gsc: Cannot open device /sgx/sgx_enclave

111 views
Skip to first unread message

Shybsmekc Msgrikwd

unread,
Jul 30, 2022, 5:50:52 PMJul 30
to us...@gramineproject.io
Hi, 
I am trying to run a graminized python container but getting this error:

error: Cannot open device /dev/sgx_enclave. Please make sure the Intel SGX kernel module is loaded.
error: load_enclave() failed with error -2

My kernel is Linux 5.15.0-41-generic x86_64 and my host machine is Ubuntu 20.04. Following is the output from is-sgx-available tool:
SGX supported by CPU: true
SGX1 (ECREATE, EENTER, ...): true
SGX2 (EAUG, EACCEPT, EMODPR, ...): false
Flexible Launch Control (IA32_SGXPUBKEYHASH{0..3} MSRs): true
SGX extensions for virtualizers (EINCVIRTCHILD, EDECVIRTCHILD, ESETCONTEXT): false
Extensions for concurrent memory management (ETRACKC, ELDBC, ELDUC, ERDINFO): false
CET enclave attributes support (See Table 37-5 in the SDM): false
Key separation and sharing (KSS) support (CONFIGID, CONFIGSVN, ISVEXTPRODID, ISVFAMILYID report fields): false
Max enclave size (32-bit): 0x80000000
Max enclave size (64-bit): 0x1000000000
EPC size: 0x5e00000
SGX driver loaded: true
AESMD installed: true
SGX PSW/libsgx installed: true

Both /dev/sgx_enclave and /dev/sgx_provision files are present on the host machine. Interestingly, /dev/sgx/enclave and /dev/sgx/provision files are also present. Both sgxsdk and gramine helloworld examples work. Only the gsc is not running. 

Following commands were used to build the image:
1. Created an empty manifest file prior to running the following command. I also used the template config file and only changed the distro to 20.04
./gsc build python python.manifest
2. Signed the image
./gsc sign-image python ~/.config/gramine/enclave-key.pem
3. I checked the signed image with 
./gsc info-image gsc-python
4. But when I try to run the following command, I get the aforementioned error message
docker run gsc-python -c 'print("Hi from enclave")'

Kindly advise. Thank you!

Best regards,
SM

Dmitrii Kuvaiskii

unread,
Aug 1, 2022, 2:53:22 AMAug 1
to Shybsmekc Msgrikwd, us...@gramineproject.io
> 4. But when I try to run the following command, I get the aforementioned error message
docker run gsc-python -c 'print("Hi from enclave")'

This last step is wrong. You need to pass an option to `docker run`
that you forward the `/dev/sgx_enclave` kernel module. See the
examples:
- https://gramine.readthedocs.io/projects/gsc/en/latest/#example (step 7)
- https://hub.docker.com/r/gramineproject/gramine
> --
> You received this message because you are subscribed to the Google Groups "Gramine Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gramine-user...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/CAOe6jBHKjmqyCX9tMKk_JypcviovbA3r9LQXgy%3DYHRFOY0iX5g%40mail.gmail.com.



--
Yours sincerely,
Dmitrii Kuvaiskii
Reply all
Reply to author
Forward
0 new messages