intel / SGXDataCenterAttestationPrimitives


Problems with PCCS installation on Debian 11 #223

Open omeg opened 2 years ago

omeg commented 2 years ago

First off, I know that Debian isn't officially supported, but it's common enough that this might be useful to someone.

I have built the SGX SDK from sources, latest commit at this time (0af6a83). I know that this repo is a submodule for the main SGX SDK one (https://github.com/intel/linux-sgx) so I'm creating the issue here. DCAP commit used was 4b2b8fc (v1.12.1). The build was OK and the SDK and PSW packages installed successfully. I then tried to install the built PCCS *.deb package and got this error:

$ sudo dpkg -i sgx-dcap-pccs_1.12.101.1-bullseye1_amd64.deb
Preparing to unpack sgx-dcap-pccs_1.12.101.1-bullseye1_amd64.deb ...
Unpacking sgx-dcap-pccs (1.12.101.1-bullseye1) ...
Setting up sgx-dcap-pccs (1.12.101.1-bullseye1) ...
Checking nodejs version ...
nodejs is installed, continue...
Checking cracklib-runtime ...
Warning: If you are upgrading PCCS from an old release, the existing cache database will be updated automatically.
         It's strongly recommended to backup your existing cache database first and then continue the installation.
         For DCAP releases 1.8 and earlier, the cache database can't be updated so you need to delete it manually.
Do you want to install PCCS now? (Y/N) :y
Check proxy server configuration for internet connection...
Enter your http proxy server address, e.g. http://proxy-server:port (Press ENTER if there is no proxy server) :
Enter your https proxy server address, e.g. http://proxy-server:port (Press ENTER if there is no proxy server) :
npm WARN invalid config proxy="" set in /opt/intel/sgx-dcap-pccs/.npmrc
npm WARN invalid config Must be full url with "http://"
npm WARN config omitting invalid config values
npm WARN invalid config https-proxy="" set in /opt/intel/sgx-dcap-pccs/.npmrc
npm WARN invalid config Must be full url with "http://"
npm WARN config omitting invalid config values
npm ERR! code 1
npm ERR! path /opt/intel/sgx-dcap-pccs/node_modules/ffi-napi
npm ERR! command failed
npm ERR! command sh -c node-gyp-build
npm ERR! gyp info it worked if it ends with ok
npm ERR! gyp info using node-gyp@3.8.0
npm ERR! gyp info using node@12.22.5 | linux | x64
npm ERR! gyp ERR! configure error
npm ERR! gyp ERR! stack Error: Command failed: /usr/bin/python -c import sys; print "%s.%s.%s" % sys.version_info[:3];
npm ERR! gyp ERR! stack   File "<string>", line 1
npm ERR! gyp ERR! stack     import sys; print "%s.%s.%s" % sys.version_info[:3];
npm ERR! gyp ERR! stack                       ^
npm ERR! gyp ERR! stack SyntaxError: invalid syntax
npm ERR! gyp ERR! stack
npm ERR! gyp ERR! stack     at ChildProcess.exithandler (child_process.js:308:12)
npm ERR! gyp ERR! stack     at ChildProcess.emit (events.js:314:20)
npm ERR! gyp ERR! stack     at maybeClose (internal/child_process.js:1022:16)
npm ERR! gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)
npm ERR! gyp ERR! System Linux 5.10.0-13-amd64
npm ERR! gyp ERR! command "/usr/bin/node" "/opt/intel/sgx-dcap-pccs/node_modules/.bin/node-gyp" "rebuild"
npm ERR! gyp ERR! cwd /opt/intel/sgx-dcap-pccs/node_modules/ffi-napi
npm ERR! gyp ERR! node -v v12.22.5
npm ERR! gyp ERR! node-gyp -v v3.8.0
npm ERR! gyp ERR! not ok

npm ERR! A complete log of this run can be found in:
npm ERR!     /opt/intel/sgx-dcap-pccs/.npm/_logs/2022-04-04T10_48_52_715Z-debug.log
dpkg: error processing package sgx-dcap-pccs (--install):
 installed sgx-dcap-pccs package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 sgx-dcap-pccs

$ node --version
v12.22.5
$ npm --version
7.5.2

I think it's something with the nodejs version (this one was installed from Debian repos using apt install nodejs).

I then removed nodejs and installed the 14.x version from deb.nodesource.com. Note: PCCS README mentions that required node version is >= 10.20 which might be incorrect. After that PCCS seemed to be installed, but the configuration was apparently failing:

$ node --version
v14.19.1
$ npm --version
6.14.16

Preparing to unpack sgx-dcap-pccs_1.12.101.1-bullseye1_amd64.deb ...
Unpacking sgx-dcap-pccs (1.12.101.1-bullseye1) ...
Setting up sgx-dcap-pccs (1.12.101.1-bullseye1) ...
Checking nodejs version ...
nodejs is installed, continue...
Checking cracklib-runtime ...
Warning: If you are upgrading PCCS from an old release, the existing cache database will be updated automatically.
         It's strongly recommended to backup your existing cache database first and then continue the installation.
         For DCAP releases 1.8 and earlier, the cache database can't be updated so you need to delete it manually.
Do you want to install PCCS now? (Y/N) :y
Check proxy server configuration for internet connection...
Enter your http proxy server address, e.g. http://proxy-server:port (Press ENTER if there is no proxy server) :
Enter your https proxy server address, e.g. http://proxy-server:port (Press ENTER if there is no proxy server) :
npm WARN invalid config proxy=""
npm WARN invalid config Must be a full url with 'http://'
npm WARN invalid config https-proxy=""
npm WARN invalid config Must be a full url with 'http://'

> sqlite3@5.0.2 install /opt/intel/sgx-dcap-pccs/node_modules/sqlite3
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download
[sqlite3] Success: "/opt/intel/sgx-dcap-pccs/node_modules/sqlite3/lib/binding/napi-v3-linux-x64/node_sqlite3.node" is installed via remote

> ref-napi@3.0.1 install /opt/intel/sgx-dcap-pccs/node_modules/ref-napi
> node-gyp-build

> ffi-napi@3.0.1 install /opt/intel/sgx-dcap-pccs/node_modules/ffi-napi
> node-gyp-build

make: Entering directory '/opt/intel/sgx-dcap-pccs/node_modules/ffi-napi/build'
  CC(target) Release/obj.target/nothing/../node-addon-api/src/nothing.o
  AR(target) Release/obj.target/../node-addon-api/src/nothing.a
  COPY Release/nothing.a
  CC(target) Release/obj.target/ffi/deps/libffi/src/prep_cif.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/types.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/raw_api.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/java_raw_api.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/closures.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/x86/ffi.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/x86/ffi64.o
../deps/libffi/src/x86/ffi64.c: In function ‘classify_argument’:
../deps/libffi/src/x86/ffi64.c:181:18: warning: suggest braces around empty body in an ‘else’ statement [-Wempty-body]
  181 |    FFI_ASSERT (0);
      |                  ^
../deps/libffi/src/x86/ffi64.c:156:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
  156 |       {
      |       ^
../deps/libffi/src/x86/ffi64.c:183:5: note: here
  183 |     case FFI_TYPE_FLOAT:
      |     ^~~~
  CC(target) Release/obj.target/ffi/deps/libffi/src/x86/unix64.o
  CC(target) Release/obj.target/ffi/deps/libffi/src/x86/sysv.o
  AR(target) Release/obj.target/deps/libffi/libffi.a
  COPY Release/libffi.a
  CXX(target) Release/obj.target/ffi_bindings/src/ffi.o
  CXX(target) Release/obj.target/ffi_bindings/src/callback_info.o
  CXX(target) Release/obj.target/ffi_bindings/src/threaded_callback_invokation.o
  SOLINK_MODULE(target) Release/obj.target/ffi_bindings.node
  COPY Release/ffi_bindings.node
make: Leaving directory '/opt/intel/sgx-dcap-pccs/node_modules/ffi-napi/build'
added 313 packages in 8.826s
Do you want to configure PCCS now? (Y/N) :y
Set HTTPS listening port [8081] (1024-65535) :
Set the PCCS service to accept local connections only? [Y] (Y/N) :
sed: can't read /opt/intel/sgx-dcap-pccs/config/default.json: No such file or directory
Set your Intel PCS API key (Press ENTER to skip) :
You didn't set Intel PCS API key. You can set it later in config/default.json.
Choose caching fill method : [LAZY] (LAZY/OFFLINE/REQ) :
sed: can't read /opt/intel/sgx-dcap-pccs/config/default.json: No such file or directory
Set PCCS server administrator password:
Re-enter administrator password:
sed: can't read /opt/intel/sgx-dcap-pccs/config/default.json: No such file or directory
Set PCCS server user password:
Re-enter user password:
sed: can't read /opt/intel/sgx-dcap-pccs/config/default.json: No such file or directory
Do you want to generate insecure HTTPS key and cert for PCCS service? [Y] (Y/N) :
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................+++++
.......+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=C = PL, ST = Some-State, O = Internet Widgits Pty Ltd
Getting Private key
Installing PCCS service ...Created symlink /etc/systemd/system/multi-user.target.wants/pccs.service → /lib/systemd/system/pccs.service.
finished.
Installation completed successfully.

Note the No such file or directory errors.

$ sudo journalctl -u pccs
-- Journal begins at Mon 2022-04-04 11:08:34 CEST, ends at Mon 2022-04-04 13:03:16 CEST. --
Apr 04 12:59:26 debian-vm systemd[1]: Started Provisioning Certificate Caching Service (PCCS).
Apr 04 12:59:26 debian-vm node[183434]: WARNING: No configurations found in configuration directory:/opt/intel/sgx-dcap>
Apr 04 12:59:26 debian-vm node[183434]: WARNING: To disable this warning set SUPPRESS_NO_CONFIG_WARNING in the environm>
Apr 04 12:59:26 debian-vm node[183434]: Mon, 04 Apr 2022 10:59:26 GMT morgan deprecated default format: use combined fo>
Apr 04 12:59:27 debian-vm node[183434]: 2022-04-04 12:59:27.458 [error]: uncaughtException: Configuration property "DB_>
Apr 04 12:59:27 debian-vm node[183434]: /opt/intel/sgx-dcap-pccs/node_modules/config/lib/config.js:1
Apr 04 12:59:27 debian-vm node[183434]: Error: Configuration property "DB_CONFIG" is not defined
Apr 04 12:59:27 debian-vm node[183434]:     at Proxy.Config.get (/opt/intel/sgx-dcap-pccs/node_modules/config/lib/confi>
Apr 04 12:59:27 debian-vm node[183434]:     at Object.<anonymous> (/opt/intel/sgx-dcap-pccs/dao/models/index.js:52:33)
Apr 04 12:59:27 debian-vm node[183434]:     at Generator.next (<anonymous>)
Apr 04 12:59:27 debian-vm node[183434]:     at Object.<anonymous> (/opt/intel/sgx-dcap-pccs/dao/platformsRegDao.js:1)
Apr 04 12:59:27 debian-vm node[183434]:     at Generator.next (<anonymous>)
Apr 04 12:59:27 debian-vm node[183434]:     at Object.<anonymous> (/opt/intel/sgx-dcap-pccs/services/platformsRegServic>
Apr 04 12:59:27 debian-vm systemd[1]: pccs.service: Succeeded.

I found a closed issue with the same symptoms: https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/172. Adding the --force-confmiss switch mentioned in that issue to dpkg -i command solved the configuration problem and PCCS was installed and running properly.
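
Added example (not part of the original report or of Intel's installer): a shell triage for the two failures quoted above. It matches the transcript lines and checks that config/default.json exists and defines DB_CONFIG, since the installer printed "Installation completed successfully" even though the file was missing. The function names and the scratch-directory layout are assumptions.

```sh
#!/bin/sh
# Added example: triage a saved `dpkg -i` transcript for the two failures
# quoted in this report, then confirm the installed config is usable.

# Print the first failure signature found in transcript $1.
classify_install_log() {
    if grep -q 'gyp ERR! stack SyntaxError: invalid syntax' "$1"; then
        echo gyp-python       # node-gyp fed Python 2 print syntax to /usr/bin/python
    elif grep -q "sed: can't read .*/config/default.json" "$1"; then
        echo missing-config   # postinst edited a config file that was never installed
    else
        echo clean
    fi
}

# Return 0 if $1/config/default.json exists and defines DB_CONFIG,
# 1 if the file is missing, 2 if DB_CONFIG is absent.
check_pccs_config() {
    cfg="$1/config/default.json"
    [ -f "$cfg" ] || return 1
    grep -q '"DB_CONFIG"[[:space:]]*:' "$cfg" || return 2
    return 0
}

# Constructed sample: lines copied from the second transcript in the report.
write_sample_log() {
    cat > "$1" <<'EOF'
Set HTTPS listening port [8081] (1024-65535) :
sed: can't read /opt/intel/sgx-dcap-pccs/config/default.json: No such file or directory
Installation completed successfully.
EOF
}

# Demo in a scratch directory (hypothetical stand-in for /opt/intel/sgx-dcap-pccs).
run_demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_log "$tmp/install.log"
    verdict=$(classify_install_log "$tmp/install.log")
    rc=0
    check_pccs_config "$tmp" || rc=$?
    echo "transcript: $verdict, config check exit code: $rc"
    rm -rf "$tmp"
}

run_demo
```

On a real host, pass the saved installer output to classify_install_log and /opt/intel/sgx-dcap-pccs to check_pccs_config before relying on the service.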

jsun39 commented 2 years ago

Before you installed this PCCS, had you installed an older version of PCCS?

omeg commented 2 years ago

No, this was a fresh install on a pretty much clean Debian 11 that was set up on a NUC for Gramine work.

lingyuj commented 2 years ago

Thanks for reporting the issue. The installation on Debian is not well tested because it is not our target OS for this release. But we have a plan to support Debian in the near future.