keystone-demo with firesim


Jason Kang

Apr 19, 2020, 8:46:16 PM
to Keystone Enclave Forum
Hi,

May I know whether the keystone-demo works in firesim? Is there any documentation, or has anyone tried it and can help provide the steps to run the keystone-demo in firesim? Thanks.

keystone-demo: This demo includes a small enclave server that is capable of remote attestation, secure channel creation, and performing a simple word-counting computation securely.

David William Kohlbrenner

Apr 20, 2020, 1:19:24 PM
to Jason Kang, Keystone Enclave Forum
Hi Jason,
Unfortunately we don't have any instructions for this, and I haven't run it in firesim before.

It should be entirely possible to run identically to how it runs in QEMU.
You should need only to ensure that the generated keystone-demo files are included in the image used in firesim.

The automatically generated measurement for the SM may not work.
You can either run the demo with the no fail mode (ignoring invalid SM measurements) or gather the hash yourself from a failed run, and rebuild the client with the new hash.

-David

--
You received this message because you are subscribed to the Google Groups "Keystone Enclave Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keystone-enclave-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keystone-enclave-forum/2b2338d2-86f2-4d68-98c0-33fb8dfdffa2%40googlegroups.com.

Jason Kang

Apr 21, 2020, 2:49:08 AM
to Keystone Enclave Forum
Hi David,

I have generated the image and tried to run it in firesim with --ignore-valid. However, it hangs after [SE] NOT USING REAL RANDOMNESS: TEST ONLY.

May I know how to gather the hash from a failed run, and rebuild the client with the new hash? Thanks.




David William Kohlbrenner

Apr 21, 2020, 8:22:03 PM
to Jason Kang, Keystone Enclave Forum
Hi Jason,
It isn't entirely clear from the screenshot if it hung after [SE] NOT USING REAL RANDOMNESS: TEST ONLY, since you then get a complete channel establishment message after that.
If it is actually hanging between those two, I'll need to debug that myself. That behavior is unexpected.

Can you confirm that those binaries work in qemu?
I just double checked that a clean build of keystone-demo runs in our dev branches in QEMU at least.

RE: getting the hash. After a complete connection is set up (failed or not) it will dump out the report information like:

[SE] NOT USING REAL RANDOMNESS: TEST ONLY
                === Security Monitor ===
Hash: 2f1b225ec135a7a2071b1a4c1bc2edef4caaa9979d64751ea89238476a06e3417df0d4b671167ad11519e2af2703fe944fc45a366bae0047594d7a71434425e0
Pubkey: 7716a47955ea4a1d31caa09902afaa06083051b6400500e4ca0fd94066251d3c
Signature: bd54bce75c75e30bee458d5dcf6413e1b8c82555ba03f2ad1469a30fd8083f42802fc28dca6b8fe47475bf4c9af993e3b809de8e76af2a6a112850b56e9f6c0f                       

That said, the issue you are having is unrelated to rebuilding with the correct hash.

-David      
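
David's replies describe gathering the SM hash from the report dump and rebuilding the client with the new hash. The following is an added example, not part of the thread and not keystone-demo code: it parses a console capture in the format quoted above, compares the dumped hash with a pinned value, and renders the bytes as a C initializer. The sample capture is constructed, and `sm_expected_hash` is a hypothetical variable name.

```python
import hmac
import re

# Hex lengths of each field, as seen in the dump quoted in the thread.
FIELD_HEX_LEN = {"Hash": 128, "Pubkey": 64, "Signature": 128}
SECTION_RE = re.compile(r"^\s*=== (.+?) ===\s*$")
FIELD_RE = re.compile(r"^\s*(Hash|Pubkey|Signature):\s*(\S+)\s*$")

def parse_report_dump(console_text):
    """Return {section: {field: bytes}} for each '=== name ===' block."""
    sections, current = {}, None
    for line in console_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, val = m.groups()
            if len(val) != FIELD_HEX_LEN[key]:
                raise ValueError(f"{key}: truncated or padded ({len(val)} hex chars)")
            current[key] = bytes.fromhex(val)  # ValueError on non-hex input
    return sections

def sm_hash_matches(sections, pinned_hex):
    """True if the dumped SM hash equals the hash pinned in the client."""
    dumped = sections["Security Monitor"]["Hash"]
    return hmac.compare_digest(dumped, bytes.fromhex(pinned_hex))

def as_c_array(name, data, per_line=16):
    """Render bytes as a C initializer for the client's expected-hash source."""
    rows = [", ".join(f"0x{b:02x}" for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    return (f"unsigned char {name}[{len(data)}] = {{\n  "
            + ",\n  ".join(rows) + "\n};")

# Constructed console capture: the hex values are made up, not from a real run.
SAMPLE = (
    "[SE] NOT USING REAL RANDOMNESS: TEST ONLY\n"
    "                === Security Monitor ===\n"
    f"Hash: {'ab' * 64}\n"
    f"Pubkey: {'cd' * 32}\n"
    f"Signature: {'ef' * 64}   \n"
)
REPORT = parse_report_dump(SAMPLE)
# "sm_expected_hash" is a hypothetical variable name, not taken from the demo.
NEW_PIN = as_c_array("sm_expected_hash", REPORT["Security Monitor"]["Hash"])
```

A mismatch from `sm_hash_matches` on a capture from the new platform means the pinned value is stale for that build of the SM, which is the case where the client has to be rebuilt.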


Jason Kang

Apr 23, 2020, 9:43:43 AM
to Keystone Enclave Forum
Hi David,

The problem is what cmake3 command should I use? I have tried both "cmake3 .." and "cmake3 .. -Dfirsim=y".

1) When I use "cmake3 ..", it works for QEMU but it does not work for firesim. It hangs at "commencing simulation" for firesim.

2) When I used cmake3 .. -Dfiresim=y, it hung after the "[SE] NOT USING REAL RANDOMNESS: TEST ONLY." for both QEMU and Firesim.

My config_runtime.ini is using the following:
topology=no_net_config
no_net_num_nodes=1
defaulthwconfig=firesim-rocket-quadcore-no-nic-l2-llc4mb-ddr3

Jason Kang

Apr 27, 2020, 9:44:17 PM
to Keystone Enclave Forum
Hi David,

I have noticed another issue. When I run the test.ke on firesim, it states that the attestation report is invalid.

However, when I run the same test.ke on qemu, it states that the attestation report is valid.

It seems that there are some issues with keystone attestation on firesim. Can you please help to check the issue?

Thank you.



Dayeol Lee

Apr 27, 2020, 10:45:20 PM
to Jason Kang, Keystone Enclave Forum
Hi Jason,

I think we didn't implement the bootrom for the latest FireSim. Thus, the attestation key must be 0.
Given your log, every test works fine except the attestation.
We haven't implemented it just because there was no strong motivation, but modifying the bootrom would be quite straightforward.

What are you trying to achieve using FireSim?
If you're trying to simulate some RocketChip modifications, I'd proceed with the current setup.
Otherwise, please let me know.

Thanks,
Dayeol



Jason Kang

Apr 30, 2020, 4:35:46 AM
to Keystone Enclave Forum
Hi Dayeol,

I am working on the remote attestation for keystone in firesim.

I have encountered an issue with keystone-demo (remote attestation) in firesim. It seems to stop/hang after the "[SE] NOT USING REAL RANDOMNESS: TEST ONLY." I looked at the code. It seems that it will need to run the script get_attestation.sh. In that case, how does the image bbl, rootfs.ext2 run the get_attestation.sh script in firesim?

For tests.ke, it is local attestation, right? How do I modify the bootrom?

Please advise. Thank you.

Jason Kang

May 3, 2020, 8:39:06 PM
to Keystone Enclave Forum
Hi Dayeol/David,

I am trying to see if I can get keystone-demo to work in firesim.

I have encountered this kernel panic issue when I run it in QEMU. Do you know why? Please advise. Thank you.




David William Kohlbrenner

May 15, 2020, 3:42:29 PM
to Jason Kang, Keystone Enclave Forum
Hi Jason,
Were you able to solve this?
kpanics are not behavior we usually see under any circumstances. Current dev branch runs tests (under qemu and on the hifive) fine on our end.
I don't think we have an update on firesim status for the current dev branch though.

-David


Jason Kang

May 18, 2020, 9:07:53 PM
to Keystone Enclave Forum
Hi David,

No, I am not able to solve it despite trying for a few weeks. Do let me know if you manage to get keystone-demo (remote attestation) working in firesim in future. Thanks.