lsds / sgx-lkl

SGX-LKL Library OS for running Linux applications inside of Intel SGX enclaves
MIT License

Step "7. Client: Send application launch request" of Full Attestation and Remote Control Example does not work (It is not possible to connect to server 10.0.2.1) #90

Open markueni opened 4 years ago

markueni commented 4 years ago

Hi, I have tried the Full Attestation and Remote Launch example and the last step fails. I have tried it on different bare metal machines and it always fails.

However, below I describe every single step I followed in order to try the example. In my scenario I have two bare metal machines, one acting as client (eniom) and another as server (nuc). Below are displayed the files I have in each machine under the sgx-lkl directory. In eniom:

```
eniom@eniom-NUC8i7HVK:~/Desktop/Safelib_WireGuard/sgx-lkl$ ls
apps          Dockerfile       Makefile            third_party
build         gdb              README.md           tools
config.mak    helloworld.conf  sgx-lkl-docker.sh   wgclient.priv
COPYING       host-musl        sgx-lkl-musl        wgclient.pub
disk.img      install          sgxlkl.redis.conf
disk.img.key  lkl              src
```

In nuc:

```
nuc@nuc-NUC8i7HVK:~/Desktop/SafeLib_WireGuard/sgx-lkl$ ls
apps        COPYING       Dockerfile  lkl        sgx-lkl-docker.sh  third_party
build       disk.img      gdb         Makefile   sgx-lkl-musl       tools
config.mak  disk.img.key  host-musl   README.md  src
```

Then I followed the steps to set up the TAP device and configure firewall rules on the server machine exactly as below:

```
sudo ip tuntap add dev sgxlkl_tap0 mode tap user "$(whoami)"
sudo ip link set dev sgxlkl_tap0 up
sudo ip addr add dev sgxlkl_tap0 10.0.1.254/24
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 56000 -j DNAT --to-destination 10.0.1.1:56000
sudo iptables -t nat -I PREROUTING -p udp -i eth0 --dport 56002 -j DNAT --to-destination 10.0.1.1:56002
sudo iptables -I FORWARD -m state -d 10.0.1.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -m state -s 10.0.1.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -I PREROUTING -p tcp -d "public server ip" --dport 56000 -j DNAT --to-destination 10.0.1.1:56000
sudo iptables -t nat -I PREROUTING -p udp -d "public server ip" --dport 56002 -j DNAT --to-destination 10.0.1.1:56002
```

The resulting firewall rules for server machine are as below:

```
nuc@nuc-NUC8i7HVK:~/Desktop/SafeLib_WireGuard/sgx-lkl$ sudo iptables -S
[sudo] password for nuc:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
```

And the firewall rules for the client machine are as below:

Below are the firewall rules for the eniom machine:

```
eniom@eniom-NUC8i7HVK:~/Desktop/Safelib_WireGuard/sgx-lkl$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wgsgx0 -j ACCEPT
```

Then I run the attestation process and this works without problem, but when I run Remote Control it does not work. Server launch enclave output:

```
nuc@nuc-NUC8i7HVK:~/Desktop/SafeLib_WireGuard/sgx-lkl$ SGXLKL_VERBOSE=1 SGXLKL_TAP=sgxlkl_tap0 SGXLKL_REMOTE_CONFIG=1 SGXLKL_REMOTE_CMD_ETH0=1 SGXLKL_REPORT_NONCE="$(od -An -vtu8 -N8 < /dev/urandom | tr -d ' ')" SGXLKL_IAS_SPID=2321E0674BCFF30BBB57FF77E9A1EEA0 SGXLKL_IAS_QUOTE_TYPE='1' SGXLKL_WG_PEERS='0CyU4zGJ4LJy0Vyg7unUjFiePe6y84j94scUeuloU0s=:10.0.2.2/32:129.241.200.232:56002' ./build/sgx-lkl-run ./disk.img
[ SGX-LKL ] Maximum enclave threads (TCS): 8
[ SGX-LKL ] Kernel command line: ""
[ SGX-LKL ] Adding entropy to entropy pool.
[ SGX-LKL ] wg0 has public key nt4MgTe2VdmLS8bEGJIKRzit8W59HPbwt+jBq8MmCAY=
[ SGX-LKL ] Enclave report nonce: 10689666273803471811
[ SGX-LKL ] Received quote from launch enclave:
[ SGX-LKL ]   MRENCLAVE: f1g48fafbe278fa4e35ab8489b1e0a2a818d300bf5dd8cfc6fc8b0e0e57c8989
[ SGX-LKL ]   MRSIGNER:  6whj4945d07dfc6ddabfbd699674551ad6e390da7fb641c85181e41194i938ef
[ SGX-LKL ] No IAS subscription key provided (via SGXLKL_IAS_SUBSCRIPT_KEY). Skipping IAS attestation...
[ SGX-LKL ] Starting attestation server, listening on 10.0.1.1:56000...
[ SGX-LKL ] Starting remote control server, listening on 10.0.1.1:56001...
[ SGX-LKL ] Waiting for application run request
```

Client Remote Attestation output:

```
sgx-lkl-ctl attest --server=129.241.200.185:56000 --ias-spid=2321E0674BCFF30BBB57FF77E9A1EEA0 --ias-skey=06a41f702e4f40f3ae7a4e59e7991d3a --ias-sign-ca-cert=/home/eniom/Desktop/SLib-setup/SL-setup-mtom/sgx-secrets-after-ra/Intel_SGX_Attestation_RootCA.pem --ias-quote-type="Linkable" --mrenclave=f1g48fafbe278fa4e35ab8489b1e0a2a818d300bf5dd8cfc6fc8b0e0e57c8989 --mrsigner=6whj4945d07dfc6ddabfbd699674551ad6e390da7fb641c85181e41194i938ef
Connecting to 129.241.200.185:56000... done.
Request successful.
[ SGX-LKL ] Sending IAS request...
[ SGX-LKL ] Intel Attestation Service Response:
[ SGX-LKL ]   Quote status: GROUP_OUT_OF_DATE
[ SGX-LKL ]   EPID group flags: 0x4
[ SGX-LKL ]   TCB evaluation flags: 0x09
[ SGX-LKL ]   PSE evaluation flags: 0x00
[ SGX-LKL ] Warning: Quote status: GROUP_OUT_OF_DATE (Platform software/firmware is out of date)
[ SGX-LKL ] Quote measurements:
[ SGX-LKL ]   MRENCLAVE: d3d48fafbe278fa4e35ab8489b1e0a2a818d300bf5dd8cfc6fc8b0e0e33a7474
[ SGX-LKL ]   MRSIGNER:  8effe845d07dfc6ddabfbd699674551ad6e390da7fb641c85181e41186e605bc
[ SGX-LKL ] Verification of quote and attestation report successful.
[ SGX-LKL ] Enclave report data:
[ SGX-LKL ]   Nonce: 10689666273803471811
[ SGX-LKL ]   Public wireguard key: nt4MgTe2VdmLS8bEGJIKRzit8W59HPbwt+jBq8MmCAY=
```

Then I use the WireGuard public key as below:

```
sudo wg set wgsgx0 peer nt4MgTe2VdmLS8bEGJIKRzit8W59HPbwt+jBq8MmCAY= allowed-ips 10.0.2.1/32 endpoint 192.168.10.1:56002
```

and also configure sgxlkl.redis.conf.

Then, when I send a request via sgx-lkl-ctl, I get the following problem, which I guess has to do with routing:

```
eniom@eniom-NUC8i7HVK:~/Desktop/Safelib_WireGuard/sgx-lkl$ ./build/sgx-lkl-ctl --server=10.0.2.1:56001 run --app=sgxlkl.app.conf
Connecting to 10.0.2.1:56001...
```

I guess this is a general problem, so I am raising it as an issue. My guess is that either I have done something wrong when configuring the TAP device and adding firewall rules, or there is something I am missing.
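A connect that hangs at "Connecting to 10.0.2.1:56001..." with no error is consistent with packets being routed into a WireGuard tunnel that has never completed a handshake. The script below is an added diagnostic, not part of SGX-LKL or of the poster's setup: it checks one peer line from `wg show wgsgx0 dump` against the address handed to `sgx-lkl-ctl` and the host used in the attestation step. The two sample lines are constructed from the values in this issue; the interface name `wgsgx0` and the addresses are taken from the post above.

```shell
#!/bin/sh
# Added diagnostic, not part of SGX-LKL: check one peer line from
# `wg show wgsgx0 dump` against the address sgx-lkl-ctl is about to use.
# Dump peer fields (tab-separated):
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive

# Constructed samples modelled on the issue. A latest-handshake of 0 is the
# failure case: the tunnel never came up, so a TCP connect to 10.0.2.1 hangs.
PEER_NO_HANDSHAKE=$(printf 'nt4MgTe2VdmLS8bEGJIKRzit8W59HPbwt+jBq8MmCAY=\t(none)\t192.168.10.1:56002\t10.0.2.1/32\t0\t0\t0\toff')
PEER_OK=$(printf 'nt4MgTe2VdmLS8bEGJIKRzit8W59HPbwt+jBq8MmCAY=\t(none)\t129.241.200.185:56002\t10.0.2.1/32\t1600000000\t1480\t2960\toff')

# Print field N of a tab-separated dump line.
field() { printf '%s\n' "$1" | awk -F'\t' -v n="$2" '{ print $n }'; }

# Succeed if IP appears as a /32 entry in the peer's comma-separated allowed-ips.
peer_allows_ip() {
  for cidr in $(field "$1" 4 | tr ',' ' '); do
    [ "$cidr" = "$2/32" ] && return 0
  done
  return 1
}

# Succeed if the peer has completed at least one handshake (epoch seconds != 0).
peer_has_handshake() { [ "$(field "$1" 5)" != "0" ]; }

# Host part of the peer endpoint (IPv4 host:port form only).
peer_endpoint_host() { field "$1" 3 | cut -d: -f1; }

# Run all checks for the control address and the host the attestation step used.
# Prints each finding; returns the number of failed checks (0 = looks sane).
check_peer() {
  line=$1; ctl_ip=$2; attest_host=$3; fails=0
  peer_allows_ip "$line" "$ctl_ip" ||
    { echo "allowed-ips does not contain $ctl_ip/32"; fails=$((fails + 1)); }
  [ "$(peer_endpoint_host "$line")" = "$attest_host" ] ||
    { echo "endpoint host $(peer_endpoint_host "$line") differs from attestation host $attest_host"; fails=$((fails + 1)); }
  peer_has_handshake "$line" ||
    { echo "no handshake yet: tunnel is down, $ctl_ip is unreachable"; fails=$((fails + 1)); }
  return "$fails"
}

# On the client, run against the live interface (needs root):
#   check_peer "$(sudo wg show wgsgx0 dump | sed -n 2p)" 10.0.2.1 129.241.200.185
```

Run against the constructed failure line it reports two findings (endpoint host differs from the attestation host, and no handshake), which is exactly the state in which `sgx-lkl-ctl` would sit at "Connecting to" indefinitely.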

khiemfle commented 4 years ago

Does anyone know about this problem? I also got the same problem after following all steps in the full-attestation-and-remote-launch example. I cannot connect to the server to do remote configuration.
