aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0

Segfault in init #194

Closed jethrogb closed 3 years ago

jethrogb commented 3 years ago
Could not open /env file: No such file or directory
Could not open /env file: No such file or directory
[    0.793543] init[1]: segfault at 0 ip 0000000000410e84 sp 00007fff27e27340 error 4 in init[400000+d4000]

The IP corresponds to fclose. You can't call fclose(NULL).
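The pattern behind that crash, as an added example that is not code from aws-nitro-enclaves-cli or the enclave init: the open fails (here because the image builder emitted no /env file), the error branch prints the message, and control still falls through to fclose() on the NULL handle, which glibc dereferences. `load_env_unsafe()` keeps that defect on purpose; `load_env_safe()` closes only what it opened and treats a missing env file as "no variables". The env file format, the `/nonexistent-dir/env` path and the temp-file helper are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from aws-nitro-enclaves-cli or the enclave init.
 * It reproduces the pattern behind the crash in this issue: fopen() fails
 * (here because the image builder emitted no /env, i.e. the Dockerfile had
 * no ENV), and the error path still reaches fclose() with a NULL handle.
 * glibc's fclose() dereferences the FILE, hence "segfault at 0".
 * load_env_unsafe() keeps the defect; load_env_safe() fixes it. */

/* Count "KEY=VALUE" lines in an already-open env file. */
static int count_env_lines(FILE *f)
{
    char line[4096];
    int n = 0;
    while (fgets(line, sizeof line, f) != NULL)
        if (strchr(line, '=') != NULL)
            n++;
    return n;
}

/* Buggy: fclose() runs whether or not fopen() succeeded. With a missing
 * file this is undefined behaviour and crashes on glibc. */
int load_env_unsafe(const char *path)
{
    FILE *f = fopen(path, "r");
    int n = -1;
    if (f == NULL)
        fprintf(stderr, "Could not open %s file: %s\n", path, strerror(errno));
    else
        n = count_env_lines(f);
    fclose(f);
    return n;
}

/* Fixed: a missing env file is a legitimate state (no ENV in the image),
 * so report 0 variables; any other open failure is an error (-1). The
 * handle is only closed on the path where it was actually opened. */
int load_env_safe(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        if (errno == ENOENT)
            return 0;
        fprintf(stderr, "Could not open %s file: %s\n", path, strerror(errno));
        return -1;
    }
    int n = count_env_lines(f);
    fclose(f);
    return n;
}

/* Constructed sample input (assumption, not from the page): writes a
 * two-variable env file to a temp path once and returns that path. */
const char *write_constructed_env(void)
{
    static char path[] = "/tmp/env-example-XXXXXX";
    static int created = 0;
    if (created)
        return path;
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");
    if (f == NULL)
        return NULL;
    fputs("HELLO=Hello from the enclave side!\nPATH=/bin:/usr/bin\n", f);
    fclose(f);
    created = 1;
    return path;
}

int main(void)
{
    const char *sample = write_constructed_env();
    printf("sample env: %d variables\n", load_env_safe(sample));
    printf("missing env file: %d variables\n", load_env_safe("/nonexistent-dir/env"));
    /* load_env_unsafe("/nonexistent-dir/env") would segfault here. */
    return 0;
}
```

The safe variant also distinguishes ENOENT from other failures (EACCES, EIO), so a genuinely broken image is still reported rather than silently started with an empty environment.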

jethrogb commented 3 years ago

This happens if you set ENTRYPOINT but not ENV or CMD in your Dockerfile.

alexggh commented 3 years ago

This happens if you set ENTRYPOINT but not ENV or CMD in your Dockerfile.

@jethrogb: I think you just helped us debug this: https://github.com/aws/aws-nitro-enclaves-cli/issues/188 Thank you

jethrogb commented 3 years ago

This happens if you set ENTRYPOINT but not ENV or CMD in your Dockerfile.

Not yet convinced this is the whole story.

jethrogb commented 3 years ago

Are there supposed to be two EifSectionRamdisk sections in the Eif?

jethrogb commented 3 years ago

I think there's some issue with initrd concatenation.

jethrogb commented 3 years ago

This works:

# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

FROM busybox

RUN truncate -s $((300*1024*1024)) /large_file

ENV HELLO="Hello from the enclave side!"

CMD ["/bin/sh", "-c", "while true; do echo \"$HELLO\"; sleep 10; done"]

This doesn't:

# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

FROM busybox

RUN truncate -s $((350*1024*1024)) /large_file

ENV HELLO="Hello from the enclave side!"

CMD ["/bin/sh", "-c", "while true; do echo \"$HELLO\"; sleep 10; done"]

alexggh commented 3 years ago

@jethrogb: You pointed to the exact error. The problem is the following: you allocated less memory to the enclave than the Linux kernel needs to unpack the ramfs.

If you look at the kernel logs with the console command, you would probably first see "Failed to unpack initramfs".

As of now the guideline is that the enclave should have allocated at least 4 times more memory than the size of the EIF.

Logging an issue, to get a proper error and enforce this in the nitro-cli.
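A pre-flight check for the 4x guideline stated above, as an added example that is not part of nitro-cli or this issue: it derives the minimum `--memory` value from the EIF file size and refuses to launch when the requested amount is below it. The ramdisk image is loaded into enclave memory and then unpacked into a RAM-backed root filesystem, so both copies must fit; an undersized enclave dies at "Initramfs unpacking failed: write error" before init runs. `hello.eif` is a hypothetical file name; `--eif-path`, `--memory` and `--cpu-count` are the real `nitro-cli run-enclave` options.

```shell
#!/bin/sh
# Added example, not part of nitro-cli: enforce the sizing guideline from
# this thread (enclave memory >= 4x the EIF size) before run-enclave.

# Minimum enclave memory in MiB for an EIF of SIZE_BYTES: 4 * size,
# rounded up to a whole MiB.
min_enclave_memory_mib() {
    size_bytes=$1
    echo $(( (4 * size_bytes + 1048575) / 1048576 ))
}

# check_enclave_memory EIF_PATH REQUESTED_MIB: succeed if REQUESTED_MIB meets
# the guideline for that EIF, otherwise print the shortfall and fail.
check_enclave_memory() {
    eif_path=$1
    requested_mib=$2
    size_bytes=$(wc -c < "$eif_path" | tr -d ' ')
    need_mib=$(min_enclave_memory_mib "$size_bytes")
    if [ "$requested_mib" -lt "$need_mib" ]; then
        echo "$eif_path is $size_bytes bytes: --memory $requested_mib MiB is below the 4x guideline ($need_mib MiB)" >&2
        return 1
    fi
    echo "$eif_path: --memory $requested_mib MiB satisfies the 4x guideline ($need_mib MiB)"
    return 0
}

# Usage, assuming hello.eif (hypothetical name) was produced by
# `nitro-cli build-enclave`: only launch when the check passes.
#   check_enclave_memory hello.eif 2048 &&
#       nitro-cli run-enclave --eif-path hello.eif --memory 2048 --cpu-count 2
```

For the failing Dockerfile above, a 350 MiB /large_file alone pushes the minimum past 1400 MiB, which is why the 300 MiB variant fit and the 350 MiB one did not under the same `--memory`.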

jethrogb commented 3 years ago

Indeed it says:

[    0.268206] Unpacking initramfs...
[    0.586559] Initramfs unpacking failed: write error

But that happens in the middle of a lot of other kernel messages, so yes, some more diagnostics around this would be helpful.

bercarug commented 3 years ago

Solved by https://github.com/aws/aws-nitro-enclaves-cli/pull/198