Closed gbryant-arm closed 1 year ago
The NSM is now plugged into the HWRNG system and automatically seeds entropy (see #9), but this version of the driver is shipped with nitro-cli 1.2.0, and is not available in nitro-cli 1.1.0. You should be able to download just the blobs and set NITRO_CLI_BLOBS
environment variable to point to them, but updating nitro-cli is recommended.
Thanks for your answer. I forgot to mention it but I'm facing the same issue on another machine with nitro-cli 1.2.0. Same PCR1
If it's the same PCR1, was the image built on another machine with nitro-cli 1.1.0 perhaps?
Unless I mistakingly modified something on my test instance, I get
"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f"
with the nitro-cli 1.2.0 blobs.
Also, with nitro-cli 1.2.0, you should be able to gain a bit more context into what the image is, via nitro-cli describe-eif
command.
nitro-cli describe-eif --eif-path hello.eif
{
"EifVersion": 4,
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "297caf40f22a444b7ac98e8ee68768b5c86480559bedab11ebfda0feebe8453ec7cc966d862920fb553857e0b1b554ff",
"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
"PCR2": "5a10913645be73e780072fe38b25b386b0f6e1bbfc35ec076e5e10d21f14d8a5fc409316b0eebd6bb8d3c7c0b1abed15"
},
"IsSigned": false,
"CheckCRC": true,
"ImageName": "hello-world",
"ImageVersion": "feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412",
"Metadata": {
"BuildTime": "2022-10-10T14:09:32.994323426+00:00",
"BuildTool": "nitro-cli",
"BuildToolVersion": "1.2.0",
"OperatingSystem": "Linux",
"KernelVersion": "4.14.256",
"DockerInfo": {
"Architecture": "amd64",
"Author": "",
"Comment": "",
"Config": {
"AttachStderr": false,
"AttachStdin": false,
"AttachStdout": false,
"Cmd": [
"/hello"
],
"Domainname": "",
"Entrypoint": null,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"ExposedPorts": null,
"Hostname": "",
"Image": "sha256:b9935d4e8431fb1a7f0989304ec86b3329a99a25f5efdc7f09f3f8c41434ca6d",
"Labels": null,
"OnBuild": null,
"OpenStdin": false,
"StdinOnce": false,
"Tty": false,
"User": "",
"WorkingDir": ""
},
"Created": "2021-09-23T23:47:57.442225064Z",
"DockerVersion": "20.10.7",
"Id": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412",
"Os": "linux",
"Parent": "",
"RepoDigests": [
"hello-world@sha256:62af9efd515a25f84961b70f973a798d2eca956b1b2b026d0a4a63a3b0b6a3f2"
],
"RepoTags": [
"hello-world:latest"
],
"Size": 13256,
"VirtualSize": 13256
}
}
}
If it's the same PCR1, was the image built on another machine with nitro-cli 1.1.0 perhaps? Unless I mistakingly modified something on my test instance, I get
"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f"
with the nitro-cli 1.2.0 blobs.
You're correct, I got confused by the fact that the image was built on a different machine from the one running it. I'm gonna update nitro-cli and get back to you with more details.
Btw IIUC it looks like https://github.com/aws/aws-nitro-enclaves-cli/commit/b37b6a3920b80f7ed643b86df1ddf541fc5af110 was merged before 1.1.0 (https://github.com/aws/aws-nitro-enclaves-cli/commit/4fcf25d166fa2d522c5406840e68d42e6d24dd9e)
On the same machine, I was able to reproduce the bug with an image built with nitro-cli 1.0.12, but not with the same image built with nitro-cli 1.2.0. Solved! Thanks
On some Nitro machines and intermittently, requesting entropy from within the enclave by whether reading
/dev/random
or sending agetrandom
syscall results in failure: the function call hangs and does not return immediately (or ever). This might be due to entropy shortage or incorrect entropy initialisation. Might be related to https://github.com/aws/aws-nitro-enclaves-sdk-c/issues/41.So far I have found two machines exhibiting this behaviour. Rebooting doesn't seem to make any difference.
I understand the recommended solution is to use the NSM library, but forking dependencies is not ideal. Is there a good reason why NSM's RNG is not plugged into
/dev/*random
directly? I thought this was implemented in https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/pull/9 but this change to the NSM kernel module is already deployed into the Nitro CLI tool I'm using (v1.1.0).Here is my PCR1 fwiw:
c35e620586e91ed40ca5ce360eedf77ba673719135951e293121cb3931220b00f87b5a15e94e25c01fecd08fc9139342