topic Re:SGX enclave attestation inside VM fails when apparmor enabled. in Intel® Software Guard Extensions (Intel® SGX)

SGX enclave attestation inside VM fails when apparmor enabled.

TFMat — Wed, 01 Mar 2023 08:05:09 GMT

Hi,

It is observed that the SGX enclave attestation inside VM fails when apparmor enabled. It works when the apparmor at the host is disabled. Set the qemu.conf as per the guideline here https://www.intel.com/content/www/us/en/developer/articles/technical/virtualizing-intel-software-guard-extensions-with-kvm-and-qemu.html.

Also, we have added exception to /dev/sgx_vepc in /etc/apparmor.d/abstractions/libvirt-qemu . However these still don't work. It works only when the apparmor is enabled. Is there anything else can be tried?

Re:SGX enclave attestation inside VM fails when apparmor enabled.

KFPW_Intel — Wed, 01 Mar 2023 08:37:52 GMT

Hi,

Thank you for your interest in Intel® SGX.

The reference that you have provided is very useful. Based on the reference provided, could you share your error messages so that we can gain insights to support your use cases.

We would like to understand the issue, if AppArmor enabled, the VM fails. And, if AppArmor is enabled with exception in sgx_vepc, the VM works?

We look forward to hearing from you. Thank you.

Regards,

Ken

Re: Re:SGX enclave attestation inside VM fails when apparmor enabled.

TFMat — Wed, 01 Mar 2023 08:47:09 GMT

Hi,

We would like to get the SGX working in VM with Apparmor enabled. So we have given exceptions given to /dev/sgx_vepc in /etc/apparmor.d/abstractions/libvirt-qemu and also added root in qemu.conf together with the steps referred in the topic "Troubleshooting->invalid object type: memory-backend-epc" of the site mentioned in my earlier post. However still it fails for same reason. But when we disable apparmor it works.

Re:SGX enclave attestation inside VM fails when apparmor enabled.

KFPW_Intel — Thu, 02 Mar 2023 02:13:50 GMT

Hi,

Thank you for the information.

We believe that you have tried to "Either disable your MAC or create an exception or profile to allow access to /dev/sgx_virt_epc" as mentioned in (3).

We would suggest to check the Kernel version. Error happens could be due to the kernel version is too old.

If this is not the case, we suggest to check the accessibility of QEMU to these devices:

/dev/sgx_enclave to launch enclaves

/dev/sgx_provision to launch the provisioning certification enclave (PCE)

/dev/sgx_vepc to assign EPC memory pages

Access to these device files will be denied by libvirt’s cgroup controllers by default.

Edit /etc/libvirt/qemu.conf and change the cgroup_device_acl via:

cgroup_device_acl = [

"/dev/null", "/dev/full", "/dev/zero",

"/dev/random", "/dev/urandom",

"/dev/ptmx", "/dev/kvm",

"/dev/rtc","/dev/hpet",

"/dev/sgx_enclave", "/dev/sgx_provision", "/dev/sgx_vepc"

]

Configure QEMU to run as root, set the user parameter in /etc/libvirt/qemu.conf:

user = "root"

Set the parameter to “apparmor”:

security_driver = [ “apparmor” ]

Modify /etc/apparmor.d/libvirt/TEMPLATE.qemu to read:

#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {

#include <abstractions/libvirt-qemu>

/usr/local/bin/* PUx,

}

Restart the libvirtd service:

sudo systemctl restart libvirtd

Hope that the information that I provided is useful for you. Please inform us if you have any questions.

Thank you.

Regards,

Ken

Re:SGX enclave attestation inside VM fails when apparmor enabled.

KFPW_Intel — Tue, 07 Mar 2023 00:09:02 GMT

Hi,

Thank you for the accepted solution. Hope the information I provided was helpful to you.

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

Regards,

Ken