Merge pull request #44 from matter-labs/self-attestation-readme

docs: add bin/tee-self-attestation-test/README.md
matter-labs · Mar 8, 2024 · 1249048 · 1249048
2 parents 932da33 + 9f760da
commit 1249048
Showing 1 changed file with 74 additions and 0 deletions.
diff --git a/bin/tee-self-attestation-test/README.md b/bin/tee-self-attestation-test/README.md
@@ -0,0 +1,74 @@
+# self-attestation-test
+
+## Azure DCAP
+
+```bash
+❯ docker run -i --init --rm --privileged  --device /dev/sgx_enclave --net host \
+    matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \
+    | base64 -d --ignore-garbage \
+    | docker run -i --init --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest
+
+aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
+Gramine is starting. Parsing TOML manifest file, this may take some time...
+Verifying quote (4734 bytes)...
+Quote verification result: SwHardeningNeeded: Software hardening is needed
+	Info: Advisory ID: INTEL-SA-00615
+Quote verified successfully: SwHardeningNeeded: Software hardening is needed
+mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
+mrenclave: 23267adf8144a195ede71425c50529ac8fd1aa896fe91786c28406854f246ab9
+reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+```
+
+## PCCS DCAP
+
+Install iptables rules to forward traffic to 127.0.0.1:8081 to the PCCS server.
+
+```bash
+❯ sudo sysctl -w net.ipv4.conf.all.route_localnet=1
+❯ sudo iptables -t nat -A OUTPUT -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
+❯ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
+```
+
+```bash
+❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \
+    matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \
+    | base64 -d --ignore-garbage \
+    | docker run -i --init --rm --net host \
+    -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \
+    matterlabsrobot/verify-attestation-sgx-dcap:latest
+
+aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
+Gramine is starting. Parsing TOML manifest file, this may take some time...
+Verifying quote (4730 bytes)...
+Quote verified successfully: Ok
+mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
+mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677
+reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+```
+
+On an outdated machine, this might look like this:
+
+```bash
+❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \
+                matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \
+                | base64 -d --ignore-garbage \
+                | docker run -i --init --rm --net host \
+                -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \
+                matterlabsrobot/verify-attestation-sgx-dcap:latest
+
+aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
+Gramine is starting. Parsing TOML manifest file, this may take some time...
+Verifying quote (4600 bytes)...
+Quote verification result: OutOfDate: Firmware needs to be updated
+	Info: Advisory ID: INTEL-SA-00614
+	Info: Advisory ID: INTEL-SA-00617
+	Info: Advisory ID: INTEL-SA-00289
+	Info: Advisory ID: INTEL-SA-00657
+	Info: Advisory ID: INTEL-SA-00767
+	Info: Advisory ID: INTEL-SA-00828
+	Info: Advisory ID: INTEL-SA-00615
+Quote verified successfully: OutOfDate: Firmware needs to be updated
+mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
+mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677
+reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+```