
Error: tee_verify_quote failed: 0xe022 #353

Open
shuk777 opened this issue Nov 14, 2023 · 4 comments

Comments


shuk777 commented Nov 14, 2023

Seems this error is about PCK certificate chain verification. I checked my quote; its certification data type is ECDSA_SIG_AUX_DATA (QE Report Certification Data). I don't know how to get cert type 5 (PCK_CERT_CHAIN); the QGS seems to successfully get the PCK chain from the PCCS, but there is no cert chain in the quote.

full output:

[APP] Info: ECDSA quote path: /home/jaco/go-tdx/quote.dat
[APP] Trusted quote verification:
[APP] Info: get target info successfully returned.
[APP] Info: sgx_qv_set_enclave_load_policy successfully returned.
[APP] Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
[APP] Info: latest supplemental data major version: 3, minor version: 2, size: 496
[APP] Error: App: tee_verify_quote failed: 0xe022

===========================================

[APP] Untrusted quote verification:
[APP] Info: tee_get_quote_supplemental_data_version_and_size successfully returned.
[APP] Info: latest supplemental data major version: 3, minor version: 2, size: 496
[APP] Error: App: tee_verify_quote failed: 0xe022
Author

shuk777 commented Nov 14, 2023

It seems my quote is in the Full TD Quote v4 format? The certificate chain seems to be appended at the end of the certification data. So maybe this error is because I'm using a pre-production CPU, so the trusted root is different?
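To make the structure described in this thread concrete, here is an added example (not code from this repository or from either commenter) that walks a v4 TD quote's signature data and shows why the certification data type reads as 6 (ECDSA_SIG_AUX_DATA) while the PCK chain is still present: the type-5 PCK_CERT_CHAIN structure is nested at the end of the type-6 structure, after the QE report, QE report signature and QE authentication data. The layout constants (48-byte header, 584-byte TD report body, 384-byte QE report, 64-byte signatures) are taken from the public DCAP quote v4 format; the sample quote and the PEM blocks in it are constructed placeholders, not real certificates. A verifier such as QVL then checks the last certificate of the extracted chain against its own pinned root key, which is exactly the check that fails for a pre-production root.

```python
import struct

# Certification data types from the DCAP quote format (sgx_ql_cert_key_type_t);
# only the two relevant to this issue are listed.
PCK_CERT_CHAIN = 5       # PEM PCK leaf + intermediate CA + root CA
ECDSA_SIG_AUX_DATA = 6   # QE report + QE signature + auth data + nested cert data

QUOTE_HEADER_LEN = 48    # v4 quote header
TD_REPORT_BODY_LEN = 584 # TD report body
QE_REPORT_LEN = 384      # SGX report body of the quoting enclave


def _read(buf, off, fmt):
    """Unpack little-endian fields at off; return (fields, new offset)."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ValueError(f"truncated structure at offset {off}")
    return struct.unpack_from(fmt, buf, off), off + size


def parse_cert_data(buf, off):
    """Parse one 'QE Certification Data' block: u16 type, u32 size, payload."""
    (cert_type, size), off = _read(buf, off, "<HI")
    if off + size > len(buf):
        raise ValueError("certification data runs past end of buffer")
    return cert_type, buf[off:off + size], off + size


def find_pck_cert_chain(quote):
    """Return (type_path, pem_bytes) for a v4 TD quote.

    type_path lists the certification data types seen on the way down,
    e.g. [6, 5] for a quote whose PCK chain is nested inside QE report data."""
    (version,), _ = _read(quote, 0, "<H")
    if version != 4:
        raise ValueError(f"unsupported quote version {version}")
    off = QUOTE_HEADER_LEN + TD_REPORT_BODY_LEN
    (sig_len,), off = _read(quote, off, "<I")
    if off + sig_len > len(quote):
        raise ValueError("signature data length exceeds quote")
    off += 64 + 64  # ECDSA signature over header+body, then attestation public key
    path = []
    cert_type, data, _ = parse_cert_data(quote, off)
    path.append(cert_type)
    if cert_type == ECDSA_SIG_AUX_DATA:
        # Inside: QE report, QE report signature, QE auth data (u16 len + bytes),
        # then a second certification data block, normally type 5.
        inner = QE_REPORT_LEN + 64
        (auth_len,), inner = _read(data, inner, "<H")
        inner += auth_len
        cert_type, data, _ = parse_cert_data(data, inner)
        path.append(cert_type)
    if cert_type != PCK_CERT_CHAIN:
        raise ValueError(f"no PCK certificate chain; certification data path {path}")
    return path, data


def split_pem_chain(pem):
    """Split the PEM blob into individual certificates, leaf first, root last."""
    text = pem.rstrip(b"\x00").decode("ascii")
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    certs, pos = [], 0
    while (s := text.find(begin, pos)) >= 0:
        e = text.find(end, s)
        if e < 0:
            raise ValueError("unterminated PEM block")
        e += len(end)
        certs.append(text[s:e])
        pos = e
    return certs


def inspect_quote(quote):
    """Summarise where the chain sits and which certificate the verifier must pin."""
    path, pem = find_pck_cert_chain(quote)
    certs = split_pem_chain(pem)
    return {"cert_type_path": path, "chain_len": len(certs), "root": certs[-1]}


# --- constructed sample input (placeholder certificates, not real ones) ---------
def _fake_cert(label):
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n".encode()


SAMPLE_CHAIN = (_fake_cert("PCK-LEAF-CONSTRUCTED")
                + _fake_cert("PCK-PLATFORM-CA-CONSTRUCTED")
                + _fake_cert("ROOT-CA-CONSTRUCTED") + b"\x00")


def build_sample_quote(pem_chain):
    """Build a synthetic v4 TD quote nesting type 5 inside type 6, as DCAP does."""
    inner = struct.pack("<HI", PCK_CERT_CHAIN, len(pem_chain)) + pem_chain
    qe_auth = b"\x00" * 32
    aux = (b"\x11" * QE_REPORT_LEN + b"\x22" * 64
           + struct.pack("<H", len(qe_auth)) + qe_auth + inner)
    sig = (b"\x33" * 64 + b"\x44" * 64
           + struct.pack("<HI", ECDSA_SIG_AUX_DATA, len(aux)) + aux)
    header = struct.pack("<HHI", 4, 2, 0x81) + b"\x00" * (QUOTE_HEADER_LEN - 8)
    return header + b"\x00" * TD_REPORT_BODY_LEN + struct.pack("<I", len(sig)) + sig


if __name__ == "__main__":
    print(inspect_quote(build_sample_quote(SAMPLE_CHAIN)))
```

Run against a real quote.dat, `cert_type_path` comes out as `[6, 5]` for a quote like the one in this issue: the chain is there, one level down. Whether the last certificate is accepted is a separate, policy decision made by the verifier against the root it trusts, not something the quote itself can settle.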

Contributor

hyjiang commented Nov 14, 2023

> It seems my quote is in the Full TD Quote v4 format? The certificate chain seems to be appended at the end of the certification data. So maybe this error is because I'm using a pre-production CPU, so the trusted root is different?

Yes. SGX_QL_PCK_CERT_CHAIN_ERROR (0x22) always means you are using a pre-production CPU in this case.

Author

shuk777 commented Nov 14, 2023

Is there a way to fix this? I was thinking of changing the hardcoded INTEL_ROOT_PUB_KEY to the SBX root CA public key.

Also, I was following this white paper to run the attestation workflow. It aims at TDX 1.5:

> NOTE: Since TDX module 1.5 has no production-signed version yet, TDX attestation
> in Linux Stack for Intel TDX 1.5 will use SBX server. The corresponding URL and
> configuration will be based on SBX server as well.

The paper leads me to the verification sample code in this repo, so it is quite confusing if the verification code does not support pre-production.

Contributor

hyjiang commented Nov 14, 2023

Official DCAP QVL/QvE doesn't support pre-production silicon by default, so we only hardcode the production Intel(R) root public key.

You are right: you can pass quote verification by changing INTEL_ROOT_PUB_KEY to the SBX root public key and then building your own QVL.
