aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0

I tried to follow enclave workshop #644

Open jeongsoo-seo opened 23 hours ago

jeongsoo-seo commented 23 hours ago

I followed the contents of the https://catalog.workshops.aws/nitro-enclaves/en-US/1-my-first-enclave page and ran the command below:

nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path ./hello.eif --debug-mode --enclave-cid 16

I got the error below:

[ E19 ] File operation failure. Such error appears when the system fails to perform the requested file operations, such as opening the EIF file when launching an enclave, or seeking to a specific offset in the EIF file, or writing to the log file. File: '/dev/nitro_enclaves', failing operation: 'Open'.

For more details, please visit https://docs.aws.amazon.com/enclaves/latest/user/cli-errors.html#E19

If you open a support ticket, please provide the error log found at "/var/log/nitro_enclaves/err2024-10-17T09:08:13.244096311+00:00.log"
Failed connections: 1
[ E39 ] Enclave process connection failure. Such error appears when the enclave manager fails to connect to at least one enclave process for retrieving the description information.

For more details, please visit https://docs.aws.amazon.com/enclaves/latest/user/cli-errors.html#E39

If you open a support ticket, please provide the error log found at "/var/log/nitro_enclaves/err2024-10-17T09:08:13.244395902+00:00.log"

This is the log file:

Action: Run Enclave
Subactions:
  Failed to execute command Run
  Failed to trigger enclave run
  Failed to construct EnclaveManager with given arguments
  Failed to create enclave handle
  Failed to open device file: Os { code: 2, kind: NotFound, message: "No such file or directory" }
Root error file: src/enclave_proc/resource_manager.rs
Root error line: 513
Version: 1.3.3

This is my system info:

ls -lh hello.eif
-rw-r--r--. 1 ec2-user ec2-user 221655689 Oct 17 08:51 hello.eif

free -m
               total        used        free      shared  buff/cache   available
Mem:           15779        3585        8326           8        3867       11856
Swap:            488           0         488

lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          46 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   4
  On-line CPU(s) list:    0,2
  Off-line CPU(s) list:   1,3
Vendor ID:                GenuineIntel
  Model name:             Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
    CPU family:           6
    Model:                85
    Thread(s) per core:   2
    Core(s) per socket:   1
    Socket(s):            1
    Stepping:             7
    BogoMIPS:             4999.99
    Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves ida arat pku ospke
Virtualization features:
  Hypervisor vendor:      KVM
  Virtualization type:    full
Caches (sum of all):
  L1d:                    32 KiB (1 instance)
  L1i:                    32 KiB (1 instance)
  L2:                     1 MiB (1 instance)
  L3:                     35.8 MiB (1 instance)
NUMA:
  NUMA node(s):           1
  NUMA node0 CPU(s):      0,2
Vulnerabilities:
  Gather data sampling:   Unknown: Dependent on hypervisor status
  Itlb multihit:          KVM: Mitigation: VMX unsupported
  L1tf:                   Mitigation; PTE Inversion
  Mds:                    Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
  Meltdown:               Mitigation; PTI
  Mmio stale data:        Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
  Reg file data sampling: Not affected
  Retbleed:               Vulnerable
  Spec rstack overflow:   Not affected
  Spec store bypass:      Vulnerable
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines; STIBP disabled; RSB filling; PBRSB-eIBRS Not affected; BHI Retpoline
  Srbds:                  Not affected
  Tsx async abort:        Not affected

=======================================================================
I could not run "sudo amazon-linux-extras install aws-nitro-enclaves-cli -y", but I ran "sudo yum install aws-nitro-enclaves-cli -y" instead.

meerd commented 22 hours ago

Hello @jeongsoo-seo,

Thank you for your interest in Nitro Enclaves. Could you confirm that you followed the configuration steps correctly?

To help us better understand the issue, please run the following command in your terminal and share the output:

ls -la /dev/nitro_enclaves

This will help us identify if the Enclaves driver is properly set up and accessible on your system.

jeongsoo-seo commented 22 hours ago

I had done the configuration steps except 'sudo amazon-linux-extras install aws-nitro-enclaves-cli -y'. Instead, I installed aws-nitro-enclaves-cli with yum. But there is no /dev/nitro_enclaves.

jeongsoo-seo commented 22 hours ago

I built two docker images.

REPOSITORY     TAG       IMAGE ID       CREATED       SIZE
hello-app      latest    5c68d7f77fd2   2 hours ago   216MB
enclave_base   latest    f0aab7fbd16f   2 hours ago   105MB

jeongsoo-seo commented 22 hours ago

I used Amazon Linux 2023. This version did not have amazon-linux-extras. Is this error related to 'amazon-linux-extras'?

jeongsoo-seo commented 21 hours ago

I used Amazon Linux 2 but I got the same result. This is my history list.

 1  sudo amazon-linux-extras install aws-nitro-enclaves-cli -y
 2  sudo yum install aws-nitro-enclaves-cli-devel -y
 3  sudo usermod -aG ne $USER
 4  sudo usermod -aG docker $USER
 5  nitro-cli --version
 6  sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service
 7  sudo systemctl status nitro-enclaves-allocator.service
 8  sudo systemctl start docker && sudo systemctl enable docker
 9  sudo shutdown -r now
10  id $USER
11  git clone --depth 1 https://github.com/aws-samples/aws-nitro-enclaves-workshop.git
12  cd ~/environment/aws-nitro-enclaves-workshop/resources/code/getting-started
13  docker build ./ -t "enclave_base"
14  pwd
15  cd
16  cd ~/environment/aws-nitro-enclaves-workshop/resources/code/my-first-enclave/nitro-enclaves-cli
17  docker build -t hello-app:latest .
18  pwd
19  ls
20  docker build -t hello-app:latest .
21  docker image ls
22  nitro-cli build-enclave --docker-uri hello-app:latest --output-file hello.eif
23  sudo systemctl stop nitro-enclaves-allocator.service
24  ALLOCATOR_YAML=/etc/nitro_enclaves/allocator.yaml
25  MEM_KEY=memory_mib
26  DEFAULT_MEM=3072
27  sudo sed -r "s/^(\s*${MEM_KEY}\s*:\s*).*/\1${DEFAULT_MEM}/" -i "${ALLOCATOR_YAML}"
28  sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service
29  nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16

Is there something I missed?

jeongsoo-seo commented 21 hours ago

I found that my EC2 instance did not have enclave support enabled. I turned on the enclave support option. It works well.
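A preflight check distilled from this thread's diagnosis (the maintainer's `ls -la /dev/nitro_enclaves` request, the `ne` group and allocator.yaml edits in the history list, and the missing enclave-support option), added here as an example; it is not code from aws-nitro-enclaves-cli or the workshop. It assumes `/dev/nitro_enclaves` is a character device and that allocator.yaml carries a `cpu_count` key next to `memory_mib`; the functions take their inputs as arguments so they can be run against constructed files.

```shell
#!/usr/bin/env bash
# Added example, not part of aws-nitro-enclaves-cli. nitro-cli reported E19 in
# this thread because /dev/nitro_enclaves did not exist: the node only appears
# when the instance was launched with enclave support enabled and the driver is
# loaded. Defaults are the real paths; arguments allow checks on constructed input.

# Returns 0 when the Nitro Enclaves device node exists and is a character
# device (assumption: the driver exposes a character device).
check_device_node() {
    local dev="${1:-/dev/nitro_enclaves}"
    [ -c "$dev" ]
}

# Returns 0 when the user (group list as printed by `id -nG`) is in the `ne`
# group granted by `sudo usermod -aG ne $USER` in the configuration steps.
check_ne_group() {
    local glist="${1:-$(id -nG)}"
    case " $glist " in
        *" ne "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the integer value of a key (memory_mib or cpu_count, the latter
# assumed) from allocator.yaml, the file the thread's sed command edits.
allocator_value() {
    local key="$1" yaml="${2:-/etc/nitro_enclaves/allocator.yaml}"
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p" "$yaml" | head -n1
}

# Returns 0 when the allocator reserves at least what
# `nitro-cli run-enclave --memory N --cpu-count M` will request.
check_allocation() {
    local want_mem="$1" want_cpus="$2" yaml="${3:-/etc/nitro_enclaves/allocator.yaml}"
    local have_mem have_cpus
    have_mem="$(allocator_value memory_mib "$yaml")"
    have_cpus="$(allocator_value cpu_count "$yaml")"
    [ -n "$have_mem" ] && [ -n "$have_cpus" ] &&
        [ "$have_mem" -ge "$want_mem" ] && [ "$have_cpus" -ge "$want_cpus" ]
}

# Runs every check against the live system and names the step to revisit.
# Usage: preflight 3072 2   (the values from the thread's run-enclave command)
preflight() {
    local rc=0
    check_device_node || { echo "missing /dev/nitro_enclaves: launch the instance with enclave support enabled and load the nitro_enclaves driver"; rc=1; }
    check_ne_group || { echo "user not in group ne: run 'sudo usermod -aG ne \$USER' and log in again"; rc=1; }
    check_allocation "${1:-3072}" "${2:-2}" || { echo "allocator.yaml reserves less than requested: edit it and restart nitro-enclaves-allocator.service"; rc=1; }
    return $rc
}
```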

jeongsoo-seo commented 21 hours ago

I hope the workshop page is updated to say that the EC2 instance should have enclave support enabled. Thanks.