MPA start failed and get pckcert 404

[reclock]

Hello, I currently have a physical server machine with an Intel (R) Xeon (R) Silver 4310 * 2 CPU. The system is using Ubuntu 22.04, which was virtualized using EXSI7.0. Currently, the machine cannot be connected to the network.

1. I found that machines with multiple CPUs need to register to use SGX. I installed the MPA service, but the service exited after starting it
   

2. I have enabled SGX reset mode and checked the log file/var/log/mpa_ Registration.log:

[22-01-2024 09:36:10] INFO: SGX Registration Agent version: 1.18.100.1
[22-01-2024 09:36:10] INFO: Starts Registration Agent Flow
[22-01-2024 09:36:10] Error: readUEFIVar: failed to open uefi variable/sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45, error: No such file or directory
[22-01-2024 09:36:10] Error: getRegistrationStatus: SgxRegistrationStatus UEFI variable was not found or size not as expected
[22-01-2024 09:36:10] Error: getRegistrationStatus: SgxRegistrationStatus automatic size: 0, expected size: 7
[22-01-2024 09:36:10] Error: Registration Flow - getRegistrationStatus failed, error: 4
[22-01-2024 09:36:10] INFO: setRegistrationStatus: status. status=0x1a, statusUefi. status=0x02
[22-01-2024 09:36:10] Error: writeUEFIVar: failed to open uefi variable/sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45, error: No such file or directory
[22-01-2024 09:36:10] Error: setRegistrationStatus: failed to write uefi variable
[22-01-2024 09:36:10] Error: setRegistrationStatus failed, error: 4
[22-01-2024 09:36:10] INFO: Completed Registration Agent Flow

3. This is my BISO settings:
   

4. this is my ESXI settings:
   

My question is：

Q1: Do MPA services need to be connected to the internet in order to be used? Is it impossible to complete registration without connecting to the internet? Because I saw Intel_ SGX_ DCAP_ Multipackage_ The document SW.pdf states that networking is required

[jsun39]

1. Network is needed for MPA.
2. MPA need be executed in host/bare-metal platform.

[jsun39]

Of course, registration has two ways: 1. MPA is used to do direct registration. 2. PCKIDretrieval tool could be used to do indirect registration. You can refer to : https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/DCAP_ECDSA_Orientation.pdf
section 2.

[reclock]

root@shudun:/opt/intel/sgx-pck-id-retrieval-tool# ./PCKIDRetrievalTool
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.19.100.3
Warning: platform manifest is not available or current platform is not multi-package platform.
Error: network error, please check the network setting or whether the cache server is down.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

this is pckid_retrieval.csv
pckid_retrieval.csv

I obtained the platform using the Python pccsadmin. py collect platform_list.json
this is platform_list.json
platform_list.json

Afterwards, I will use the platform_list.json failed to apply for PCK certificate from Intel
python3 .\pccsadmin.py fetch

Request get: https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts?encrypted_ppid=4e2f65f095740d8db28212925f0080e87a35349bd0df4b17de10e3867d90f35f2dbb257e1406ae29ef5893fdbe366025a9dea2a4989706d982d88097fe8bb4f3a5e827af79454fac85154c7d1ab9c883e62a485ac3ad4fcb5c43f4102b1c49b9cb4dcbd927a13ef010c265c5d5af67e1f605604b0de993083fd50fda0985b87b56e145b0f7031db8144cdcc2b89c97168d41465f52a281fbc536f54fd88361d298c37ecad1cc8cae90c6d75aded8efcf0ba51588eaf0650a315317194891d5e02e9f4f853d755991f933e7b23124cebf8f7bbf2b50cf23c84de0ed8dab72091c81d061e33636c21cd24cb8c29188302982a6b672e6a70f945a096a146af6b698bc33b869513c287dbc5215a1f805e5f11cdcdbeb07f518b3f30a598d938f878f63226590fef4b4fa89aebd972ddf627187283a2ce3bcc2477a576bb3c073e5a6d9d6fa8d4b48d5dcb93532cd086ab9bb2afd5e42c63d9f423990d3c1efa162f5d6d26ec1e8f19a42e50d2b6f5479f12fb7d12a0ca1ca11b55ab7dbfbf17d2f45&pceid=0000
response: 404

