene's remote attestation capabilities were always tested against the classic Intel SGX DCAP attestation on bare-metal local machines and not in the MS Azure VM. When testing with MS Azure SGX-enabled DCAP-based VM, we see this:

$ ... running a Graphene SGX remote attestation (RA) sample ...
aesm_service returned error: 1    # from what I understand, this is simply " AESM_UNEXPECTED_ERROR"

What happens behind the scenes in Graphene is as follows:

1. The SGX enclave starts
2. Graphene notices that the app wants to do SGX RA at some point, so Graphene starts initialization of SGX RA
3. As part of this initialization of RA, Graphene must retrieve TargetInfo of the Quoting Enclave (QE)
4. Graphene talks to AESM daemon on the /var/run/aesmd/aesm.socket Unix domain socket
5. The message that Graphene sends to the AESM is InitQuoteExRequest in Protobuf "proto2" format
6. The message that Graphene expects in response from AESM is InitQuoteExResponse in Protobuf "proto2" format
7. Graphene does some light checks that the AESM-provided QE TargetInfo makes sense and memorizes this TargetInfo for future use by the app (in GetQuoteExRequest messages to AESM)

So Graphene sidesteps the DCAP shared libraries for all these steps (for self-contained code reasons). Here are some relevant sources in Graphene:

• https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/quote/aesm.proto -- protobuf format of the AESM messages
• https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_platform.c -- code to communicate with AESM
  • https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_platform.c#L19 -- hard-coded attestation key of Intel QE (could this be an issue?)
  • https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_platform.c#L126 -- function to retrieve QE TargetInfo (implements steps 3-7)
  • https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_platform.c#L159 -- start of the initialization logic for non-EPID (i.e. DCAP) attestation
  • https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_platform.c#L164 -- initializing the InitQuoteExRequest message to AESM (could the values there be an issue?)
  • https://github.com/oscarlab/graphene/blob/master/Pal/src/host/Linux-SGX/sgx_platform.c#L183 -- examining the InitQuoteExResponse message from AESM (maybe we incorrectly parse it?)

Graphene fails on the MS Azure DCAP VM somewhere at steps 6-7. I can't figure out why the AESM daemon on the MS Azure VM doesn't like Graphene's InitQuoteExRequest message (or why doesn't Graphene like the returned InitQuoteExResponse). Maybe Microsoft VMs use their own QE implementation and the attestation key is different (from the classic Intel one)?

I looked through the MS Azure DCAP code, but it doesn't look relevant to my issue: https://github.com/microsoft/Azure-DCAP-Client/src. Any help or forwarding to the right people will be greatly appreciated!

Working with open enclave samples I am getting this DCAP related error:

