Failed to get quote config. Error code is 0xb033

[isha42zzz]

Describe the bug
tdx guest:

root@tdx-guest:/usr/share/doc/libtdx-attest-dev/examples# ./test_tdx_attest 

                TDX report data

 00000000: 8b 40 ec a6 2d a1 14 71 5e db 83 20 4b 39 0d 99
 00000010: 84 65 a3 e9 c7 47 d8 d9 53 78 d5 17 a0 7a 16 2b
 00000020: bb 02 d1 e8 a3 e5 59 01 c1 dc 21 0c 15 2f a5 99
 00000030: 94 48 82 5c 8f 5a 35 e2 d3 0a fa 73 85 10 9e 40

Wrote TD Report to report.dat

Failed to get the quote

System report
Please run the system-report.sh script (located in the root directory of this repo) on your host system and copy the output below.

root@user-S627G5:~/tdx# sudo ./system-report.sh
If you are running this for reporting an issue on GitHub,
copy all output between the markers below.

<======== COPY BELOW HERE ========>

Git ref

1c9ca3964b617ed2be13b47869df7663c4bd8e5f

Operating system details

Distributor ID: Ubuntu
Description:    Ubuntu 24.04.2 LTS
Release:        24.04
Codename:       noble

Kernel version

6.8.0-1028-intel #35-Ubuntu SMP PREEMPT_DYNAMIC Fri May 23 17:34:54 UTC 2025 x86_64 x86_64 GNU/Linux

TDX kernel logs

[    1.368537] virt/tdx: BIOS enabled: private KeyID range [64, 128)
[    1.368539] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[   13.862277] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20231008, build_num 595
[   13.862283] virt/tdx: CMR: [0x100000, 0x77800000)
[   13.862286] virt/tdx: CMR: [0x100000000, 0x106e000000)
[   14.064913] virt/tdx: 262664 KB allocated for PAMT
[   14.064923] virt/tdx: module initialized
...
[    1.368537] virt/tdx: BIOS enabled: private KeyID range [64, 128)
[    1.368539] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[   13.862277] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20231008, build_num 595
[   13.862283] virt/tdx: CMR: [0x100000, 0x77800000)
[   13.862286] virt/tdx: CMR: [0x100000000, 0x106e000000)
[   14.064913] virt/tdx: 262664 KB allocated for PAMT
[   14.064923] virt/tdx: module initialized

TDX CPU instruction support

CPU supports TDX according to /proc/cpuinfo

Model specific registers (MSRs)

MK_TME_ENABLED bit: 1 (expected value: 1)
SEAM_RR bit: 1 (expected value: 1)
NUM_TDX_PRIV_KEYS: 40
SGX_AND_MCHECK_STATUS: 0 (expected value: 0)
Production platform: Production (expected value: Production)

CPU details

 INTEL(R) XEON(R) SILVER 4510

QEMU package details

Status: Installed
Package: qemu-system-x86
Version: 2:8.2.2+ds-0ubuntu1.4+tdx1.1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

Libvirt package details

Status: Installed
Package: libvirt-clients
Version: 10.0.0-2ubuntu8.3+tdx1.2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

OVMF package details

Status: Installed
Package: ovmf
Version: 2024.02-3+tdx1.0
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-release/ubuntu noble/main amd64 Packages

sgx-dcap-pccs package details

Status: Installed
Package: sgx-dcap-pccs
Version: 1.21-0ubuntu1
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

tdx-qgs package details

Status: Installed
Package: tdx-qgs
Version: 1.21-0ubuntu2.2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

sgx-ra-service package details

Status: Installed
Package: sgx-ra-service
Version: 1.21-0ubuntu2.2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages
Description: Intel(R) Software Guard Extensions Multi-Package Registration Agent Service

sgx-pck-id-retrieval-tool package details

Status: Installed
Package: sgx-pck-id-retrieval-tool
Version: 1.21-0ubuntu2.2
APT-Sources: https://ppa.launchpadcontent.net/kobuk-team/tdx-attestation-release/ubuntu noble/main amd64 Packages

QGSD service status

● qgsd.service - Intel(R) TD Quoting Generation Service
     Loaded: loaded (/usr/lib/systemd/system/qgsd.service; enabled; preset: enabled)
     Active: active (running) since Sat 2025-09-27 14:08:31 CST; 54min ago
    Process: 1318 ExecStartPre=/bin/chown -R qgsd:qgsd /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
    Process: 1342 ExecStartPre=/bin/chmod 0750 /var/opt/qgsd/ (code=exited, status=0/SUCCESS)
    Process: 1352 ExecStartPre=/usr/share/qgs/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 1387 ExecStart=/usr/bin/qgs (code=exited, status=0/SUCCESS)
   Main PID: 1393 (qgs)
      Tasks: 5 (limit: 76329)
     Memory: 17.5M (peak: 18.4M)
        CPU: 729ms
     CGroup: /system.slice/qgsd.service
             └─1393 /usr/bin/qgs

Sep 27 15:01:17 user-S627G5 qgsd[1393]: call tee_att_init_quote
Sep 27 15:01:17 user-S627G5 qgsd[1393]: [QCNL] Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK
Sep 27 15:01:17 user-S627G5 qgsd[1393]: [QPL] Failed to get quote config. Error code is 0xb033
Sep 27 15:01:17 user-S627G5 qgsd[1393]: [get_platform_quote_cert_data ../td_ql_logic.cpp:302] Error returned from the p_sgx_get_quote_config API. 0xe065
Sep 27 15:01:17 user-S627G5 qgsd[1393]: tee_att_init_quote return 0x11001
Sep 27 15:01:17 user-S627G5 qgsd[1393]: tee_att_get_quote_size return 0x1100f
Sep 27 15:01:17 user-S627G5 qgsd[1393]: Return from get_resp
Sep 27 15:01:17 user-S627G5 qgsd[1393]: About to write response in thread [7245943fd6c0]
Sep 27 15:01:17 user-S627G5 qgsd[1393]: About to shutdown and close socket
Sep 27 15:01:17 user-S627G5 qgsd[1393]: erased a connection, now [0]

PCCS service status

● pccs.service - Provisioning Certificate Caching Service (PCCS)
     Loaded: loaded (/usr/lib/systemd/system/pccs.service; enabled; preset: enabled)
     Active: active (running) since Sat 2025-09-27 14:40:33 CST; 22min ago
       Docs: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
   Main PID: 3787 (node)
      Tasks: 15 (limit: 76329)
     Memory: 45.5M (peak: 59.4M)
        CPU: 1.838s
     CGroup: /system.slice/pccs.service
             └─3787 /usr/bin/node /opt/intel/sgx-dcap-pccs/pccs_server.js

Sep 27 14:40:33 user-S627G5 systemd[1]: Started pccs.service - Provisioning Certificate Caching Service (PCCS).
Sep 27 14:40:34 user-S627G5 node[3787]: 2025-09-27 14:40:34.694 [info]: HTTPS Server is running on: https://localhost:8081

MPA registration logs (last 30 lines)

[25-09-2025 04:56:01] INFO: SGX Registration Agent version: 1.21.100.3
[25-09-2025 04:56:01] INFO: Starts Registration Agent Flow.
[25-09-2025 04:56:01] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[25-09-2025 04:56:01] INFO: Finished Registration Agent Flow.
[25-09-2025 06:03:47] INFO: SGX Registration Agent version: 1.21.100.3
[25-09-2025 06:03:47] INFO: Starts Registration Agent Flow.
[25-09-2025 06:03:47] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[25-09-2025 06:03:47] INFO: Finished Registration Agent Flow.
[26-09-2025 02:22:48] INFO: SGX Registration Agent version: 1.21.100.3
[26-09-2025 02:22:48] INFO: Starts Registration Agent Flow.
[26-09-2025 02:22:48] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[26-09-2025 02:22:48] INFO: Finished Registration Agent Flow.
[27-09-2025 11:18:52] INFO: SGX Registration Agent version: 1.21.100.3
[27-09-2025 11:18:52] INFO: Starts Registration Agent Flow.
[27-09-2025 11:18:52] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[27-09-2025 11:18:52] INFO: Finished Registration Agent Flow.
[27-09-2025 01:43:04] INFO: SGX Registration Agent version: 1.21.100.3
[27-09-2025 01:43:04] INFO: Starts Registration Agent Flow.
[27-09-2025 01:43:04] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[27-09-2025 01:43:04] INFO: Finished Registration Agent Flow.
[27-09-2025 02:09:31] INFO: SGX Registration Agent version: 1.21.100.3
[27-09-2025 02:09:31] INFO: Starts Registration Agent Flow.
[27-09-2025 02:09:31] INFO: Registration Flow - Registration status indicates registration is completed successfully. MPA has nothing to do.
[27-09-2025 02:09:31] INFO: Finished Registration Agent Flow.

<======== COPY ABOVE HERE ========>
root@user-S627G5:~/tdx#

[syncronize-issues-to-jira]

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-2246.

This message was autogenerated

[BFuhry]

Most certainly, your issue is related to the error [QCNL] Encountered CURL error: (60) SSL peer certificate or SSH remote key was not OK, which is reported in the QGL log.
Make sure that the QGL is configured properly to reach PCCS (see https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/05/host_os_setup/#configure-qcnl for additional details).