Failed to get PCK certs for platform enc_ppid:4e2f65f095740d8db28212925f0080e87a35349bd0df4b17de10e3867d90f35f2dbb257e1406ae29ef5893fdbe366025a9dea2a4989706d982d88097fe8bb4f3a5e827af79454fac85154c7d1ab9c883e62a485ac3ad4fcb5c43f4102b1c49b9cb4dcbd927a13ef010c265c5d5af67e1f605604b0de993083fd50fda0985b87b56e145b0f7031db8144cdcc2b89c97168d41465f52a281fbc536f54fd88361d298c37ecad1cc8cae90c6d75aded8efcf0ba51588eaf0650a315317194891d5e02e9f4f853d755991f933e7b23124cebf8f7bbf2b50cf23c84de0ed8dab72091c81d061e33636c21cd24cb8c29188302982a6b672e6a70f945a096a146af6b698bc33b869513c287dbc5215a1f805e5f11cdcdbeb07f518b3f30a598d938f878f63226590fef4b4fa89aebd972ddf627187283a2ce3bcc2477a576bb3c073e5a6d9d6fa8d4b48d5dcb93532cd086ab9bb2afd5e42c63d9f423990d3c1efa162f5d6d26ec1e8f19a42e50d2b6f5479f12fb7d12a0ca1ca11b55ab7dbfbf17d2f45, pce_id:0000

[reclock]

in platform_list.json the platform_manifest is null

[jsun39]

did you execute this PCKIDRetrieval tool in host/bare-mental environment?

[reclock]

I executed PCKIDRetrieval on the virtual system Ubuntu 22.04 on ESXI because the machine already has ESXI installed. Do you mean that the host cannot install ESXI and should be installed directly on Ubuntu systems?

[jsun39]

No.
You need execute PCKIDRetrieval tool in host. Running it in VM could not do registration.

[dashuaic]

Can you check if these 2 variables exist on your host? They are needed for registration.
/sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

[reclock]

No. You need execute PCKIDRetrieval tool in host. Running it in VM could not do registration.

That means I need to uninstall VM and reinstall Ubuntu, and run PCKIDRetrieval directly in Ubuntu. Is this okay？

[reclock]

Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

At present, I can only access the VM host, which does not have this file

[dashuaic]

Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

At present, I can only access the VM host, which does not have this file

You can't register your platform on VM because the registration process need the information stored in these 2 variables. you need to register your platfrom on host(which owns these 2 variables), after that you can do normal action in VM.

[reclock]

Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

At present, I can only access the VM host, which does not have this file

You can't register your platform on VM because the registration process need the information stored in these 2 variables. you need to register your platfrom on host(which owns these 2 variables), after that you can do normal action in VM.

I understand what you said, but one issue is that if other services are deployed on this machine, I cannot reinstall the system on the machine, which is not realistic. I can use another hard drive to enter the system and complete the registration. Can we replace it with the original hard drive and import the PCK certificate for remote authentication?

[dashuaic]

Can you check if these 2 variables exist on your host? They are needed for registration. /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45 , /sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45

At present, I can only access the VM host, which does not have this file

You can't register your platform on VM because the registration process need the information stored in these 2 variables. you need to register your platfrom on host(which owns these 2 variables), after that you can do normal action in VM.

I understand what you said, but one issue is that if other services are deployed on this machine, I cannot reinstall the system on the machine, which is not realistic. I can use another hard drive to enter the system and complete the registration. Can we replace it with the original hard drive and import the PCK certificate for remote authentication?

Yes, you can replace hard drive and do registration to check.

[reclock]

OK
Now I can see that there is /sys/firmware/efi/efivars/SgxRegistrationStatus f236c5dc-a491-4bbe bcdd-8885770df45 on the host, but I will report an error when using PCKIDRetrievalTool:

sudo LD_LIBRARY_PATH=. ./PCKIDRetrievalTool -platform_id "219d07423c796a6cb7a8e69622bc90ac
Intel(R)Software Guard Extensions PcK cert ID Retrieval Tool version 1.20.100.2
Error: the retrieved data doesn't save to file,and it doesn't upload to cache server.

This machine does not have PCCS installed. PCCS is on another machine and is not connected to the network. It was deployed using the OFF_LINE mode.

How should I generate a pckid_ Where is the retrieval.csv file?

[reclock]

Currently, I have completed registration and am using

curl - v - X POST -- data '{"platformManifest": "xxx", "pceid": "xxxx"}'“ https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts "- H" Ocp API Subscription Key: {xxxx} "- H" Content Type: application/JSON“

We also obtained the PCK certificate JSON, but encountered an error of 400 when importing the certificate to the PCCS service.
I use the commond: pyrhon3 pccsadmin put -i pck.json

mp_pck.json

this is error:

[reclock]

1. ./PCKIDRetrievalTool generated file pckid_retrieval.csv then ./pccsadmin.py collect generated file platform_list.json

2. ./pccsadmin.py fetch , error 404
   pckid_retrieval.csv

platform_list.json

[reclock]

this is the process I am currently undergoing:

1. mpa_manage -get_platform_manifest manifest.data

2. curl -H "Content-Type: application/octet-stream" -v --data-binary manifest.data -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"

   response: 648ADC27E4E5BD15BBF5B04F8A987A7F

3. ./PCKIDRetrievalTool -platform_id 648ADC27E4E5BD15BBF5B04F8A987A7F

this step cannot directly generate a CSV file and prompts to write it to PCCS. if you do not use -platform_id parameter can directly generate CSV files

4. ./pccsadmin.py get
   get file：platform_list.json

5. get pck cert: curl -v -X POST --data '{"platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
   get file: mp_pck.json

[woogieboogie-jl]

@reclock Greetings!

I've encountered same problem.

Currently I'm trying to get my platform_manifest and wondering how you managed to pull it off (the 'manifest.data' file)
I've just copy-pasted the fifth column's data in the pckid_retrieval.csv file but the intel registration api keeps returning Error 400: InvalidRequestSyntax

Do you have any updates on this thread? anyone?

[FunnyShelby]

您好，我目前有一台带有 Intel （R） Xeon （R） Silver 4310 * 2 CPU 的物理服务器机器。系统使用的是 Ubuntu 22.04，它是使用 EXSI7.0 虚拟化的。目前，本机无法连接到网络。

1. 我发现具有多个 CPU 的机器需要注册才能使用 SGX。我安装了 MPA 服务，但该服务在启动后退出
   
2. 我已经启用了 SGX 重置模式并检查了日志文件/var/log/mpa_ Registration.log：

[22-01-2024 09:36:10]信息：新交所注册代理版本：1.18.100.1 [22-01-2024 09：36：10] 信息：启动注册代理流程 [22-01-2024 09：36：10] 错误：readUEFIVar：无法打开 uefi 变量/sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45，错误：没有这样的文件或目录 [22-01-2024 09：36：10] 错误：getRegistrationStatus：找不到 SgxRegistrationStatus UEFI 变量或大小不符合预期[22-01-2024 09:36:10]错误：getRegistrationStatus：SgxRegistrationStatus 自动大小：0，预期大小：7 [22-01-2024 09：36：10] 错误：注册流 - getRegistrationStatus 失败，错误：4 [22-01-2024 09：36：10] 信息：setRegistrationStatus：状态。status=0x1a，statusUefi。status=0x02 [22-01-2024 09：36：10] 错误：writeUEFIVar：无法打开 uefi 变量/sys/firmware/efi/efivars/SgxRegistrationStatus-f236c5dc-a491-4bbe-bcdd-8885770df45，错误：没有这样的文件或目录 [22-01-2024 09：36：10] 错误：setRegistrationStatus：无法写入 uefi 变量 [22-01-2024 09：36：10] 错误：setRegistrationStatus 失败，错误：4 [22-01-2024 09：36：10] 信息：已完成注册代理流程

3. 这是我的BISO设置：
   
4. 这是我的 ESXI 设置：
   

我的问题是：

Q1：MPA服务是否需要连接到互联网才能使用？如果不连接到互联网就无法完成注册吗？因为我看到了Intel_ SGX_ DCAP_ Multipackage_ 文档SW.pdf指出需要网络

Hello, bro! I just came into contact with sgx, and I don't quite understand the specific operation of the content you talked about before. The problem you raised at the beginning is the same, but I still haven't solved it yet. May I ask how you solved it step by step? (Politely)

[dashuaic]

Yes, the MPA requires a network to complete the registration process.

[FunnyShelby]

Yes, the MPA requires a network to complete the registration process.

Thank you for your reply! But I don't know how to operate to complete this part[sad]