From 9f760da23ee39bed26bdf61de62c7eb341feb678 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Fri, 8 Mar 2024 12:29:33 +0100 Subject: [PATCH] docs: add bin/tee-self-attestation-test/README.md Signed-off-by: Harald Hoyer --- bin/tee-self-attestation-test/README.md | 74 +++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 bin/tee-self-attestation-test/README.md diff --git a/bin/tee-self-attestation-test/README.md b/bin/tee-self-attestation-test/README.md new file mode 100644 index 00000000..9106d591 --- /dev/null +++ b/bin/tee-self-attestation-test/README.md @@ -0,0 +1,74 @@ +# self-attestation-test + +## Azure DCAP + +```bash +❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \ + matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \ + | base64 -d --ignore-garbage \ + | docker run -i --init --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest + +aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. +Gramine is starting. Parsing TOML manifest file, this may take some time... +Verifying quote (4734 bytes)... +Quote verification result: SwHardeningNeeded: Software hardening is needed + Info: Advisory ID: INTEL-SA-00615 +Quote verified successfully: SwHardeningNeeded: Software hardening is needed +mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d +mrenclave: 23267adf8144a195ede71425c50529ac8fd1aa896fe91786c28406854f246ab9 +reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +``` + +## PCCS DCAP + +Install iptables rules to forward traffic to 127.0.0.1:8081 to the PCCS server. + +```bash +❯ sudo sysctl -w net.ipv4.conf.all.route_localnet=1 +❯ sudo iptables -t nat -A OUTPUT -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081 +❯ sudo iptables -t nat -A POSTROUTING -j MASQUERADE +``` + +```bash +❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \ + matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ + | base64 -d --ignore-garbage \ + | docker run -i --init --rm --net host \ + -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \ + matterlabsrobot/verify-attestation-sgx-dcap:latest + +aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. +Gramine is starting. Parsing TOML manifest file, this may take some time... +Verifying quote (4730 bytes)... +Quote verified successfully: Ok +mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d +mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677 +reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +``` + +On an outdated machine, this might look like this: + +```bash +❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \ + matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ + | base64 -d --ignore-garbage \ + | docker run -i --init --rm --net host \ + -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \ + matterlabsrobot/verify-attestation-sgx-dcap:latest + +aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. +Gramine is starting. Parsing TOML manifest file, this may take some time... +Verifying quote (4600 bytes)... +Quote verification result: OutOfDate: Firmware needs to be updated + Info: Advisory ID: INTEL-SA-00614 + Info: Advisory ID: INTEL-SA-00617 + Info: Advisory ID: INTEL-SA-00289 + Info: Advisory ID: INTEL-SA-00657 + Info: Advisory ID: INTEL-SA-00767 + Info: Advisory ID: INTEL-SA-00828 + Info: Advisory ID: INTEL-SA-00615 +Quote verified successfully: OutOfDate: Firmware needs to be updated +mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d +mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677 +reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +```