Looking for help with Graphene Shielded Containers - examples fail with connect_aesmd error 30


Marohn, Byron

May 18, 2021, 2:44:15 AM5/18/21
to sup...@graphene-project.io

Hi, I’m trying to get graphene shielded containers (GSC) working on a bleeding-edge system and having trouble, I believe with software config.

Basic problem is that I’m unable to run any of the GSC examples. For example:

```
cd graphene/Tools/gsc/test
make INTEL_SGX_DEVICE=sgx/enclave ADDITIONAL_DEVICES= test-1-ubuntu18.04
```


This builds the images fine, but they fail to run:

```
docker run  --device=/dev/sgx/enclave  --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc-ubuntu18.04-python3 -c 'print("HelloWorld!")' 2>&1 | tee out
+ '[' -z '' ']'
+ GSC_PAL=Linux-SGX
+ /graphene/python/graphene-sgx-get-token -output /entrypoint.token -sig /entrypoint.sig
Attributes:
    mr_enclave:  8ff749344b09bee1452b44db5b1fb7e35473802a9a1a41b7c54820606dffaef3
    mr_signer:   3fdd47e2c09356301d810349b9e04b4132624a6dc0e4ae86d7c5f5e726a904f4
    isv_prod_id: 0
    isv_svn:     0
    attr.flags:  0600000000000000
    attr.xfrm:   e702000000000000
    misc_select: 00000000
    misc_mask:   00000000
    modulus:     79c5133e354983e08dab48c019c90508...
    exponent:    3
    signature:   a6ba381a40441854ca62067199f30c12...
    date:        2021-05-18
Traceback (most recent call last):
  File "/graphene/python/graphene-sgx-get-token", line 5, in <module>
    sys.exit(main())
  File "/graphene/python/graphenelibos/sgx_get_token.py", line 205, in main
    token = connect_aesmd(attr)
  File "/graphene/python/graphenelibos/sgx_get_token.py", line 126, in connect_aesmd
    raise Exception(f'Failed. (Error Code = {ret_msg.ret.error})')
Exception: Failed. (Error Code = 30)
grep -q "HelloWorld!" out
make: *** [Makefile:122: test-1-ubuntu18.04] Error 1
```

Any help would be greatly appreciated. I suspect I’m just not passing something to the docker container that I need to. Thanks!


System is:
- Ubuntu 20.04
- 5.11 stock Ubuntu ppa kernel (5.11.0-051100-generic).
- Hardware should be latest/greatest SGX support (DCAP enabled, I think?)
- Graphene build from May 13 - 8c7ac33f80d403b388248ea7827996cb0cc74019

I’ve also tried cleaning and testing with INTEL_SGX_DEVICE=sgx_enclave, with the same result. I’m not using the /dev/isgx driver, which I believe was old / prior to in-kernel support (?).

I’m able to run both SGX SDK and graphene sample applications on the host without problem. The aesmd service is running on the host, and the /var/run/aesmd/aesm.socket exists. I am running this from within a corporate environment (Intel), but I don’t know how/where the container would even need to be aware of this since it’s using the host’s aesmd service?

Output from other working SGX-enabled apps:

```
cd graphene/Examples/bash
graphene-sgx ./bash -c "ls"
error: Using insecure argv source. Graphene will continue application execution, but this configuration must not be used in production!
Makefile
README.md
bash.manifest
bash.manifest.sgx
bash.sig
bash.token
dev
lib
manifest.template
proc
scripts
sys
```

```
source /opt/intel/sgxsdk/environment
cd ~/linux-sgx/SampleCode/LocalAttestation
make clean
make
cd bin
./app
succeed to load enclaves.
succeed to establish secure channel.
Succeed to exchange secure message...
Succeed to close Session...
```

Thanks again,

-Byron

Kuvaiskii, Dmitrii

May 18, 2021, 3:03:20 AM5/18/21
to Marohn, Byron, sup...@graphene-project.io

Dear Byron,

GSC needs to know what Intel SGX driver to expect on your host system. Currently, you don’t specify anything during “make”, so GSC uses the default value: https://github.com/oscarlab/graphene/blob/ede48f27cc701b7b8c99564da172276723f32503/Tools/gsc/test/Makefile#L10

This default value happens to be the “legacy” Intel SGX driver (which corresponds to /dev/isgx). This is *not* what you want. You seem to use the in-kernel SGX driver.

For this, you need to tell make to use the right values. The right values are described here: https://github.com/oscarlab/graphene/blob/ede48f27cc701b7b8c99564da172276723f32503/Tools/gsc/config.yaml.template#L11

So in your case, you should simply specify empty values for SGXDRIVER_REPO and SGXDRIVER_BRANCH. Then Graphene and GSC will expect the modern in-kernel SGX driver. So your make command line should be like this:

```
make SGXDRIVER_REPO= SGXDRIVER_BRANCH= INTEL_SGX_DEVICE=sgx/enclave ADDITIONAL_DEVICES= test-1-ubuntu18.04
```

Hope this helps.
--

Dmitrii

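The fix above comes down to matching GSC's make variables to the SGX driver the host actually exposes. The following probe script is an added example (not part of Graphene or GSC) that makes that check explicit: it looks at which device node exists and prints the make variables and the `docker run` device/socket flags that go with it. Assumptions not stated in the thread: the mapping of `/dev/sgx_enclave` and `/dev/sgx/enclave` to the in-kernel driver and `/dev/isgx` to the legacy driver, that the out-of-tree DCAP driver registers a kernel module named `intel_sgx` (used to tell it apart from the in-kernel driver when both expose `/dev/sgx/enclave`), that the legacy case also takes an empty `ADDITIONAL_DEVICES`, and the optional root-prefix argument, which exists only so the functions can be exercised against a constructed directory tree instead of the real `/dev`.

```shell
#!/bin/sh
# Added example, not GSC's own code: probe which Intel SGX driver a host
# exposes and print the GSC make variables / docker flags that match it.
# Every function takes an optional root prefix ("" for the real host) so it
# can be run against a constructed directory tree; that is an assumption of
# this example, not a GSC interface.

# Device node -> driver flavour (assumed mapping):
#   /dev/sgx_enclave  in-kernel driver (upstream 5.11+ naming)
#   /dev/sgx/enclave  in-kernel driver (earlier naming), or the out-of-tree
#                     DCAP driver, which also registers module "intel_sgx"
#   /dev/isgx         legacy out-of-tree linux-sgx-driver
# Prints "<kind> <node-under-/dev>"; returns 1 when no SGX node is found.
sgx_driver_flavor() {
    root="${1:-}"
    if [ -e "$root/dev/sgx_enclave" ]; then
        echo "in-kernel sgx_enclave"
    elif [ -e "$root/dev/sgx/enclave" ]; then
        if [ -d "$root/sys/module/intel_sgx" ]; then
            echo "dcap sgx/enclave"
        else
            echo "in-kernel sgx/enclave"
        fi
    elif [ -e "$root/dev/isgx" ]; then
        echo "legacy isgx"
    else
        echo "none"
        return 1
    fi
}

# Make variables for Tools/gsc/test. Per the thread, empty SGXDRIVER_REPO and
# SGXDRIVER_BRANCH select the in-kernel driver. For the legacy driver the
# Makefile defaults are left alone (empty ADDITIONAL_DEVICES is assumed here);
# the out-of-tree DCAP driver needs repo/branch values from
# Tools/gsc/config.yaml.template, so that case is reported instead of guessed.
gsc_make_args() {
    flavor=$(sgx_driver_flavor "$1") || return 1
    set -- $flavor   # word-split on purpose: $1 = kind, $2 = node under /dev
    case "$1" in
        in-kernel)
            echo "SGXDRIVER_REPO= SGXDRIVER_BRANCH= INTEL_SGX_DEVICE=$2 ADDITIONAL_DEVICES=" ;;
        legacy)
            echo "INTEL_SGX_DEVICE=$2 ADDITIONAL_DEVICES=" ;;
        dcap)
            echo "out-of-tree DCAP driver: set SGXDRIVER_REPO/SGXDRIVER_BRANCH from Tools/gsc/config.yaml.template" >&2
            return 2 ;;
    esac
}

# docker run flags: pass the enclave device through and bind-mount the host's
# aesmd socket, exactly as the thread's run command does.
gsc_docker_args() {
    flavor=$(sgx_driver_flavor "$1") || return 1
    set -- $flavor
    echo "--device=/dev/$2 --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket"
}

# True when the aesmd socket the container will bind-mount exists on the host.
aesmd_socket_present() {
    [ -S "${1:-}/var/run/aesmd/aesm.socket" ]
}

# Stand-alone use against the real host:  GSC_PROBE=1 sh gsc-probe.sh
if [ "${GSC_PROBE:-}" = 1 ]; then
    gsc_make_args "" && gsc_docker_args "" \
        && { aesmd_socket_present "" \
             || echo "warning: /var/run/aesmd/aesm.socket missing on host" >&2; }
fi
```

Running it on Byron's host (in-kernel driver, `/dev/sgx/enclave`) prints the same `SGXDRIVER_REPO= SGXDRIVER_BRANCH= INTEL_SGX_DEVICE=sgx/enclave ADDITIONAL_DEVICES=` arguments Dmitrii recommends; the point of the check is that a host where `/dev/isgx` exists would silently match GSC's default instead, and a missing aesmd socket would reproduce the token-fetch failure even with the right driver.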

Marohn, Byron

May 18, 2021, 4:58:06 PM5/18/21
to Kuvaiskii, Dmitrii, sup...@graphene-project.io

Awesome, this works! Thanks for your help, Dmitrii. Now to try to get my own application working… 😊

-Byron
