search

edgeless-project / edgeless

MVP Implementation
Other
16 stars 1 forks source link

Error during the execution of a workflow that runs on a trusted edgeless_node SGX device. #159

Closed CSpyridakis closed 2 months ago

CSpyridakis commented 5 months ago

The environment used is represented in the following image. Screenshot from 2024-04-29 12-48-15

It is based on 385b06d4a7ca2a82369653125ea4386b0ffe1a9b commit, and it contains the minimal EDGELESS system.

The trusted image of the edgeless_node has been built (using the SecureExecutor tool) and during its evaluation process the following error is experienced. 

[SCONE|WARN] src/shielding/fs_proc.c:470:proc_fs_open(): open: /proc/self/cgroup is not supported       
[SCONE|ERROR] src/shielding/struct.c:397:fd_struct_handle_fd_syscall(): fcntl() was used with cmd 1033. 
[SCONE|ERROR] src/shielding/struct.c:398:fd_struct_handle_fd_syscall(): This is currently not supported.
thread 'tokio-runtime-worker' panicked at edgeless_node/src/wasm_runner/function_instance.rs:154:76:    
called `Result::unwrap()` on an `Err` value: cannot add seals to the memfd                              

Caused by:                                                                                              
    Function not implemented (os error 38)

The reason behind this issue, as it seams, is that a part of the code is stored directly in main memory and it is tried to be executed from there and not from inside the enclave.

ccicconetti commented 5 months ago

Uhm... it seems wasmtime may not be loaded on SGX.

Did you check in the official documentation if this is a known limitation or if there are workarounds?

@raphaelhetzel any thoughts on this?

raphaelhetzel commented 5 months ago

Wasmtime is using a JIT, so it is expected that it executes and writes to the same memory region.

I would expect that there is some way to allow this in SGX/Scone (not an expert here).

Alternatively, you can switch to the wasmi-based runtime, which can be enabled using a Rust feature. That is just a pure interpreter and should also work in SGX.

raphaelhetzel commented 2 months ago

I guess we can close this given one can use it with WASMI. If we need a JIT inside a TEE we can open a more specific issue.