2023-02-14T12:42:41+0000.171607Z [(H)INFO] tid(0x7f1672c50f40) | oe_host_malloc(17360) called to allocate host memory. [/source/openenclave/host/ocalls/ocalls.c:HandleMalloc:28]
2023-02-14T12:42:41+0000.171913Z [(H)INFO] tid(0x7f1672c50f40) | Calling oe_get_sgx_quote_verification_collateral
 [/source/openenclave/host/sgx/sgxquoteprovider.c:oe_get_sgx_quote_verification_collateral:82]
2023-02-14T12:42:41+0000.172780Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Using default primary base cert URL 'https://global.acccache.azure.net/sgx/certification'.
2023-02-14T12:42:41+0000.173129Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Fetching PCK Crl from cache: 'https://global.acccache.azure.net/sgx/certification/v3/pckcrl?uri=https%253a%252f%252fcertificates.trustedservices.intel.com%252fintelsgxpckprocessor.crl&clientid=production_client&api-version=2020-02-12-preview'.
2023-02-14T12:42:41+0000.173324Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Successfully fetched PCK Crl from cache: 'https://global.acccache.azure.net/sgx/certification/v3/pckcrl?uri=https%253a%252f%252fcertificates.trustedservices.intel.com%252fintelsgxpckprocessor.crl&clientid=production_client&api-version=2020-02-12-preview'.
2023-02-14T12:42:41+0000.173839Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Using default primary base cert URL 'https://global.acccache.azure.net/sgx/certification'.
2023-02-14T12:42:41+0000.173967Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Fetching Root CA Crl from cache: 'https://global.acccache.azure.net/sgx/certification/v3/pckcrl?uri=https%253a%252f%252fcertificates.trustedservices.intel.com%252fintelsgxrootca.crl&clientid=production_client&api-version=2020-02-12-preview'.
2023-02-14T12:42:41+0000.174099Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Successfully fetched Root CA Crl from cache: 'https://global.acccache.azure.net/sgx/certification/v3/pckcrl?uri=https%253a%252f%252fcertificates.trustedservices.intel.com%252fintelsgxrootca.crl&clientid=production_client&api-version=2020-02-12-preview'.
2023-02-14T12:42:41+0000.174641Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Using default primary base cert URL 'https://global.acccache.azure.net/sgx/certification'.
2023-02-14T12:42:41+0000.174815Z [(H)INFO] tid(0x7f1672c50f40) | dcap_quoteprov: [INFO]: Fetching Tcb Info from remote server: 'https://global.acccache.azure.net/sgx/certification/v3/tcb?fmspc=00706a800000&clientid=production_client&api-version=2018-10-01-preview'.
2023-02-14T12:42:41+0000.434575Z [(H)ERROR] tid(0x7f1672c50f40) | dcap_quoteprov: [ERROR]: HTTP error (404)
2023-02-14T12:42:41+0000.434642Z [(H)ERROR] tid(0x7f1672c50f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 22 in curl_easy_perform
2023-02-14T12:42:41+0000.435090Z [(H)ERROR] tid(0x7f1672c50f40) | dcap_quoteprov: [ERROR]: curl error thrown, error code: 16: curl_easy_perform
2023-02-14T12:42:41+0000.435144Z [(H)ERROR] tid(0x7f1672c50f40) | dcap_quoteprov: [ERROR]: Error fetching TCB Info: 57371
2023-02-14T12:42:41+0000.435193Z [(H)ERROR] tid(0x7f1672c50f40) | :OE_QUOTE_PROVIDER_CALL_ERROR [/source/openenclave/host/sgx/sgxquoteprovider.c:oe_get_sgx_quote_verification_collateral:138]
2023-02-14T12:42:41+0000.435228Z [(H)ERROR] tid(0x7f1672c50f40) | :OE_QUOTE_PROVIDER_CALL_ERROR [/source/openenclave/host/sgx/ocalls/ocalls.c:oe_get_quote_verification_collateral_with_baseline_ocall:239]

Is it possible to set the tcb somewere in dcap config files to another value?

Issue to track the work for porting the local caching of PCK Certificates feature to the Windows Azure DCAP library.

@msft-chow currently working on this.

Now that Intel's SGX installers officially support Ubuntu 20.04, can Microsoft do the same for the AZ DCAP client?

There is no 20.04 debian package up on deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main for the az-dcap client. I thought I'd try building it myself from source, but the code doesn't compile with g++ 9.3.0 that comes with Ubuntu 20.04.

Thanks!

The body returned by Intel from the "Get PCK Certificate" API does not end with a newline. In build_cert_chain, this body is concatenated with the certificate chain without adding a newline, resulting in an incorrectly-formatted certificate chain.

Hello! I am facing the issue when deploying a container with quote generation inside AKS using the Azure DCAP 1.10 library. The sgx-quote-helper is installed in the cluster acting as the aesmd service. The PCCS server is served by Azure at https://global.acccache.azure.net/...
In this case, I do not specify values in the/etc/sgx_default_qcnl.conf file as it is not needed. The size of the node in a cluster is Standard_DC2s_v3. I connect to the cluster through the Azure VM with the DC1s_v3 size.

[get_platform_quote_cert_data ../qe_logic.cpp:347] Error returned from the p_sgx_get_quote_config API. 0xe046 2021-11-22T08:22:20.686Z ERROR setup SGX initialization {"error": "pkcs11: 0x5: CKR_GENERAL_ERROR"}

If you have an idea of how to overcome the issue it would be highly appreciated. Thanks.

Intel released the DCAP libraries v1.11 on July 12, 2021.

Using the v1.11 DCAP libraries with Azure DCAP Client v1.10 on Ubuntu 20.04 produced the following warning message:

[get_qpl_handle ../qe_logic.cpp:295] Failed to set logging callback for the quote provider library.

We need to update the Jenkinsfile from this repository and incorporate the changes from this OE PR openenclave/openenclave#1341.

