deislabs / mystikos

Tools and runtime for launching unmodified container images in Trusted Execution Environments

Curl errors in samples/TEE_aware #1497

Open itssme opened 1 year ago

itssme commented 1 year ago

I am trying to run the TEE_aware sample, but I am getting errors when running the program.

Steps to reproduce

  1. clone the project
  2. cd mystikos/samples/TEE_aware/gencreds
  3. export MYSTIKOS_INSTALL_DIR=/opt/mystikos (installed version 0.11 via .deb package)
  4. make appdir
  5. make run
Generating a signing key
openssl genrsa -out package.pem -3 3072
Generating RSA private key, 3072 bit long modulus (2 primes)
...................................................................................................++++
..++++
e is 3 (0x03)
Building a ext2 file system to run in Mystikos
Dumping roothash merkel tree
Generating a signed package
Created myst/bin/gencreds

Running application outside a TEE.
appdir/bin/gencreds
****I am in unknown environment, returning
Running Mystikos packaged application inside an SGX TEE.
./myst/bin/gencreds
mystikos: info: enter.c(809): myst_enter_kernel(): Entered Mystikos kernel.
mystikos: warn: exec.c(1164): myst_exec(): 
    The thread stack size may be too small for the given program interpreter
    (link loader), which could result in stack overflows. Consider changing
    the thread stack size to at least 1048576 bytes, using the --thread-stack-size
    option or the ThreadStackSize configuration setting.
    [interpreter=/lib64/ld-linux-x86-64.so.2]
    [program=/bin/gencreds]

mystikos: info: exec.c(1259): myst_exec(): Entering CRT.
****I am in an SGX TEE, I will proceed to generate and verify TEE credentials
2023-09-19T14:34:51+0200.998417Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:34:51+0200.998476Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
2023-09-19T14:34:55+0200.070439Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:34:55+0200.070469Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
2023-09-19T14:34:58+0200.142432Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:34:58+0200.142462Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
2023-09-19T14:35:01+0200.214412Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:35:01+0200.214447Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
2023-09-19T14:35:04+0200.286422Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:35:04+0200.286456Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
2023-09-19T14:35:07+0200.358424Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:35:07+0200.358453Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
Generated a self-signed certificate and a private key
2023-09-19T14:35:09+0200.466812Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: HTTP error (404)
2023-09-19T14:35:09+0200.466831Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 22 in curl_easy_perform
2023-09-19T14:35:09+0200.466890Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: curl error thrown, error code: 16: curl_easy_perform
2023-09-19T14:35:09+0200.601694Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: HTTP error (404)
2023-09-19T14:35:09+0200.601712Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 22 in curl_easy_perform
2023-09-19T14:35:09+0200.601770Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: curl error thrown, error code: 16: curl_easy_perform
2023-09-19T14:35:09+0200.601779Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Error fetching TCB Info: 57371
2023-09-19T14:35:09+0200.601788Z [(H)ERROR] tid(0x7f74b3bb0f40) | :OE_QUOTE_PROVIDER_CALL_ERROR [/__w/1/s/mystikos/third_party/openenclave/openenclave/host/sgx/sgxquoteprovider.c:oe_get_sgx_quote_verification_collateral:135]
2023-09-19T14:35:09+0200.601791Z [(H)ERROR] tid(0x7f74b3bb0f40) | :OE_QUOTE_PROVIDER_CALL_ERROR [/__w/1/s/mystikos/third_party/openenclave/openenclave/host/sgx/ocalls/ocalls.c:oe_get_quote_verification_collateral_with_baseline_ocall:241]
Assertion failed: ret == 0 (gencreds.c: main: 54)
/home/robo/Downloads/mystikos/samples/TEE_aware/gencreds/myst/bin/gencreds: error: Enclave /tmp/mystvVs6rM/lib/openenclave/mystenc.so returned 134

make: *** [Makefile:37: run] Error 134

Am I missing something? As far as I understand, the sample should create a self-signed certificate in an enclave and then verify that certificate? But what is curl trying to do, query some certificates or revocation lists etc.?

Any help is much appreciated :+1:

vtikoo commented 1 year ago

Can you share some details on where you are running this? Is this an Azure VM?

radhikaj commented 1 year ago

As @vtikoo indicates - we test on Azure VMs currently. You can also try to set up Intel QPL per the instructions here on non-Azure VMs https://github.com/openenclave/openenclave/pull/4773/files, but we have not validated these instructions at this time with Mystikos.

itssme commented 1 year ago

Thanks for the quick responses!

> Can you share some details on where you are running this? Is this an Azure VM?

I am currently running this from a fresh Ubuntu 20.04 installation on my local machine (I set up a bootable USB M.2 SSD as my dev environment for this project). I followed the Open Enclave install guide and the Mystikos install guide (.deb v0.11.0).

I am currently trying out different confidential computing frameworks that support SGX, for example Asylo, Open Enclave, EGo etc. Eventually my goal is to develop a small application that hosts an HTTPS server that I can send data to (for example a part of a point cloud) and then processes that data securely in an enclave, so that the data cannot be seen by the cloud provider nor by anyone listening in transit. I also intend to use remote attestation, to verify that the cloud provider is running the exact code I provided etc.

> As @vtikoo indicates - we test on Azure VMs currently. You can also try to set up Intel QPL per the instructions here on non-Azure VMs https://github.com/openenclave/openenclave/pull/4773/files, but we have not validated these instructions at this time with Mystikos.

Thank you for the link to the guide to set up Intel QPL, I will definitely take a look at that :+1:

I also looked at guides like: https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation and read a bit about remote attestation etc.

If you have any more links and resources that could help me, I would very much appreciate it :+1:

itssme commented 1 year ago

> You can also try to set up Intel QPL per the instructions here on non-Azure VMs https://github.com/openenclave/openenclave/pull/4773/files, but we have not validated these instructions at this time with Mystikos.

I followed the instructions of @radhikaj and installed the PCCS service. When running the TEE_aware example the curl errors are gone, but the self-signed certificate generated in the enclave cannot be validated.

Generating a signing key
openssl genrsa -out package.pem -3 3072
Generating RSA private key, 3072 bit long modulus (2 primes)
.....................................................................................++++*.....................................++++*.......................................................++++
..................................................................................................................++++*..........................................................................................................................................................++++*........................................................................................................................................................++++*..............................................................................................................................................................................................................................................................................++++*...........................................................................++++
e is 3 (0x03)
Building a ext2 file system to run in Mystikos
Dumping roothash merkel tree
Generating a signed package
Created myst/bin/gencreds

Running application outside a TEE.
appdir/bin/gencreds
****I am in unknown environment, returning
Running Mystikos packaged application inside an SGX TEE.
./myst/bin/gencreds
mystikos: info: enter.c(809): myst_enter_kernel(): Entered Mystikos kernel.
mystikos: warn: exec.c(1164): myst_exec(): 
    The thread stack size may be too small for the given program interpreter
    (link loader), which could result in stack overflows. Consider changing
    the thread stack size to at least 1048576 bytes, using the --thread-stack-size
    option or the ThreadStackSize configuration setting.
    [interpreter=/lib64/ld-linux-x86-64.so.2]
    [program=/bin/gencreds]

mystikos: info: exec.c(1259): myst_exec(): Entering CRT.
****I am in an SGX TEE, I will proceed to generate and verify TEE credentials
Generated a self-signed certificate and a private key
Assertion failed: ret == 0 (gencreds.c: main: 54)
/home/robo/Downloads/mystikos/samples/TEE_aware/gencreds/myst/bin/gencreds: error: Enclave /tmp/mystgWG3zR/lib/openenclave/mystenc.so returned 134

make: *** [Makefile:37: run] Error 134
ret = syscall(SYS_myst_verify_cert, cert, cert_size, _verifier, NULL);
assert(ret == 0);  /* gencreds.c line 54, the assertion that fails in the output above */

In the process of installing the sgx-dcap-pccs package, a self-signed certificate is generated. Do I need to change any configuration of Mystikos so that the certificate is marked as trusted?
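The two gencreds runs quoted in this thread differ only in where the DCAP quote provider fails: before PCCS was installed, curl error 7 appears during credential generation and HTTP 404 / "Error fetching TCB Info" during verification; afterwards there are no quote-provider errors and only the assertion at gencreds.c line 54 remains. The script below is an added triage helper written for this page, not code from Mystikos, Open Enclave or the issue's author; it splits a run at the "Generated a self-signed certificate" marker and tallies the dcap_quoteprov errors per phase. The sample logs are constructed, abridged copies of the output above, and the CURLcode names come from libcurl's own error table.

```python
import re
from collections import Counter
# libcurl CURLcode names for the two codes quoted in this issue.
CURL_CODES = {7: "CURLE_COULDNT_CONNECT", 22: "CURLE_HTTP_RETURNED_ERROR"}
PHASE_MARKER = "Generated a self-signed certificate and a private key"  # printed between generating and verifying
CURL_RE = re.compile(r"dcap_quoteprov: \[ERROR\]: Encountered CURL error (\d+)")
HTTP_RE = re.compile(r"dcap_quoteprov: \[ERROR\]: HTTP error \((\d+)\)")
FETCH_RE = re.compile(r"dcap_quoteprov: \[ERROR\]: Error fetching (.+?): (\d+)")
ASSERT_RE = re.compile(r"Assertion failed: (.+?) \((\S+): \w+: (\d+)\)")
# Constructed, abridged excerpts of the two runs quoted above (first without PCCS, then with it).
RUN_WITHOUT_PCCS = """\
2023-09-19T14:34:51+0200.998417Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 7 in curl_easy_perform
2023-09-19T14:34:51+0200.998476Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: error thrown, error code: 7: curl_easy_perform
Generated a self-signed certificate and a private key
2023-09-19T14:35:09+0200.466812Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: HTTP error (404)
2023-09-19T14:35:09+0200.466831Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Encountered CURL error 22 in curl_easy_perform
2023-09-19T14:35:09+0200.601779Z [(H)ERROR] tid(0x7f74b3bb0f40) | dcap_quoteprov: [ERROR]: Error fetching TCB Info: 57371
Assertion failed: ret == 0 (gencreds.c: main: 54)
"""
RUN_WITH_PCCS = PHASE_MARKER + "\nAssertion failed: ret == 0 (gencreds.c: main: 54)\n"

def parse_run(text):
    # Tally quote-provider errors per phase; "error thrown" follow-up lines are deliberately not counted twice.
    phases = {"generate": Counter(), "verify": Counter()}
    phase, failed_fetch, assertion = "generate", [], None
    for line in text.splitlines():
        if PHASE_MARKER in line:
            phase = "verify"
        elif (m := CURL_RE.search(line)):
            phases[phase]["curl:" + m.group(1)] += 1
        elif (m := HTTP_RE.search(line)):
            phases[phase]["http:" + m.group(1)] += 1
        elif (m := FETCH_RE.search(line)):
            failed_fetch.append((m.group(1), int(m.group(2))))
        elif (m := ASSERT_RE.search(line)):
            assertion = f"{m.group(2)}:{m.group(3)} ({m.group(1)})"
    return {"phases": phases, "failed_fetch": failed_fetch, "assertion": assertion}

def diagnose(run):
    # One finding per error kind and phase, then the collateral that could not be fetched, then the assertion.
    findings = []
    for phase, errors in run["phases"].items():
        for key, n in sorted(errors.items()):
            kind, code = key.split(":")
            label = f"curl {code} ({CURL_CODES.get(int(code), 'unknown CURLcode')})" if kind == "curl" else f"HTTP {code}"
            findings.append(f"{phase}: {label} x{n}")
    for what, code in run["failed_fetch"]:
        findings.append(f"verify: collateral '{what}' not obtained (provider code {code})")
    if run["assertion"]:
        where = "after quote-provider errors" if findings else "with no quote-provider errors"
        findings.append(f"assertion {run['assertion']} {where}")
    return findings
```

Run on the second log the script reports only the assertion, which narrows the question to the verification step itself rather than collateral retrieval.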