Posted to dev@teaclave.apache.org by Andrew Miller <no...@github.com> on 2020/07/01 19:03:26 UTC

[apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

After following the instructions at my-first-function, I get the following error when running the services from docker-compose:
```
$ (cd docker && docker-compose -f docker-compose-ubuntu-1804.yml up)
Recreating teaclave-authentication-service ... done
Recreating teaclave-access-control-service ... done
Recreating teaclave-storage-service        ... done
Recreating teaclave-management-service     ... done
Recreating teaclave-scheduler-service      ... done
Recreating teaclave-execution-service      ... done
Recreating teaclave-frontend-service       ... done
Attaching to teaclave-access-control-service, teaclave-storage-service, teaclave-scheduler-service, teaclave-execution-service, teaclave-authentication-service, teaclave-management-service, teaclave-frontend-service
teaclave-execution-service         | [2020-07-01T18:57:07Z ERROR teaclave_execution_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-access-control-service    | [2020-07-01T18:57:06Z ERROR teaclave_access_control_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-authentication-service    | [2020-07-01T18:57:07Z ERROR teaclave_authentication_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-execution-service exited with code 0
teaclave-access-control-service exited with code 0
teaclave-scheduler-service         | [2020-07-01T18:57:06Z ERROR teaclave_scheduler_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-storage-service           | [2020-07-01T18:57:05Z ERROR teaclave_storage_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-scheduler-service exited with code 0
teaclave-storage-service exited with code 0
teaclave-management-service        | [2020-07-01T18:57:08Z ERROR teaclave_management_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-authentication-service exited with code 0
teaclave-management-service exited with code 0
teaclave-frontend-service          | [2020-07-01T18:57:08Z ERROR teaclave_frontend_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
teaclave-frontend-service exited with code 0
```
The code indicates this relates to the AESM service, but as far as I can tell the AESM service is running; `/var/run/aesmd/aesm.socket` is available:
```
$ sudo service aesmd status
● aesmd.service - Intel(R) Architectural Enclave Service Manager
   Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-07-01 13:48:14 CDT; 14min ago
  .....
``` 
https://github.com/apache/incubator-teaclave/blob/7b15990b56b701a9771b45b8ac754d1d83791ec9/common/protected_fs_rs/protected_fs_c/inc/sgx_error.h#L65
Any suggestions how to debug further?


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
I had all of those packages installed except for the "-dev" versions. After installing those, I restarted the aesmd service and rebuilt teaclave but the behavior is the same

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652672543

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Zhaofeng Chen <no...@github.com>.
Hi @amiller, could you execute `sudo journalctl -b -u aesmd.service` to check if there is any additional information for the aesmd service?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652682051

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
Closed #377.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#event-3507932686

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Mingshen Sun <no...@github.com>.
The `docker-compose` file will map the domain socket file (`/var/run/aesmd/aesm.socket`) to the service containers. Did you change the `docker-compose` file? If possible, can you only run a service with debug log enabled? Like this:

```
$ cd release/services/
$ RUST_LOG=teaclave=debug ./teaclave_authentication_service
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652640652

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Mingshen Sun <no...@github.com>.
You are welcome. We will introduce a tool to dump information of both hardware and software to help debugging.

Feel free to ask questions at any time. Thanks.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-653147030

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
The logs for aesmd do not convey too much, in particular don't seem to indicate any errors
```
$ sudo journalctl -b -u aesmd.service
....
Jul 01 20:01:20 amiller-fractal systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
Jul 01 20:01:20 amiller-fractal systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Jul 01 20:01:20 amiller-fractal aesm_service[13515]: The server sock is 0x5616fad87fb0
Jul 01 20:01:20 amiller-fractal aesm_service[13515]: [ADMIN]White List update requested
Jul 01 20:01:20 amiller-fractal aesm_service[13515]: [ADMIN]White list update request successful for Version: 78
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652719388

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Mingshen Sun <no...@github.com>.
This is weird. Yes, `SGX_ERROR_SERVICE_UNAVAILABLE` means the AE service did not respond when initializing quote. I don't know what happened to your platform.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652612069

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
OK this is all resolved. 
I fixed the above error by reinstalling the SGX driver. I had previously installed `sgx_linux_x64_driver_1.33.bin` which I think is mainly for DCAP, rather than IAS. After installing the `sgx_linux_x64_driver_2.6.0_95eaa6f.bin` driver and reinstalling the SDK, all of the example programs in `/opt/sgxsdk` including remote attestation work fine. Thank you both for your help debugging and suggestions to narrow in on the problem.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-653111104

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
No change to the docker-compose file. The following is such output (run on the host btw not the dockerfile)
```
$ RUST_LOG=teaclave=debug ./teaclave_authentication_service
[2020-07-01T21:22:31Z DEBUG teaclave_binder::binder] EnclaveID: 2
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1001, 4 bytes
[2020-07-01T21:22:31Z DEBUG teaclave_service_enclave_utils] Enclave initializing
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1000, 32d5 bytes
[2020-07-01T21:22:31Z DEBUG teaclave_authentication_service_enclave] handle_invoke
[2020-07-01T21:22:31Z DEBUG teaclave_attestation::platform] init_quote
[2020-07-01T21:22:31Z ERROR teaclave_authentication_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 69, 114, 114, 34, 58, 34, 83, 101, 114, 118, 105, 99, 101, 69, 114, 114, 111, 114, 34, 125]
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1002, 4 bytes
[2020-07-01T21:22:31Z DEBUG teaclave_authentication_service_enclave] handle_invoke
[2020-07-01T21:22:31Z DEBUG teaclave_service_enclave_utils] Enclave finalizing
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
[2020-07-01T21:22:31Z DEBUG teaclave_binder::binder] Dropping TeeBinder, start finalize().
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1002, 4 bytes
[2020-07-01T21:22:31Z DEBUG teaclave_authentication_service_enclave] handle_invoke
[2020-07-01T21:22:31Z DEBUG teaclave_service_enclave_utils] Enclave finalizing
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652653800
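
An added example (not part of the thread or of Teaclave's own code): the `App Received Buf` arrays in the debug log above decode as UTF-8 JSON, and this script decodes them and reports which call was in progress when the first ERROR was logged. The names `decode_buf` and `triage` are illustrative; the sample lines are copied from the log above.

```python
import json
import re

# Excerpt of the debug log posted in the message above (lines copied from it).
LOG = """\
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
[2020-07-01T21:22:31Z DEBUG teaclave_authentication_service_enclave] handle_invoke
[2020-07-01T21:22:31Z DEBUG teaclave_attestation::platform] init_quote
[2020-07-01T21:22:31Z ERROR teaclave_authentication_service_enclave] Failed to start the service: Failed to initialize quote : SGX_ERROR_SERVICE_UNAVAILABLE
[2020-07-01T21:22:31Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 69, 114, 114, 34, 58, 34, 83, 101, 114, 118, 105, 99, 101, 69, 114, 114, 111, 114, 34, 125]
"""

RECORD = re.compile(r"^\[(\S+) (\w+) ([\w:]+)\] (.*)$")
BUF = re.compile(r"App Received Buf: \[([\d, ]*)\]")
SGX_STATUS = re.compile(r"\bSGX_[A-Z_]+\b")


def decode_buf(message):
    """Return the IPC reply carried in an 'App Received Buf' line, or None."""
    m = BUF.search(message)
    if not m:
        return None
    values = [int(n) for n in m.group(1).split(",") if n.strip()]
    try:
        return json.loads(bytes(values).decode("utf-8"))
    except ValueError:  # out-of-range byte, invalid UTF-8, or not JSON
        return values


def triage(log_text):
    """Find the first ERROR, the record logged just before it, and IPC replies."""
    report = {"error": None, "sgx_status": None, "last_step": None, "replies": []}
    previous = None
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        _ts, level, module, message = m.groups()
        reply = decode_buf(message)
        if reply is not None:
            report["replies"].append(reply)
        if level == "ERROR" and report["error"] is None:
            status = SGX_STATUS.search(message)
            report["error"] = message
            report["sgx_status"] = status.group(0) if status else None
            report["last_step"] = previous
        previous = (module, message)
    return report
```

On the excerpt, `triage(LOG)` shows the failure follows `init_quote` in `teaclave_attestation::platform`, and that the reply after the error is `{"Err": "ServiceError"}` while the earlier reply is `{"Ok": null}`.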

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
Linkable EPID. I followed the instructions to change the default to quote type linkable in aesmd.conf. I also tried with an unlinkable key as an alternative but no difference.
When I use the same SPID and key in other remote attestation demos (graphene) these keys are working.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652604924

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Mingshen Sun <no...@github.com>.
Can you help me to check if these libraries are correctly installed? Thanks. (Some dev libraries may not be used for executing the enclave, but I just included all in case).

```
# echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | \
    tee /etc/apt/sources.list.d/intel-sgx.list
# curl -fsSL  https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
# VERSION=2.9.101.2-bionic1
# apt-get update && apt-get install -y \
    libsgx-aesm-launch-plugin=$VERSION \
    libsgx-enclave-common=$VERSION \
    libsgx-enclave-common-dev=$VERSION \
    libsgx-epid=$VERSION \
    libsgx-epid-dev=$VERSION \
    libsgx-launch=$VERSION \
    libsgx-launch-dev=$VERSION \
    libsgx-quote-ex=$VERSION \
    libsgx-quote-ex-dev=$VERSION \
    libsgx-uae-service=$VERSION \
    libsgx-urts=$VERSION
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652658802

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Andrew Miller <no...@github.com>.
Actually the remote attestation does fail, specifically at `sgx_select_att_key_id`. So maybe this is an indication of the sort of thing going wrong. I haven't been able to find much in the way of troubleshooting for this so I may start over reinstalling things until I can crack it.
```
amiller@amiller-fractal:~/installing/linux-sgx/sgxsdk/SampleCode/RemoteAttestation$ ./app 

First round, we will try ECDSA algorithm.

Call sgx_get_extended_epid_group_id success.
MSG0 body generated -
4 bytes:
{
0x0, 0x0, 0x0, 0x0 
}

Sending msg0 to remote attestation service provider.

Sent MSG0 to remote attestation service.

Info, call sgx_select_att_key_id fail, current platform configuration doesn't support this attestation key ID. [main]
Second round, we will try EPID algorithm.

Call sgx_get_extended_epid_group_id success.
MSG0 body generated -
4 bytes:
{
0x0, 0x0, 0x0, 0x0 
}

Sending msg0 to remote attestation service provider.

Sent MSG0 to remote attestation service.

Info, call sgx_select_att_key_id fail, current platform configuration doesn't support this attestation key ID. [main]
Enter a character before exit ...
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-653056976

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Yu Ding <no...@github.com>.
Hi @amiller, could you please try Intel's SGX sample code on the host machine? Typically it's under `/opt/sgxsdk`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652763736

Re: [apache/incubator-teaclave] error when following first function example SGX_ERROR_SERVICE_UNAVAILABLE (#377)

Posted by Mingshen Sun <no...@github.com>.
There is something wrong when initializing the quote.

https://github.com/apache/incubator-teaclave/blob/db6ddd8847216a56a3c80a4f732773727974d502/attestation/src/platform.rs#L37

What type of EPID are you using?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/377#issuecomment-652598931