Intel released new DCAP package version 1.12 and introduced qve collateral version 3.1.

typedef struct _sgx_ql_qve_collateral_t {
    uint8_t version[2];     ///< version[0] = major_version, version[1] =
                            ///< minor_version.  For PCS V1 and V2 APIs, the
                            ///< major_version = 1 and minor_version = 0 and
                            ///< the CRLs will be formatted in PEM. For
                            ///< PCS V3 APIs, the major_version = 3 and the
                            ///< minor_version can be either 0 or 1.  A
                            ///< minor_verion of 0 indicates the CRL’s are
                            ///< formatted in Base16 encoded DER.  A minor
                            ///< version of 1 indicates the CRL’s are
                            ///< formatted in raw binary DER.
//...
//...
} sgx_ql_qve_collateral_t;

The version is supposed to be a 4-byte value. This is a typo in the spec and will be fixed soon. az-dcap-client likely already encodes CRL in raw binary DER, which is version 3.1 format. The task is to bump up the the version from 3.0 to 3.1.

Related to this Open Enclave issue

According to Intel SGX ECDSA QuoteLibReference page 20:

"See the sgx_ql_qve_collateral_t definition.
The ‘version’ field of the gx_ql_qve_collateral_t structure will reflect the version of the
PCCS/PCS API used to retrieve the collateral. For V1 and V2 APIs, the ‘version’ field with have
a value of 1. For V3 APIs, the ‘version’ field will have the value of 3."

In dcap_provider.cpp near line 1574
p_quote_collateral->version = 1;

The version should be determined by the API version.

Instead of building the Docker images on the fly (which is vulnerable to a lot of race conditions), we should be using pre-pushed Docker images in the Jenkinsfile.

This effort was already done to the OE repository as part of the openenclave/openenclave#1695.

We should adopt the same changes here.

Right now, the CI uses the latest master openenclave build for the testing stages. We need to make sure that Azure-DCAP-Client works with the official released binaries.

As of today, only the 16.04 binary is released, but the 18.04 binary will be released soon.

Check-list:

• Add CI testing stage using the official 16.04 OE package
• Add CI testing stage using the official 18.04 OE package (once released)

Hello, on the current Ubuntu LTS (22.04), libssl-dev installs OpenSSL 3.0, which deprecates a few functions. Unfortunately, this causes Azure-DCAP-Client to fail to build from source because of usage of some functions that have been deprecated in 3.0:

local_cache.cpp: In function 'std::string sha256(size_t, const void*)':
local_cache.cpp:244:16: error: 'int SHA256_Init(SHA256_CTX*)' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  244 |     SHA256_Init(&sha256);
      |     ~~~~~~~~~~~^~~~~~~~~
In file included from local_cache.cpp:13:
/usr/include/openssl/sha.h:73:27: note: declared here
   73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);
      |                           ^~~~~~~~~~~
local_cache.cpp:245:18: error: 'int SHA256_Update(SHA256_CTX*, const void*, size_t)' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  245 |     SHA256_Update(&sha256, data, data_size);
      |     ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from local_cache.cpp:13:
/usr/include/openssl/sha.h:74:27: note: declared here
   74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
      |                           ^~~~~~~~~~~~~
local_cache.cpp:246:17: error: 'int SHA256_Final(unsigned char*, SHA256_CTX*)' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  246 |     SHA256_Final(hash, &sha256);
      |     ~~~~~~~~~~~~^~~~~~~~~~~~~~~
In file included from local_cache.cpp:13:
/usr/include/openssl/sha.h:76:27: note: declared here
   76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c);
      |                           ^~~~~~~~~~~~
cc1plus: all warnings being treated as errors
make: *** [Makefile:28: local_cache.o] Error 1

Hi,

I observed there is some regression in Azure-DCAP-Client 1.10. With the help of 1.10, sgx dcap quote generation is successful , but quote verification fails. This issue is obeserved for both in-proc and out-of-proc mode quote verification.

Steps to reproduce:

1. Install az-dcap-client 1.10 on Azure VM.
2. Generate SGX in-proc (or out-of-proc) mode quote (sample link: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/SampleCode/QuoteGenerationSample). (Successful).
3. Verify SGX quote (error: App: sgx_qv_verify_quote failed: 0xe022).

Note: With Azure-DCAP-Client 1.8 both quote generation and verification are successful on Azure confidential compute VM.

Any thoughts on this would be really helpful.

Thanks

In version 0.0.2 of the Azure-DCAP-Client for windows, the quote provider dll is missing the following functions:

sgx_get_qe_identity_info
sgx_free_qe_identity_info

I fix is to update the dcap_provider.def to include these 2 missing functions.