search

aws / aws-nitro-enclaves-sdk-bootstrap

This project builds the kernel, nsm driver and bootstrap process for AWS Nitro Enclaves.
Apache License 2.0
15 stars 18 forks source link

RNG bug #15

Closed gbryant-arm closed 1 year ago

gbryant-arm commented 1 year ago

On some Nitro machines and intermittently, requesting entropy from within the enclave by whether reading /dev/random or sending a getrandom syscall results in failure: the function call hangs and does not return immediately (or ever). This might be due to entropy shortage or incorrect entropy initialisation. Might be related to https://github.com/aws/aws-nitro-enclaves-sdk-c/issues/41.

So far I have found two machines exhibiting this behaviour. Rebooting doesn't seem to make any difference.

I understand the recommended solution is to use the NSM library, but forking dependencies is not ideal. Is there a good reason why NSM's RNG is not plugged into /dev/*random directly? I thought this was implemented in https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/pull/9 but this change to the NSM kernel module is already deployed into the Nitro CLI tool I'm using (v1.1.0).

Here is my PCR1 fwiw: c35e620586e91ed40ca5ce360eedf77ba673719135951e293121cb3931220b00f87b5a15e94e25c01fecd08fc9139342

petreeftime commented 1 year ago

The NSM is now plugged into the HWRNG system and automatically seeds entropy (see #9), but this version of the driver is shipped with nitro-cli 1.2.0, and is not available in nitro-cli 1.1.0. You should be able to download just the blobs and set NITRO_CLI_BLOBS environment variable to point to them, but updating nitro-cli is recommended.

gbryant-arm commented 1 year ago

Thanks for your answer. I forgot to mention it but I'm facing the same issue on another machine with nitro-cli 1.2.0. Same PCR1

petreeftime commented 1 year ago

If it's the same PCR1, was the image built on another machine with nitro-cli 1.1.0 perhaps? Unless I mistakingly modified something on my test instance, I get "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f" with the nitro-cli 1.2.0 blobs.

petreeftime commented 1 year ago

Also, with nitro-cli 1.2.0, you should be able to gain a bit more context into what the image is, via nitro-cli describe-eif command.

nitro-cli describe-eif --eif-path hello.eif
{
  "EifVersion": 4,
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "297caf40f22a444b7ac98e8ee68768b5c86480559bedab11ebfda0feebe8453ec7cc966d862920fb553857e0b1b554ff",
    "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
    "PCR2": "5a10913645be73e780072fe38b25b386b0f6e1bbfc35ec076e5e10d21f14d8a5fc409316b0eebd6bb8d3c7c0b1abed15"
  },
  "IsSigned": false,
  "CheckCRC": true,
  "ImageName": "hello-world",
  "ImageVersion": "feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412",
  "Metadata": {
    "BuildTime": "2022-10-10T14:09:32.994323426+00:00",
    "BuildTool": "nitro-cli",
    "BuildToolVersion": "1.2.0",
    "OperatingSystem": "Linux",
    "KernelVersion": "4.14.256",
    "DockerInfo": {
      "Architecture": "amd64",
      "Author": "",
      "Comment": "",
      "Config": {
        "AttachStderr": false,
        "AttachStdin": false,
        "AttachStdout": false,
        "Cmd": [
          "/hello"
        ],
        "Domainname": "",
        "Entrypoint": null,
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "ExposedPorts": null,
        "Hostname": "",
        "Image": "sha256:b9935d4e8431fb1a7f0989304ec86b3329a99a25f5efdc7f09f3f8c41434ca6d",
        "Labels": null,
        "OnBuild": null,
        "OpenStdin": false,
        "StdinOnce": false,
        "Tty": false,
        "User": "",
        "WorkingDir": ""
      },
      "Created": "2021-09-23T23:47:57.442225064Z",
      "DockerVersion": "20.10.7",
      "Id": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412",
      "Os": "linux",
      "Parent": "",
      "RepoDigests": [
        "hello-world@sha256:62af9efd515a25f84961b70f973a798d2eca956b1b2b026d0a4a63a3b0b6a3f2"
      ],
      "RepoTags": [
        "hello-world:latest"
      ],
      "Size": 13256,
      "VirtualSize": 13256
    }
  }
}
gbryant-arm commented 1 year ago

If it's the same PCR1, was the image built on another machine with nitro-cli 1.1.0 perhaps? Unless I mistakingly modified something on my test instance, I get "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f" with the nitro-cli 1.2.0 blobs.

You're correct, I got confused by the fact that the image was built on a different machine from the one running it. I'm gonna update nitro-cli and get back to you with more details.

Btw IIUC it looks like https://github.com/aws/aws-nitro-enclaves-cli/commit/b37b6a3920b80f7ed643b86df1ddf541fc5af110 was merged before 1.1.0 (https://github.com/aws/aws-nitro-enclaves-cli/commit/4fcf25d166fa2d522c5406840e68d42e6d24dd9e)

gbryant-arm commented 1 year ago

On the same machine, I was able to reproduce the bug with an image built with nitro-cli 1.0.12, but not with the same image built with nitro-cli 1.2.0. Solved! Thanks