intel / linux-sgx

Intel SGX for Linux*
https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/linux-overview.html

Remote Attestation Issue for DCAP in Gramine with Intel SGX #1059

Open n7koirala opened 3 weeks ago

n7koirala commented 3 weeks ago

Hello,

I'm experiencing an issue with remote attestation using DCAP in Gramine on my Intel SGX-equipped computer. When running SGX applications with Gramine without attestation, everything works fine. The AESM service appears to be running correctly, as shown by the following output of sudo service aesmd status:


 aesmd.service - Intel(R) Architectural Enclave Service Manager
     Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-10-03 13:09:15 EDT; 29s ago
    Process: 2975769 ExecStartPre=/opt/intel/sgx-aesm-service/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 2975782 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975784 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975785 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975786 ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975787 ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975788 ExecStart=/opt/intel/sgx-aesm-service/aesm/aesm_service (code=exited, status=0/SUCCESS)
   Main PID: 2975789 (aesm_service)
      Tasks: 4 (limit: 153983)
     Memory: 3.3M
        CPU: 74ms
     CGroup: /system.slice/aesmd.service
             └─2975789 /opt/intel/sgx-aesm-service/aesm/aesm_service

systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
aesm_service[2975788]: aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
aesm_service[2975789]: The server sock is 0x55ad3bd672f0

However, when attempting to perform remote attestation, I encounter the following errors in the AESM service logs (sudo service aesmd status):

aesm_service[2975789]: [QCNL] Encountered CURL error: (7) Couldn't connect to server
aesm_service[2975789]: [QPL] Failed to get quote config. Error code is 0xb006
aesm_service[2975789]: [get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe019

The issue only occurs during remote attestation; local attestation works fine. How can I resolve this remote attestation issue for DCAP in Gramine? Are there additional configurations required for the AESM service to enable network communication for attestation? Any guidance or suggestions would be greatly appreciated, thank you!

ScottR-Intel commented 1 week ago

Hello.

Error 0xb006 == SGX_QCNL_NETWORK_COULDNT_CONNECT

This usually means you have a network or proxy issue.
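
An added triage sketch for the connection failure discussed in this thread (not part of the thread and not Intel's or Gramine's code): it pulls the QPL error code out of the AESM log lines quoted above, reads the collateral service address from a QCNL config, and tries a direct TCP connection to it. Assumptions: the config is JSON with `//` comments and a `pccs_url` key, as in `/etc/sgx_default_qcnl.conf`; the config content below is a constructed sample.

```python
import json
import re
import socket
from urllib.parse import urlparse

# AESM log lines quoted from the report above.
SAMPLE_LOG = """\
aesm_service[2975789]: [QCNL] Encountered CURL error: (7) Couldn't connect to server
aesm_service[2975789]: [QPL] Failed to get quote config. Error code is 0xb006
"""

# Constructed sample config. Assumption: the host's QCNL config is JSON with
# // comments and a "pccs_url" key, as in /etc/sgx_default_qcnl.conf.
SAMPLE_QCNL_CONF = """\
{
  // constructed sample value
  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
  "use_secure_cert": true
}
"""

def qpl_error_codes(log_text):
    """Return the numeric error codes reported on [QPL] log lines."""
    pattern = r"\[QPL\].*?Error code is (0x[0-9a-fA-F]+)"
    return [int(code, 16) for code in re.findall(pattern, log_text)]

def pccs_endpoint(conf_text):
    """Return (host, port) of the configured collateral service."""
    # Drop whole-line // comments only, so the "//" inside URLs survives.
    lines = [l for l in conf_text.splitlines() if not l.lstrip().startswith("//")]
    url = urlparse(json.loads("\n".join(lines))["pccs_url"])
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)

def can_connect(host, port, timeout=3.0):
    """Attempt a direct TCP connection; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # refused, timed out, DNS failure, unreachable
        return False, str(exc)

if __name__ == "__main__":
    print("QPL error codes:", [hex(c) for c in qpl_error_codes(SAMPLE_LOG)])
    host, port = pccs_endpoint(SAMPLE_QCNL_CONF)
    ok, detail = can_connect(host, port)
    print(f"{host}:{port} ->", "reachable" if ok else f"unreachable ({detail})")
```

The check is a direct TCP connection and does not go through a proxy, so on a host that reaches the collateral service only via a proxy a failure here points at the proxy settings rather than at the service.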