asterinas / trustflow

A privacy-preserving computing system based on TEE.
https://www.secretflow.org.cn/docs/trustedflow
Apache License 2.0

Failed to start CapsuleManager on real hardware #47

Closed zzx-QDU closed 5 months ago

zzx-QDU commented 5 months ago

Hello! I failed to start CapsuleManager on a real machine. The error is:

[2024-04-30 01:09:05.268] [info] [sgx2_generator.cc:102] Start generating sgx2 report
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe019
thread 'main' panicked at capsule-manager/src/main.rs:53:6:
capsule_manager init error: Error { code: InternalErr, details: Some("runified_attestation_generate_auth_report err: \"[Enforce fail at trustedflow/attestation/generation/sgx2/sgx2_generator.cc:115] ioctl(sgx_fd, SGXIOC_GET_DCAP_QUOTE_SIZE, &quote_size) == 0. -1 vs 0.Fail to get quote size, errno = 22\0\""), location: Some(ErrorLocation { line: 198, file: "capsule-manager/src/server.rs" }) }
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

Is this a problem with our setup or with the hardware?

zimu-yuxi commented 5 months ago

Could you share the hardware information?

zzx-QDU commented 5 months ago

Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 46 bits physical, 57 bits virtual
Byte Order: Little Endian
CPU(s): 64
On-line CPU(s) list: 0-63
Vendor ID: GenuineIntel
Model name: Intel(R) Xeon(R) Silver 4314 CPU @ 2.40GHz
CPU family: 6
Model: 106
Thread(s) per core: 2
Core(s) per socket: 16
Socket(s): 2
Stepping: 6
CPU max MHz: 3400.0000
CPU min MHz: 800.0000
BogoMIPS: 4800.00
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 invpcid_single intel_ppin ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust sgx bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb intel_pt avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local split_lock_detect wbnoinvd dtherm ida arat pln pts avx512vbmi umip pku ospke avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg tme avx512_vpopcntdq la57 rdpid sgx_lc fsrm md_clear pconfig flush_l1d arch_capabilities
Virtualization features:
Virtualization: VT-x
Caches (sum of all):
L1d: 1.5 MiB (32 instances)
L1i: 1 MiB (32 instances)
L2: 40 MiB (32 instances)
L3: 48 MiB (2 instances)
NUMA:
NUMA node(s): 2
NUMA node0 CPU(s): 0-15,32-47
NUMA node1 CPU(s): 16-31,48-63
Vulnerabilities:
Gather data sampling: Mitigation; Microcode
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Mitigation; Clear CPU buffers; SMT vulnerable
Retbleed: Not affected
Spec rstack overflow: Not affected
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Enhanced IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
Srbds: Not affected
Tsx async abort: Not affected

zzx-QDU commented 5 months ago

Running cpuid | grep SGX2 also shows that all options are supported.

zheyang0825 commented 5 months ago

The 0xe019 error usually means PCCS cannot be reached; check whether the configuration is correct. Reference: https://www.secretflow.org.cn/zh-CN/docs/trustedflow/0.2.0b0.post0/quick_start/step1#id7

zzx-QDU commented 5 months ago

Do you mean that sgx_default_qcnl.conf is misconfigured, or that we made a mistake when deploying PCCS?

zzx-QDU commented 5 months ago

2024-04-30 07:03:55.505 [error]: Error: The platform was not found in the cache.
    at ReqCachingMode.getPckCertFromPCS (file:///home/h/predictor/sd/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/services/caching_modes/cachingMode.js:72:11)
    at CachingModeManager.getPckCertFromPCS (file:///home/h/predictor/sd/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js:54:23)
    at Module.getPckCert (file:///home/h/predictor/sd/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/services/pckcertService.js:115:41)
    at async getPckCert (file:///home/h/predictor/sd/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/controllers/pckcertController.js:77:25)
2024-04-30 07:03:55.518 [info]: 127.0.0.1 - - [30/Apr/2024:07:03:55 +0000] "GET /sgx/certification/v3/pckcert?qeid=83495CC1CDC5BE73CEF70D7E70611126&encrypted_ppid=107806A7AB3BF31924DADF2D5985D650F45D0315D81AB9A4A6A87ACC4ADC7A60E5CD8364DA4CC5B504AB5E6402D1D882F252535C4560CA7AA86D9B9C0FF3397E41697C5610F656CF83C844E5AF25647422A6F6AED803421CB391E66FB3E9B9AD452CCF7EDA5E0ED8FA999508704ADBDB02AA3A0F5A5E67D57D57D52DBD93D8119759C4F6328F93D80E447C28E26694BEC9250A1AE4F4D7083DDD162CA3E7219BEA509097124033EDFC3EA27BEA8EC968EAAB13FDB0E614784F59318985B249E9266BC39AFC4E68F9FCC69E2273EBE311F7701FF113D259A7D95A08E2F887812842D1F541477248A60909F60100A5283E6C1255170CBEBA3FA7E3FDFA510F7B8CAA575672E2A66DB70D95677B388E38C46006B4EA57B2162260C1AD95DBF050B038C7C5A69BB21ADA840045F3A26855FA232BA8A33AF003465D04544801D716B2A4BC685A726FF410AC13FB25058EE3360A761478981C696C7FB47728937E731DA9BB3F52D9064F4D632156083A878FAE9C8089C5CC739F50F5B590BC5B0453DE&cpusvn=060D0C0CFFFF00000000000000000000&pcesvn=0F00&pceid=0000 HTTP/1.1" 461 40 "-" "-"

2024-04-30 07:04:34.416 [info]: Client Request-ID : 4e53a101927e4da7b35ebb6918468bc6
2024-04-30 07:04:34.422 [error]: Error: The platform was not found in the cache.
    at ReqCachingMode.getPckCertFromPCS (file:///home/h/predictor/sd/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/s

zzx-QDU commented 5 months ago

I restarted the PCCS service; the original 0xe019 error is gone, and the error is now 0xe047.

[2024-04-30 07:05:10.052] [info] [sgx2_generator.cc:102] Start generating sgx2 report
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe047
thread 'main' panicked at capsule-manager/src/main.rs:53:6:
capsule_manager init error: Error { code: InternalErr, details: Some("runified_attestation_generate_auth_report err: \"[Enforce fail at trustedflow/attestation/generation/sgx2/sgx2_generator.cc:115] ioctl(sgx_fd, SGXIOC_GET_DCAP_QUOTE_SIZE, &quote_size) == 0. -1 vs 0.Fail to get quote size, errno = 22\0\""), location: Some(ErrorLocation { line: 198, file: "capsule-manager/src/server.rs" }) }
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

My colleague generated a certificate while deploying PCCS. Should that certificate be placed at the specified location in the docker container, or should we avoid generating a certificate when deploying PCCS?

zzx-QDU commented 5 months ago

We subscribed to the API and redeployed the PCCS service in LAZY mode (it was in REQ mode before), and CapsuleManager now starts successfully. Thanks for the help!
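As an added example (not code from the TrustFlow project or from anyone in this thread), the Python script below parses PCCS access-log lines and quote-provider error lines like those posted above, pulls out the platform identifiers (qeid, pceid) and the HTTP status or sgx_ql error code, and maps the HTTP 461 and 0xe019 cases discussed here to the cause the thread points at. The sample lines are constructed (encrypted_ppid shortened) and the hint texts are assumptions drawn from the thread, not from Intel documentation.

```python
import re
from urllib.parse import parse_qs, urlparse
# Constructed sample lines modelled on the thread (encrypted_ppid shortened, ids made up).
SAMPLE_LINES = [
    '2024-04-30 07:03:55.505 [error]: Error: The platform was not found in the cache.',
    '2024-04-30 07:03:55.518 [info]: 127.0.0.1 - - [30/Apr/2024:07:03:55 +0000] '
    '"GET /sgx/certification/v3/pckcert?qeid=83495CC1CDC5BE73CEF70D7E70611126'
    '&encrypted_ppid=107806A7&cpusvn=060D0C0CFFFF00000000000000000000&pcesvn=0F00'
    '&pceid=0000 HTTP/1.1" 461 40 "-" "-"',
    '[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the '
    'p_sgx_get_quote_config API. 0xe047',
]

# PCCS access-log request line, and the quote provider library's error line.
PCCS_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
QL_ERR = re.compile(r'p_sgx_get_quote_config API\. (?P<code>0x[0-9a-fA-F]+)')

# Meaning of the codes seen in the thread (assumed hints); anything else is reported raw.
PCCS_STATUS_HINT = {
    461: "platform not in PCCS cache: REQ mode only serves pre-registered platforms, "
         "register this qeid/pceid or run PCCS in LAZY mode",
}
QL_CODE_HINT = {0xE019: "quote provider could not reach PCCS (check sgx_default_qcnl.conf)"}

def parse_pccs_request(line):
    """Return (status, query params) for a PCCS access-log line, else None."""
    m = PCCS_REQ.search(line)
    if not m:
        return None
    query = parse_qs(urlparse(m.group("target")).query)
    return int(m.group("status")), {k: v[0] for k, v in query.items()}

def parse_ql_error(line):
    """Return the sgx_ql_error_t code from a quote-provider error line, else None."""
    m = QL_ERR.search(line)
    return int(m.group("code"), 16) if m else None

def triage(lines):
    """Turn raw log lines into findings naming the platform identifiers and likely fix."""
    findings = []
    for line in lines:
        req = parse_pccs_request(line)
        if req:
            status, p = req
            findings.append(f"PCCS {status} qeid={p.get('qeid')} pceid={p.get('pceid')}: "
                            f"{PCCS_STATUS_HINT.get(status, 'unexpected status')}")
        code = parse_ql_error(line)
        if code is not None:
            findings.append(f"sgx_ql error {code:#06x}: {QL_CODE_HINT.get(code, 'not covered here')}")
    return findings
```

Feed it the real PCCS log and the CapsuleManager stderr to get a one-line finding per failed request instead of reading raw stack traces.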