Open nodebreaker0-0 opened 3 years ago
I found the same issue as below:
=====error report from aesmd launching=========================
十二 17 17:13:21 test aesm_service[31061]: The server sock is 0x5564faa829b0
十二 17 17:16:47 test systemd[1]: Stopping Intel(R) Architectural Enclave Service Manager...
十二 17 17:16:47 test systemd[1]: Stopped Intel(R) Architectural Enclave Service Manager.
十二 17 17:16:52 test systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
十二 17 17:16:52 test systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
十二 17 17:16:52 test aesm_service[31258]: [ADMIN]White List update requested
十二 17 17:16:52 test aesm_service[31258]: Failed to load QE3: 0x4004
十二 17 17:16:52 test aesm_service[31258]: The server sock is 0x558e076f0a00
================cpu info===================================
test@test:/$ cpuid | grep -i sgx
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
SGX capability (0x12/0):
SGX1 supported = true
SGX2 supported = true
SGX attributes (0x12/1):
SGX EPC enumeration (0x12/n):
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
SGX capability (0x12/0):
SGX1 supported = true
SGX2 supported = true
SGX attributes (0x12/1):
SGX EPC enumeration (0x12/n):
====================sgx driver====================
[366386.277682] intel_sgx: loading out-of-tree module taints kernel.
[366386.277754] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
[366386.278914] intel_sgx: Locked launch policy not supported
[366386.278931] intel_sgx: EPC section 0x70200000-0x75ffffff
[366386.283362] intel_sgx: Intel SGX DCAP Driver v1.36.2
[1317224.584434] sgx_update_lepubkeyhash_msrs+0x54/0x80 [intel_sgx]
[1317224.584438] sgx_encl_init+0xcc/0x2f0 [intel_sgx]
[1317224.584441] sgx_ioctl+0x2f7/0x454 [intel_sgx]
Any comments?
0x4004 means SGX_ERROR_SERVICE_INVALID_PRIVILEGE, you need to add your user into sgx_prv group or run as root. Please check https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/driver/linux/README.md#install for detail.
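A triage helper for the check described in the answer above, added here as an example; it is not part of the thread or of Intel's tooling. It assumes the AESM service account is named `aesmd` and the DCAP driver's provisioning node is `/dev/sgx/provision` (adjust both for your install); the sample log is constructed from the lines quoted in this issue.

```shell
#!/bin/sh
# Added example: triage aesmd "Failed to load QE3" errors.

# Constructed sample, modelled on the journal lines quoted in this thread.
SAMPLE_LOG='Dec 15 09:21:09 ubuntu aesm_service[2726]: [ADMIN]White List update requested
Dec 15 09:21:09 ubuntu aesm_service[2726]: Failed to load QE3: 0x4004
Dec 15 09:21:09 ubuntu aesm_service[2726]: The server sock is 0x56190c70d740'

# Read journal text on stdin; print the code of each QE3 load failure.
qe3_error_codes() {
    sed -n 's/.*aesm_service\[[0-9]*\]: Failed to load QE3: \(0x[0-9a-fA-F]*\).*/\1/p'
}

# Name the one code this thread identifies; anything else is left unnamed.
qe3_code_name() {
    case "$1" in
        0x4004) echo SGX_ERROR_SERVICE_INVALID_PRIVILEGE ;;
        *)      echo unknown ;;
    esac
}

# Succeed if group $1 exists (NSS first, /etc/group as a fallback).
group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# Succeed if user $1 is a member of group $2.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# Args: user group device. Prints the first thing blocking access:
# no-group | not-member | no-device | wrong-device-group | ok
provision_access_status() {
    group_exists "$2"       || { echo no-group; return 0; }
    user_in_group "$1" "$2" || { echo not-member; return 0; }
    [ -e "$3" ]             || { echo no-device; return 0; }
    [ "$(stat -c %G "$3")" = "$2" ] || { echo wrong-device-group; return 0; }
    echo ok
}

# On a real host (assumed names):
#   journalctl -u aesmd.service | qe3_error_codes
#   provision_access_status aesmd sgx_prv /dev/sgx/provision
```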
@fqiu1 thanks a lot, let me try again.
@fqiu1 thanks a lot, let me try again.
@zhiminghufighting @fqiu1 Hi, have you solved this issue? May I know what you did to solve it? I have the same error, but I installed from a .bin file, and there is no sgx_prv group.
I have a problem with sgx not being able to use the production app at the moment due to the inability to work in FLC mode.
mainboard : asrock z490 pro4 ( bios P.150 )
cpu : intel i7-10700K
os: ubuntu 20.04
sgx_v : sgx_linux_x64_driver_2.11.0_4505f07.bin sgx_linux_x64_driver_1.36.2.bin
journalctl -u aesmd.service -f
Dec 15 09:21:09 ubuntu systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Dec 15 09:21:09 ubuntu aesm_service[2726]: [ADMIN]White List update requested
Dec 15 09:21:09 ubuntu aesm_service[2726]: Failed to load QE3: 0x4004
Dec 15 09:21:09 ubuntu aesm_service[2726]: The server sock is 0x56190c70d740
Dec 15 09:21:09 ubuntu aesm_service[2726]: [ADMIN]White list update request successful for Version: 92
Dec 15 09:21:13 ubuntu aesm_service[2726]: [ADMIN]EPID Provisioning initiated
Dec 15 09:21:14 ubuntu aesm_service[2726]: The Request ID is d1f5967806524e989f71a4d06381a7e0
Dec 15 09:21:14 ubuntu aesm_service[2726]: The Request ID is 720916745b174192af6a5217d3dd8174
Dec 15 09:21:14 ubuntu aesm_service[2726]: [ADMIN]EPID Provisioning protocol error reported by Backend (9)
Dec 15 09:21:14 ubuntu aesm_service[2726]: [ADMIN]EPID Provisioning failed
sgx-detect --verbose
Detecting SGX, this may take a minute...
✔ SGX instruction set
  ✔ CPU support
  ✔ CPU configuration
  ✔ Enclave attributes
  ✔ Enclave Page Cache
  SGX features
    ✘ SGX2 ✘ EXINFO ✘ ENCLV ✘ OVERSUB ✘ KSS
    Total EPC size: 94.0MiB
✘ Flexible launch control
  ✔ CPU support
  ✔ CPU configuration
  ✘ Able to launch production mode enclave
✔ SGX system software
  ✔ SGX kernel device (/dev/isgx)
  ✔ libsgx_enclave_common
  ✔ AESM service
  ✔ Able to launch enclaves
    ✔ Debug mode
    ✘ Production mode
    ✔ Production mode (Intel whitelisted)

🕮 SGX system software > Able to launch enclaves > Production mode
The enclave could not be launched. This might indicate a problem with FLC.

debug: failed to load report enclave
debug: cause: failed to load report enclave
debug: cause: The EINITTOKEN provider didn't provide a token
debug: cause: aesm error code GetLicensetokenError_6
More information: https://edp.fortanix.com/docs/installation/help/#run-enclave-prod
You're all set to start running SGX programs!
ubuntu@ubuntu:~$ lsmod | grep sgx
isgx 53248 2
ubuntu@ubuntu:~$ dmesg | grep sgx
[ 3.014722] isgx: loading out-of-tree module taints kernel.
[ 3.014743] isgx: module verification failed: signature and/or required key missing - tainting kernel
[ 3.015039] intel_sgx: Intel SGX Driver v2.11.0
[ 3.015048] intel_sgx INT0E0C:00: EPC bank 0x80200000-0x86000000
[ 3.015853] intel_sgx: second initialization call skipped
I would like to know if this is exactly the motherboard manufacturer's problem, the cpu problem, or the software problem.