lsds / sgx-lkl

SGX-LKL Library OS for running Linux applications inside of Intel SGX enclaves
MIT License

When I try Full Attestation and Remote Control Example I can not connect on server with IP:192.168.10.1 #88

Open kleirama opened 4 years ago

kleirama commented 4 years ago

Hi,

I am trying to run the Full Attestation example and I am sure I have followed every step of the ReadMe file but I am not able to connect to the server. The problem is given below:

The server output

```
SGXLKL_VERBOSE=1 SGXLKL_TAP=sgxlkl_tap0 SGXLKL_REMOTE_CONFIG=1 SGXLKL_REPORT_NONCE=10867864710722948371 SGXLKL_IAS_SPID="my SPID" SGXLKL_WG_PEERS='"wgclient.priv"=:10.0.2.2/32:192.168.10.2:56002' ./build/sgx-lkl-run ./disk.img
[ SGX-LKL ] Maximum enclave threads (TCS): 8
[ SGX-LKL ] Kernel command line: ""
[ SGX-LKL ] Adding entropy to entropy pool.
[ SGX-LKL ] wg0 has public key 8pK13oSJCVdFSnStRdnM2I5ZUCBZx9zx7eu+p6IR0Ro=
[ SGX-LKL ] Enclave report nonce: 10867864710722948371
[ SGX-LKL ] Received quote from launch enclave:
[ SGX-LKL ] MRENCLAVE: d3d48fafbe278fa4e35ab8489b1e0a2a818d300bf5dd8cfc6fc8b0e0e33a7474
[ SGX-LKL ] MRSIGNER: 8effe845d07dfc6ddabfbd699674551ad6e390da7fb641c85181e41186e605bc
[ SGX-LKL ] No IAS subscription key provided (via SGXLKL_IAS_SUBSCRIPT_KEY). Skipping IAS attestation...
[ SGX-LKL ] Starting attestation server, listening on 10.0.1.1:56000...
[ SGX-LKL ] Starting remote control server, listening on 10.0.2.1:56001...
[ SGX-LKL ] Waiting for application run request...
```

The client output:

```
sgx-lkl-ctl attest --server=192.168.10.1:56000 --ias-spid="My SPID given by Intel" --ias-skey="my primary subscription key" --ias-sign-ca-cert="path ty me .pem cert" --mrenclave=d3d48fafbe278fa4e35ab8489b1e0a2a818d300bf5dd8cfc6fc8b0e0e33a7474 --mrsigner=8effe845d07dfc6ddabfbd699674551ad6e390da7fb641c85181e41186e605bc
Connecting to 192.168.10.1:56000...
```

I believe that there should be some routing problem, but I cannot figure out what exactly is going wrong here. I would appreciate any help.

cpriebe commented 4 years ago

Have you set up the corresponding firewall rules and enabled port forwarding? See https://github.com/lsds/sgx-lkl#networking-support

kleirama commented 4 years ago

Hi, I figured out the problem. I should have used the public IPs of my own PCs instead of the one in the example. Now it is working.

kleirama commented 4 years ago

I have one question: when we execute sgx-lkl-run, should we place the value of the file wgclient.priv in the parameter SGXLKL_WG_PEERS?

cpriebe commented 4 years ago

Hi @kleirama,

When you specify peers, you always use the public keys (as you would when configuring Wireguard natively). Only WG_KEY requires the private key, and that should only be used for test purposes. If you don't specify WG_KEY, SGX-LKL generates a random Wireguard key inside the enclave on startup.
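An added example, not code from this thread or from the SGX-LKL project: a pre-flight check that the key field of an SGXLKL_WG_PEERS entry is the client's public key rather than a file name or the private key. The `key:allowed-ips:host:port` layout is read off the command posted above and is an assumption, the function names are hypothetical, and the public key is derived with X25519 from RFC 7748.

```python
import base64
import ipaddress

P = 2**255 - 19  # Curve25519 field prime

def x25519_base(scalar: bytes) -> bytes:
    """X25519(scalar, 9) from RFC 7748. Not constant-time: offline checks only."""
    k = (int.from_bytes(scalar, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_b64: str) -> str:
    """Same derivation as `wg pubkey`: base64 of X25519(private, 9)."""
    return base64.b64encode(x25519_base(base64.b64decode(private_b64))).decode()

def check_peer(entry: str, client_private_b64: str) -> list:
    """Problems in one key:allowed-ips:host:port entry (layout assumed, IPv4 only)."""
    key, allowed_ips, _host, port = entry.split(":")
    problems = []
    try:
        if len(base64.b64decode(key, validate=True)) != 32:
            problems.append("key is not 32 bytes")
    except ValueError:
        problems.append("key field is not base64")
    if key == client_private_b64:
        problems.append("key field is the private key, use the public key")
    elif not problems and key != wg_public_key(client_private_b64):
        problems.append("key is not this client's public key")
    try:
        ipaddress.ip_network(allowed_ips, strict=False)
    except ValueError:
        problems.append("allowed-ips is not a valid network")
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append("port out of range")
    return problems

# Constructed key: the RFC 7748 test scalar stands in for the contents of wgclient.priv
PRIV = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
```

Run against the entry from the server command above, `check_peer` reports that the key field is not base64; an empty list means the entry carries the public key that matches the client's private key.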