intel / linux-sgx

Intel SGX for Linux*
https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/linux-overview.html

AESM service returned error 12 #952

Open mansishr opened 1 year ago

mansishr commented 1 year ago

Hi,

I am using containerized AESMD and PCCS service to run my application with sgx.remote_attestation = "dcap" set in the gramine manifest file. I see AESMD throw a network error:

error: AESM service returned error 12; this may indicate that infrastructure for the DCAP attestation requested by Gramine is missing on this machine
error: load_enclave() failed with error -1

I am installing these libraries inside the AESMD container:

libsgx-launch \
libsgx-urts \
libsgx-epid \
libsgx-quote-ex \
libsgx-dcap-ql \
libsgx-dcap-default-qpl \
libsgx-aesm-quote-ex-plugin \
libsgx-aesm-launch-plugin

llly commented 1 year ago

It's a network issue. https://github.com/intel/linux-sgx/blob/1efe23c20e37f868498f8287921eedfbcecdc216/psw/ae/inc/internal/aesm_error.h#L48

Can you run service aesmd status in the AESM container and tail /opt/intel/sgx-dcap-pccs/logs/pccs_server.log in the PCCS container to check the logs? Or change the commands according to your container configuration.

mansishr commented 1 year ago

I tried running service aesmd status in AESM container, but I got: aesmd: unrecognized service. I can't find /opt/intel/sgx-dcap-pccs inside PCCS container. Is that the issue?

mansishr commented 1 year ago

I've attached my PCCS Dockerfile here: pccsDockerfile.txt

llly commented 1 year ago

The log file for your PCCS container is /root/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/logs/pccs_server.log

Check /etc/sgx_default_qcnl.conf in the AESM container,

 "pccs_url": "https://[ip]:[port]/sgx/certification/v4/",

  // To accept insecure HTTPS certificate, set this option to false
 "use_secure_cert": false,

The pccs_url should be accessible from inside the AESM container. For example,

curl https://[ip]:[port]/sgx/certification/v4/
curl: (60) SSL certificate problem: self signed certificate

is expected.
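
The reachability check described above, as an added example that is not part of the linux-sgx project or this thread: it reads pccs_url and use_secure_cert out of /etc/sgx_default_qcnl.conf (the path named above), curls the URL from inside the AESM container, and maps curl's exit status to a verdict, treating exit 60 (self-signed certificate) as "server reached". The sample config in the script is constructed.

```shell
#!/bin/sh
# Added example, not code from the linux-sgx project: read pccs_url and
# use_secure_cert out of the AESM container's /etc/sgx_default_qcnl.conf and
# probe pccs_url with curl, turning curl's exit status into a reachability
# verdict. The sample config at the bottom is constructed.

QCNL_CONF="${QCNL_CONF:-/etc/sgx_default_qcnl.conf}"

# qcnl_value FILE KEY: print the value of KEY from the JSON-like qcnl config.
# Lines that start with // are comments and are ignored; surrounding quotes
# and a trailing comma are stripped, so both "pccs_url" (string) and
# "use_secure_cert" (bare boolean) come out clean.
qcnl_value() {
    grep -v '^[[:space:]]*//' "$1" \
      | grep "\"$2\"[[:space:]]*:" \
      | head -n 1 \
      | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*,[[:space:]]*$//; s/^"//; s/"$//'
}

# interpret_curl_exit STATUS: one-word verdict for a curl exit status.
# 60 (peer certificate cannot be authenticated) means the TLS handshake
# reached a server; with a self-signed PCCS certificate that is the expected
# outcome, and QCNL tolerates it only because use_secure_cert is false.
interpret_curl_exit() {
    case "$1" in
        0)  echo "reachable" ;;
        60) echo "reachable-self-signed-cert" ;;
        6)  echo "dns-failure" ;;
        7)  echo "connection-refused" ;;
        28) echo "timeout" ;;
        *)  echo "curl-exit-$1" ;;
    esac
}

# probe_pccs FILE: curl the pccs_url from FILE and report the verdict.
# Run this inside the AESM container, where the URL actually has to resolve.
probe_pccs() {
    url=$(qcnl_value "$1" pccs_url)
    if [ -z "$url" ]; then
        echo "pccs_url not found in $1" >&2
        return 2
    fi
    rc=0
    curl -s -o /dev/null --max-time 10 "$url" || rc=$?
    echo "$url -> $(interpret_curl_exit "$rc")"
    secure=$(qcnl_value "$1" use_secure_cert)
    if [ "$rc" = 60 ] && [ "$secure" != "false" ]; then
        echo "warning: PCCS presents a self-signed cert but use_secure_cert is not false" >&2
    fi
}

# Stand-alone run: probe the real config if it exists, otherwise parse a
# constructed sample so the parsing part can be checked offline.
if [ -f "$QCNL_CONF" ]; then
    probe_pccs "$QCNL_CONF"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
{
  // To accept insecure HTTPS certificate, set this option to false
  "pccs_url": "https://[ip]:[port]/sgx/certification/v4/",
  "use_secure_cert": false
}
EOF
    echo "pccs_url=$(qcnl_value "$sample" pccs_url) use_secure_cert=$(qcnl_value "$sample" use_secure_cert)"
    rm -f "$sample"
fi
```

Exit 60 is the healthy answer for a self-signed PCCS; 6, 7 or 28 mean the AESM container cannot reach the PCCS at all, which is the situation behind AESM error 12.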

mansishr commented 1 year ago

Thanks @llly. I've made changes to /etc/sgx_default_qcnl.conf and I see that the pccs_url is now accessible from inside the AESM container. But when I run a sample helloworld example using gramine inside a container with sgx.remote_attestation = "dcap", I see this error now:

error: AESM service returned error 1; this may indicate that infrastructure for the DCAP attestation requested by Gramine is missing on this machine
error: load_enclave() failed with error -1

I've attached aesm dockerfile and the bash script (entrypoint.sh) that deploys both aesm and pccs here:

entrypoint.txt aesmDockerfile.txt

llly commented 1 year ago

You need to change REQ to LAZY in pccsDockerfile. If you don't want to rebuild the PCCS docker image, you can also change REQ to LAZY in /root/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/config/default.json and systemctl restart pccs.service to enable it.

Error 1 is an unexpected error. Now you can try again and check the pccs log /root/SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/logs/pccs_server.log

mansishr commented 1 year ago

Thanks @llly. I changed the CachingMethod to LAZY and grepped the PCCS log. I've attached it here: pccslog.txt

I do see some error at PCCS logs:

2023-06-01 18:49:21.948 [error]: Intel PCS server returns error(404).
2023-06-01 18:49:21.948 [error]: Intel PCS server returns error. Error code : 404
2023-06-01 18:49:21.949 [error]: Error: No cache data for this platform.

I see that at the application side, I get the same error message but the error code changed to 44: error: AESM service returned error 44; this may indicate that infrastructure for the DCAP attestation requested by Gramine is missing on this machine

llly commented 1 year ago

You need to register your platform with Intel PCS by installing sgx-ra-service on the host. You can refer to https://github.com/intel/SGXDataCenterAttestationPrimitives/issues for DCAP issues.
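
A small triage helper for the PCCS log lines and the AESM error numbers that appear in this thread, added here as an example that is not part of the linux-sgx project or of anyone's reply. It records only what the thread established for each number (12 is a network error, 1 is an unexpected error, and 44 appeared together with the PCS 404 / "No cache data for this platform" lines, for which the answer was platform registration); the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not code from the linux-sgx project: triage helpers for the
# PCCS log and the AESM error numbers that appear in this thread. The hints
# record only what the thread established for each number; the demo log is
# constructed from the lines quoted in the thread.

# aesm_code_from_line LINE: pull N out of "AESM service returned error N".
aesm_code_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*AESM service returned error \([0-9][0-9]*\).*/\1/p'
}

# aesm_error_hint N: what this thread found for a given AESM error number.
aesm_error_hint() {
    case "$1" in
        1)  echo "unexpected error: read pccs_server.log on the PCCS side" ;;
        12) echo "network error: check pccs_url in /etc/sgx_default_qcnl.conf and curl it from the AESM container" ;;
        44) echo "accompanied PCCS 'No cache data for this platform' (Intel PCS 404) here: register the platform on the host (sgx-ra-service or PCKIDRetrievalTool)" ;;
        *)  echo "no hint recorded in this thread for AESM error $1" ;;
    esac
}

# triage_pccs_log FILE: print one keyword per distinct problem found in a
# pccs_server.log; returns 0 when no known error lines are present, 1 otherwise.
triage_pccs_log() {
    found=0
    if grep -qF 'Intel PCS server returns error(404)' "$1"; then
        echo "pcs-404: Intel PCS returned 404 for this platform; it is not registered with Intel PCS"
        found=1
    fi
    if grep -qF 'No cache data for this platform' "$1"; then
        echo "no-cache: PCCS has no cached data for this platform"
        found=1
    fi
    return $found
}

# Stand-alone run over a constructed log built from the lines in the thread.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2023-06-01 18:49:21.948 [error]: Intel PCS server returns error(404).
2023-06-01 18:49:21.948 [error]: Intel PCS server returns error. Error code : 404
2023-06-01 18:49:21.949 [error]: Error: No cache data for this platform.
EOF
triage_pccs_log "$demo_log" || echo "hint: $(aesm_error_hint 44)"
rm -f "$demo_log"
```

Run it on the PCCS container's pccs_server.log after a failed quote request; the pcs-404 line is the signal to register the platform on the host before touching anything else in the AESM container.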

mansishr commented 1 year ago

Hi @llly. I installed sgx-ra-service on my host machine but I'm still getting the same issue.

llly commented 1 year ago

Alternatively, you can install and run sgx-pck-id-retrieval-tool (README: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/tools/PCKRetrievalTool)

mansishr commented 1 year ago

PCKRetrieval Tool is already installed on the host, should I install it inside PCCS container?

llly commented 1 year ago

No, just the host. You need to edit the config file /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf and then run /opt/intel/sgx-pck-id-retrieval-tool/PCKIDRetrievalTool manually.