App shield agent attestation failure

I recently learned about the App Shield API and tried to run the App Shield agent.
I followed the app shield agent steps in the documentation and tested with the apache service process.
However, it keeps failing due to attestation failure.

root@localhost:/home/ubuntu/apsh# ./doca_app_shield_agent -p 2270 -e hash.zip -m mem_regions.json -o symbols.json -f MT2125X06703MLNXS0D0F0VF1 -d mlx5_0 -t 3 -s linux
[11:02:13:332792][DOCA][INF][APSH_APP:114]: start attestation on pid=2270
[11:02:14:284910][DOCA][INF][APSH_APP:144]: attestation failed

There is no more information than the log above, even if I increase the log level, and also, no telemetry file is output.

Is there any solution to solve this problem?
Or is there a process condition for the app shield agent to work?

Also, if I test with PF1, it fails to open the representor device.

root@localhost:/home/ubuntu/apsh# ./doca_app_shield_agent -p 2270 -e hash.zip -m mem_regions.json -o symbols.json -f MT2125X06703MLNXS0D0F1VF1 -d mlx5_0 -t 3 -s linux
[11:03:38:245879][DOCA][ERR][COMMON:197]: Matching device not found.
[11:03:38:258364][DOCA][ERR][APSH_APP::Core:441]: Failed to open representor device
[11:03:38:258406][DOCA][ERR][APSH_APP:80]: Failed to init application: Requested Resource Not Found

Is there any relation between PF1 failure and attestation failure of PF0VF1?

I figured out how to view the telemetry service and found that the initial attestation succeeded.
I’m now thinking there may be a bug in the attestation.

For the test, I disabled the attestation checking logic and printed the values involved in the check (DOCA_APSH_ATTESTATION_PAGES_PRESENT, DOCA_APSH_ATTESTATION_MATCHING_HASHES, and additionally, DOCA_APSH_ATTESTATION_PAGES_NUMBER).
I also printed DOCA_APSH_ATTESTATION_PATH_OF_MEMORY_AREA and a “hash data is not present” message when DOCA_APSH_ATTESTATION_HASH_DATA_IS_PRESENT is false.

This is the log of one attestation iteration of the sshd process with the above conditions.
A few lines of the log have been omitted for ease of understanding.

[17:18:59:410809][DOCA][INF][APSH_APP:121]: start attestation on pid=2164
[17:18:59:661111][DOCA][INF][APSH_APP:132]: runtime_file_ind: 0, att_count: 62
[17:18:59:661224][DOCA][INF][APSH_APP:137]: page_number: 189, page_present: 145, matching_hashes: 145
[17:18:59:661251][DOCA][INF][APSH_APP:140]: path of memory area: sshd
[17:18:59:661299][DOCA][INF][APSH_APP:132]: runtime_file_ind: 1, att_count: 62
[17:18:59:661323][DOCA][INF][APSH_APP:137]: page_number: 3, page_present: 3, matching_hashes: 3
[17:18:59:661345][DOCA][INF][APSH_APP:140]: path of memory area: sshd
[17:18:59:661391][DOCA][INF][APSH_APP:132]: runtime_file_ind: 2, att_count: 62
[17:18:59:661418][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:661446][DOCA][INF][APSH_APP:140]: path of memory area: libnss_files-2.27.so
[17:18:59:661491][DOCA][INF][APSH_APP:132]: runtime_file_ind: 3, att_count: 62
[17:18:59:661515][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:661558][DOCA][INF][APSH_APP:140]: path of memory area: libnss_nis-2.27.so
[17:18:59:661608][DOCA][INF][APSH_APP:132]: runtime_file_ind: 4, att_count: 62
[17:18:59:661627][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:661652][DOCA][INF][APSH_APP:140]: path of memory area: libnss_compat-2.27.so
[17:18:59:661697][DOCA][INF][APSH_APP:132]: runtime_file_ind: 5, att_count: 62
[17:18:59:661721][DOCA][INF][APSH_APP:137]: page_number: 20, page_present: 16, matching_hashes: 0
[17:18:59:661745][DOCA][INF][APSH_APP:140]: path of memory area: libgpg-e
[17:18:59:661790][DOCA][INF][APSH_APP:147]: hash data is not present
[17:18:59:661813][DOCA][INF][APSH_APP:132]: runtime_file_ind: 6, att_count: 62
[17:18:59:661835][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 0
[17:18:59:661858][DOCA][INF][APSH_APP:140]: path of memory area: libgpg-e
[17:18:59:661905][DOCA][INF][APSH_APP:147]: hash data is not present
[17:18:59:661930][DOCA][INF][APSH_APP:132]: runtime_file_ind: 7, att_count: 62
[17:18:59:661954][DOCA][INF][APSH_APP:137]: page_number: 23, page_present: 15, matching_hashes: 15
[17:18:59:661977][DOCA][INF][APSH_APP:140]: path of memory area: libresolv-2.27.so
[17:18:59:662026][DOCA][INF][APSH_APP:132]: runtime_file_ind: 8, att_count: 62
[17:18:59:662049][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:662078][DOCA][INF][APSH_APP:140]: path of memory area: libresolv-2.27.so

[17:18:59:664154][DOCA][INF][APSH_APP:132]: runtime_file_ind: 30, att_count: 62
[17:18:59:664178][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:664203][DOCA][INF][APSH_APP:140]: path of memory area: libcap-ng.so.0.0.0
[17:18:59:664254][DOCA][INF][APSH_APP:132]: runtime_file_ind: 31, att_count: 62
[17:18:59:664277][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:664301][DOCA][INF][APSH_APP:140]: path of memory area: libnsl-2.27.so
[17:18:59:664349][DOCA][INF][APSH_APP:132]: runtime_file_ind: 32, att_count: 62
[17:18:59:664374][DOCA][INF][APSH_APP:137]: page_number: 487, page_present: 417, matching_hashes: 0
[17:18:59:664401][DOCA][INF][APSH_APP:140]: path of memory area: libc-2.2
[17:18:59:664445][DOCA][INF][APSH_APP:147]: hash data is not present
[17:18:59:664471][DOCA][INF][APSH_APP:132]: runtime_file_ind: 33, att_count: 62
[17:18:59:664494][DOCA][INF][APSH_APP:137]: page_number: 4, page_present: 4, matching_hashes: 0
[17:18:59:664517][DOCA][INF][APSH_APP:140]: path of memory area: libc-2.2
[17:18:59:664563][DOCA][INF][APSH_APP:147]: hash data is not present
[17:18:59:664584][DOCA][INF][APSH_APP:132]: runtime_file_ind: 34, att_count: 62
[17:18:59:664607][DOCA][INF][APSH_APP:137]: page_number: 3, page_present: 3, matching_hashes: 3
[17:18:59:664630][DOCA][INF][APSH_APP:140]: path of memory area: libcom_err.so.2.1
[17:18:59:664682][DOCA][INF][APSH_APP:132]: runtime_file_ind: 35, att_count: 62
[17:18:59:664705][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:664733][DOCA][INF][APSH_APP:140]: path of memory area: libcom_err.so.2.1

[17:18:59:666741][DOCA][INF][APSH_APP:132]: runtime_file_ind: 58, att_count: 62
[17:18:59:666762][DOCA][INF][APSH_APP:137]: page_number: 41, page_present: 41, matching_hashes: 41
[17:18:59:666791][DOCA][INF][APSH_APP:140]: path of memory area: ld-2.27.so
[17:18:59:666835][DOCA][INF][APSH_APP:132]: runtime_file_ind: 59, att_count: 62
[17:18:59:666858][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:666880][DOCA][INF][APSH_APP:140]: path of memory area: ld-2.27.so
[17:18:59:666923][DOCA][INF][APSH_APP:132]: runtime_file_ind: 60, att_count: 62
[17:18:59:666946][DOCA][INF][APSH_APP:137]: page_number: 3, page_present: 1, matching_hashes: 0
[17:18:59:666968][DOCA][INF][APSH_APP:140]: path of memory area: Anonymous Mapping
[17:18:59:667011][DOCA][INF][APSH_APP:132]: runtime_file_ind: 61, att_count: 62
[17:18:59:667034][DOCA][INF][APSH_APP:137]: page_number: 1, page_present: 1, matching_hashes: 1
[17:18:59:667056][DOCA][INF][APSH_APP:140]: path of memory area: vdso
[17:18:59:667099][DOCA][INF][APSH_APP:156]: telemetry enabled
[17:18:59:667138][DOCA][INF][APSH_APP:173]: attestation pass

DOCA_APSH_ATTESTATION_MATCHING_HASHES shows the value 0 (runtime_file_ind: 5, 6, 32, 33, 60), and this causes the attestation checking logic to fail and break the loop.
For runtime_file_ind 5, 6, 32, 33, DOCA_APSH_ATTESTATION_HASH_DATA_IS_PRESENT is false, which means there is no hash data for the attestation, and DOCA_APSH_ATTESTATION_PATH_OF_MEMORY_AREA shows an invalid lib name.
For example, runtime_file_ind 5 and 6 indicate libgpg-e for the path of memory area, but the correct lib name is libgpg-error.so.0.22.0.
This can be checked in the /proc//maps file and in the hash.zip file.
(I have no clue about runtime_file_ind 60, which shows “Anonymous Mapping” for the path of memory area.)

Therefore, I inferred that the hash could not be retrieved because the path of memory area and the library in hash.zip do not match by name, and this causes the matching hashes to be 0.
Is there any way to fix this bug, or can this bug be fixed?
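
An added example (not part of the original post and not DOCA code): a small Python triage script that parses debug output in the format printed above, lists the regions where matching_hashes is below page_present, and reports which known file names the logged path is a strict prefix of. The function names, the `matching < present` failure rule, and the `KNOWN_NAMES` list (including `libc-2.27.so`) are assumptions for illustration; in practice the names would be read from the process's maps file or from hash.zip.

```python
import re

# Lines copied from the log in the post above (a subset of the regions).
SAMPLE_LOG = """\
[17:18:59:661299][DOCA][INF][APSH_APP:132]: runtime_file_ind: 1, att_count: 62
[17:18:59:661323][DOCA][INF][APSH_APP:137]: page_number: 3, page_present: 3, matching_hashes: 3
[17:18:59:661345][DOCA][INF][APSH_APP:140]: path of memory area: sshd
[17:18:59:661697][DOCA][INF][APSH_APP:132]: runtime_file_ind: 5, att_count: 62
[17:18:59:661721][DOCA][INF][APSH_APP:137]: page_number: 20, page_present: 16, matching_hashes: 0
[17:18:59:661745][DOCA][INF][APSH_APP:140]: path of memory area: libgpg-e
[17:18:59:661790][DOCA][INF][APSH_APP:147]: hash data is not present
[17:18:59:664349][DOCA][INF][APSH_APP:132]: runtime_file_ind: 32, att_count: 62
[17:18:59:664374][DOCA][INF][APSH_APP:137]: page_number: 487, page_present: 417, matching_hashes: 0
[17:18:59:664401][DOCA][INF][APSH_APP:140]: path of memory area: libc-2.2
[17:18:59:664445][DOCA][INF][APSH_APP:147]: hash data is not present
[17:18:59:666923][DOCA][INF][APSH_APP:132]: runtime_file_ind: 60, att_count: 62
[17:18:59:666946][DOCA][INF][APSH_APP:137]: page_number: 3, page_present: 1, matching_hashes: 0
[17:18:59:666968][DOCA][INF][APSH_APP:140]: path of memory area: Anonymous Mapping
"""
# Assumed list of mapped file names (constructed; stands in for maps / hash.zip).
KNOWN_NAMES = ["sshd", "libgpg-error.so.0.22.0", "libc-2.27.so", "ld-2.27.so"]

IND = re.compile(r"runtime_file_ind: (\d+)")
PAGES = re.compile(r"page_present: (\d+), matching_hashes: (\d+)")
PATH = re.compile(r"path of memory area: (.+)$")

def parse_regions(log):
    regions, cur = [], {}  # lines before the first region go to a throwaway dict
    for line in log.splitlines():
        if m := IND.search(line):
            cur = {"ind": int(m.group(1)), "path": "", "present": 0,
                   "matching": 0, "hash_data": True}
            regions.append(cur)
        elif m := PAGES.search(line):
            cur["present"], cur["matching"] = int(m.group(1)), int(m.group(2))
        elif m := PATH.search(line):
            cur["path"] = m.group(1).strip()
        elif "hash data is not present" in line:
            cur["hash_data"] = False
    return regions

def failing_regions(regions, known_names):
    # Returns (index, logged path, hash data present, names the path is a prefix of).
    out = []
    for r in regions:
        if r["matching"] < r["present"]:
            p = r["path"]
            cands = [n for n in known_names if p and n != p and n.startswith(p)]
            out.append((r["ind"], p, r["hash_data"], cands))
    return out
```

A region with no hash data and a non-empty candidate list is consistent with a shortened path name; a region such as index 60, with hash data present and no candidates, needs a separate explanation.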