SGX certificate extension parsing on Icelake platform fails #3134
Labels
attestation
Related to attestation
SGX
Tag indicating associated with Intel SGX
triaged
This label classifies an issue/PR as having been triaged.
Comments
@yentsanglee Do those optional extensions only apply to Icelake or do they apply to pre-Icelake systems as well?
According to the spec, the optional extensions apply to pre-Icelake systems but Intel PCCS just never specified them.
bors bot pushed a commit that referenced this issue on Jun 19, 2020:
3153: Add uniqueness check for oesign .conf values r=radhikaj a=CodeMonkeyLeet

- Enforce during oesign parsing of .conf files that each attribute may only be specified once.
- Fix oesign to allow overwriting the `debug` attribute at sign time.
- Add tests for duplicate attribute checks in .conf files.
- Add tests for overwriting SGX enclave properties defined at build time.

Fixes #3134

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
Co-authored-by: Simon Leet <simon.leet@microsoft.com>
Wrong pull request. This issue has not been resolved.
radhikaj added the triaged label on Jun 22, 2020
qiucwang added a commit to qiucwang/openenclave that referenced this issue on Jun 30, 2020:
Signed-off-by: Qiucheng Wang <qiucwang@microsoft.com>
bors bot pushed a commit that referenced this issue on Jul 1, 2020:
3204: Fixes #3134, update ParseSGXExtensions. r=mingweishih a=qiucwang

Fixes #3134

Intel has updated their SGX custom x.509 extensions for PCK Certificates defined [here](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_PCK_Certificate_CRL_Spec-1.4.pdf) (Page 12-14). But the `ParseSGXExtensions()` hasn't been updated yet. The SGX extensions only changed optional fields which are normally not contained in certificates. That's why current parser didn't crash. On Icelake platform, the certificate extensions contain those optional fields and led to issue #3134.

SGX extension field updates:

```
1.2.840.113741.1.13.1.(1 - 5) unchanged.

Old:
1.2.840.113741.1.13.1.6: Dynamic Platform (boolean, optional)
1.2.840.113741.1.13.1.7: Cached Keys (boolean, optional)

New:
1.2.840.113741.1.13.1.6: Platform Instance ID (string, optional)
1.2.840.113741.1.13.1.7: Configuration (sequence, optional)
1.2.840.113741.1.13.1.7.1: Dynamic Platform (string, optional)
1.2.840.113741.1.13.1.7.2: Cached Keys (string, optional)
1.2.840.113741.1.13.1.7.3: SMT enabled (string, optional)
```

A sample of updated parsing result:

```
// SGX Extension: 1.2.840.113741.1.13.1:
    0:d=0  hl=4 l= 550 cons: SEQUENCE
    4:d=1  hl=2 l=  30 cons: SEQUENCE
    6:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.1
   18:d=2  hl=2 l=  16 prim: OCTET STRING
      0000 - 6d ff cf 33 8e bf 41 d8-4c f9 51 cc 4a 84 17 70   m..3..A.L.Q.J..p
   36:d=1  hl=4 l= 355 cons: SEQUENCE
   40:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.2
   52:d=2  hl=4 l= 339 cons: SEQUENCE
   56:d=3  hl=2 l=  16 cons: SEQUENCE
   58:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.1
   71:d=4  hl=2 l=   1 prim: INTEGER           :01
   74:d=3  hl=2 l=  16 cons: SEQUENCE
   76:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.2
   89:d=4  hl=2 l=   1 prim: INTEGER           :01
   92:d=3  hl=2 l=  16 cons: SEQUENCE
   94:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.3
  107:d=4  hl=2 l=   1 prim: INTEGER           :00
  110:d=3  hl=2 l=  16 cons: SEQUENCE
  112:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.4
  125:d=4  hl=2 l=   1 prim: INTEGER           :00
  128:d=3  hl=2 l=  16 cons: SEQUENCE
  130:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.5
  143:d=4  hl=2 l=   1 prim: INTEGER           :00
  146:d=3  hl=2 l=  16 cons: SEQUENCE
  148:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.6
  161:d=4  hl=2 l=   1 prim: INTEGER           :00
  164:d=3  hl=2 l=  16 cons: SEQUENCE
  166:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.7
  179:d=4  hl=2 l=   1 prim: INTEGER           :00
  182:d=3  hl=2 l=  16 cons: SEQUENCE
  184:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.8
  197:d=4  hl=2 l=   1 prim: INTEGER           :00
  200:d=3  hl=2 l=  16 cons: SEQUENCE
  202:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.9
  215:d=4  hl=2 l=   1 prim: INTEGER           :00
  218:d=3  hl=2 l=  16 cons: SEQUENCE
  220:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.10
  233:d=4  hl=2 l=   1 prim: INTEGER           :00
  236:d=3  hl=2 l=  16 cons: SEQUENCE
  238:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.11
  251:d=4  hl=2 l=   1 prim: INTEGER           :00
  254:d=3  hl=2 l=  16 cons: SEQUENCE
  256:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.12
  269:d=4  hl=2 l=   1 prim: INTEGER           :00
  272:d=3  hl=2 l=  16 cons: SEQUENCE
  274:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.13
  287:d=4  hl=2 l=   1 prim: INTEGER           :00
  290:d=3  hl=2 l=  16 cons: SEQUENCE
  292:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.14
  305:d=4  hl=2 l=   1 prim: INTEGER           :00
  308:d=3  hl=2 l=  16 cons: SEQUENCE
  310:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.15
  323:d=4  hl=2 l=   1 prim: INTEGER           :00
  326:d=3  hl=2 l=  16 cons: SEQUENCE
  328:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.16
  341:d=4  hl=2 l=   1 prim: INTEGER           :00
  344:d=3  hl=2 l=  16 cons: SEQUENCE
  346:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.17
  359:d=4  hl=2 l=   1 prim: INTEGER           :09
  362:d=3  hl=2 l=  31 cons: SEQUENCE
  364:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.2.18
  377:d=4  hl=2 l=  16 prim: OCTET STRING
      0000 - 01 01 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
  395:d=1  hl=2 l=  16 cons: SEQUENCE
  397:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.3
  409:d=2  hl=2 l=   2 prim: OCTET STRING
      0000 - 00 00                                             ..
  413:d=1  hl=2 l=  20 cons: SEQUENCE
  415:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.4
  427:d=2  hl=2 l=   6 prim: OCTET STRING
      0000 - 00 60 6a 00 00 00                                 .`j...
  435:d=1  hl=2 l=  15 cons: SEQUENCE
  437:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.5
  449:d=2  hl=2 l=   1 prim: ENUMERATED        :01
  452:d=1  hl=2 l=  30 cons: SEQUENCE
  454:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.6
  466:d=2  hl=2 l=  16 prim: OCTET STRING
      0000 - 84 c0 0e 98 eb 61 be da-99 9d f9 9d d0 18 01 ef   .....a..........
  484:d=1  hl=2 l=  68 cons: SEQUENCE
  486:d=2  hl=2 l=  10 prim: OBJECT            :1.2.840.113741.1.13.1.7
  498:d=2  hl=2 l=  54 cons: SEQUENCE
  500:d=3  hl=2 l=  16 cons: SEQUENCE
  502:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.7.1
  515:d=4  hl=2 l=   1 prim: BOOLEAN           :255
  518:d=3  hl=2 l=  16 cons: SEQUENCE
  520:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.7.2
  533:d=4  hl=2 l=   1 prim: BOOLEAN           :255
  536:d=3  hl=2 l=  16 cons: SEQUENCE
  538:d=4  hl=2 l=  11 prim: OBJECT            :1.2.840.113741.1.13.1.7.3
  551:d=4  hl=2 l=   1 prim: BOOLEAN           :255
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:2a:6d:e2:91:e5:ea:55:54:a8:fb:34:1e:67:77:
         d2:dc:67:45:7e:d9:64:f2:57:16:8e:5f:23:ff:f9:74:c9:1f:
         02:21:00:cc:bd:e1:5e:19:4d:30:f0:a9:e6:3b:09:2d:5a:2f:
         49:c9:9d:29:39:dd:8d:97:87:7d:39:34:5b:aa:8d:dc:f4
parsed qe certificate extension (1.2.840.113741.1.13.1) {
    ppid (hex): 6dffcf338ebf41d84cf951cc4a841770
    comp_svn (hex): 01010000000000000000000000000000
    pce_svn: 0x9
    cpu_svn (hex): 01010000000000000000000000000000
    pce_id (hex): 0000
    fmspc (hex): 00606a000000
    sgx_type: 1
    opt_platform_instance_id (hex): 84c00e98eb61beda999df99dd01801ef
    opt_dynamic_platform: true
    opt_cached_keys: true
    opt_smt_enabled: true
}
qe cert extension
```

Signed-off-by: Qiucheng Wang <qiucwang@microsoft.com>
Co-authored-by: Qiucheng Wang <qiucwang@microsoft.com>
Co-authored-by: qiucwang <61811412+qiucwang@users.noreply.github.com>
rs-- pushed a commit to rs--/openenclave that referenced this issue on Aug 4, 2020:
- Enforce during oesign parsing of .conf files that each attribute may only be specified once.
- Fix oesign to allow overwriting the `debug` attribute at sign time.
- Add tests for duplicate attribute checks in .conf files.
- Add tests for overwriting SGX enclave properties defined at build time.

Fixes openenclave#3134

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
rs-- pushed a commit to rs--/openenclave that referenced this issue on Aug 4, 2020:
Signed-off-by: Qiucheng Wang <qiucwang@microsoft.com>
Remote attestation fails on Icelake platform from parsing SGX certificate extension. Error OE_INVALID_SGX_CERTIFICATE_EXTENSIONS in function ParseSGXExtensions() in openenclave\common\sgx\sgxcertextensions.c.
Current code in ParseSGXExtensions() only parses up to extension OPT_CACHED_KEYS_OID (1.2.840.113741.1.13.1.7) while more optional extension OIDs (up to 1.2.840.113741.1.13.1.7.3) are defined in SGX Spec.
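Added example, not Open Enclave's code, illustrating both the issue description and the layout change in the PR message above: a minimal DER walker for the SGX PCK extension that treats every entry as SEQUENCE{OID, value} and recurses into nested SEQUENCE values, so the Icelake-era 1.13.1.6 (OCTET STRING) and 1.13.1.7 (SEQUENCE of BOOLEANs) entries parse like the TCB entry instead of triggering a certificate rejection, while tags the spec does not define still fail closed. The sample DER is constructed here from the values in the PR's dump, with the PPID, TCB and PCE-ID entries omitted to keep it short.

```python
# Added example (not Open Enclave code): DER walker for the SGX PCK extension that
# accepts the optional 1.13.1.6 / 1.13.1.7 entries instead of rejecting the cert.

def _tlv(buf, pos):  # -> (tag, content, next_pos) for the DER element at buf[pos]
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the length's byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _oid(content):  # decode base-128 OID content bytes to dotted form
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _pairs(body):  # SEQUENCE OF SEQUENCE{OID, value}; nested SEQUENCE values recurse
    out, pos = {}, 0
    while pos < len(body):
        etag, entry, pos = _tlv(body, pos)
        if etag != 0x30:
            raise ValueError("SGX extension entry is not a SEQUENCE")
        otag, oid_bytes, p = _tlv(entry, 0)
        if otag != 0x06:
            raise ValueError("SGX extension entry does not start with an OID")
        vtag, val, _ = _tlv(entry, p)
        oid = _oid(oid_bytes)
        if vtag == 0x30: out[oid] = _pairs(val)                           # TCB / Configuration
        elif vtag == 0x04: out[oid] = val.hex()                           # OCTET STRING
        elif vtag in (0x02, 0x0A): out[oid] = int.from_bytes(val, "big")  # INTEGER / ENUMERATED
        elif vtag == 0x01: out[oid] = val != b"\x00"                      # BOOLEAN
        else: raise ValueError(f"unsupported tag 0x{vtag:02x} under {oid}")  # fail closed
    return out

def parse_sgx_extension(der):
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30: raise ValueError("SGX extension is not a SEQUENCE")
    return _pairs(body)

# Constructed sample DER (values from the PR's dump; PPID, TCB and PCE-ID entries omitted for brevity).
_P = "2a864886f84d010d01"  # encoded arcs of 1.2.840.113741.1.13.1
SAMPLE_DER = bytes.fromhex(
    "30818d" + "3014060a" + _P + "04040600606a000000"                     # .4 FMSPC
    + "300f060a" + _P + "050a0101"                                        # .5 SGX type
    + "301e060a" + _P + "06041084c00e98eb61beda999df99dd01801ef"          # .6 platform instance id
    + "3044060a" + _P + "073036" + "3010060b" + _P + "07010101ff"         # .7 configuration
    + "3010060b" + _P + "07020101ff" + "3010060b" + _P + "07030101ff")
```

`parse_sgx_extension(SAMPLE_DER)` returns a dict keyed by dotted OID, with the 1.13.1.7 Configuration entry as a nested dict of the three booleans.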