Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Error: Invalid SGX device.

Lucyan
Beginner
7,949 Views

Error Message

My computer used to be able to with SGX-protected programs, but now it fails to run them anymore.
The programs will throw errors as the following:

Info: Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards.
Error: Invalid SGX device.

I reproduce the error in SampleEnclave, from the Intel SGX SDK sample code.

$ make SGX_MODE=HW
...
$ ./app
Info: Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards.
Error: Invalid SGX device.
Enter a character before exit ...

The binary is runnable if SampleEnclave is compiled for simulation mode.

$ make SGX_MODE=SIM
...
$ ./app
Checksum(0x0x7ffca1fcc530, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...

Auxiliary Information

OS: Ubuntu* 18.04 LTS Desktop 64bits
Linux Header: linux-headers-5.4.0-42-generic
CPU: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz
SGX SDK Version: sgx_linux_x64_sdk_2.11.100.2
SGX Driver: b0a445b
SGX PSW: 2.11.100.2-bionic1

$ dmesg | grep sgx
[ 2.099517] isgx: loading out-of-tree module taints kernel.
[ 2.099544] isgx: module verification failed: signature and/or required key missing - tainting kernel
[ 2.099782] intel_sgx: Intel SGX Driver v2.6.0
[ 2.099795] intel_sgx INT0E0C:00: EPC bank 0x80200000-0x85f80000
[ 2.100810] intel_sgx: second initialization call skipped
$ lsmod | grep sgx
isgx 53248 1

I ran SGX-hardware to make sure the SGX device exists.

$ ./test-sgx
...
Extended feature bits (EAX=07H, ECX=0H)
eax: 0 ebx: 29c6fbf ecx: 0 edx: 9c002600
sgx available: 1
sgx launch control: 0

CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 1 ebx: 0 ecx: 0 edx: 241f
sgx 1 supported: 1
sgx 2 supported: 0
MaxEnclaveSize_Not64: 1f
MaxEnclaveSize_64: 24

 

I reinstalled the SGX SDK, PSW, and driver several times, and it didn't work.

I googled the error message but still couldn't find any viable solution.

Can anyone give me some hints to resolve this issue? I will be grateful for your help.

Labels (2)
0 Kudos
11 Replies
JesusG_Intel
Moderator
7,905 Views

Hello Lucyan,


I was able to reproduce your issue if I ran the sample before installing the launch service from the SGX PSW.


Please try installing the SGX PSW by running the commands in for Intel SGX PSW Installation on the bottom of page 7 of https://download.01.org/intel-sgx/sgx-linux/2.11/docs/Intel_SGX_Installation_Guide_Linux_2.11_Open_Source.pdf.


$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

$ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -

$ sudo apt-get update

# Installing only the launch service

$ sudo apt-get install libsgx-launch libsgx-urts


Try running the sample after you install the launch service as described above.




0 Kudos
Lucyan
Beginner
7,894 Views

Hello JesusG,

Thank you for your help. But after following the instructions, I still can't get the sample code running. Here are the outputs from the terminal.

... (the previous installation commands)
$ sudo apt-get install libsgx-launch libsgx-urts
Reading package lists... Done
Building dependency tree
Reading state information... Done
libsgx-launch is already the newest version (2.11.100.2-bionic1).
libsgx-urts is already the newest version (2.11.100.2-bionic1).
...
$ make SGX_MODE=HW
...
$ ./app
Info: Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards.
Error: Invalid SGX device.
Enter a character before exit ...

I tried rebooting my machine after installing the packages, but it didn't work either.

Please let me know if you need any other information.

0 Kudos
JesusG_Intel
Moderator
7,881 Views

Hello Lucyan,


Please provide the list of all installed SGX components by running:


$ apt list --installed | grep -i sgx



0 Kudos
Lucyan
Beginner
7,875 Views

Hello JesusG,

No problem. Here you go.

$ apt list --installed | grep -i sgx

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libsgx-ae-epid/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-le/unknown,now 2.11.100.2-bionic1 amd64 [installed,auto-removable]
libsgx-ae-pce/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-qe3/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-ae-qve/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-ecdsa-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-epid-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-pce-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-aesm-quote-ex-plugin/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
libsgx-dcap-ql/unknown,now 1.8.100.2-bionic1 amd64 [installed]
libsgx-dcap-quote-verify/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-enclave-common/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-enclave-common-dbgsym/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-enclave-common-dev/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-epid/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-launch/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-pce-logic/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-qe3-logic/unknown,now 1.8.100.2-bionic1 amd64 [installed,automatic]
libsgx-quote-ex/unknown,now 2.11.100.2-bionic1 amd64 [installed]
libsgx-urts/unknown,now 2.11.100.2-bionic1 amd64 [installed]
sgx-aesm-service/unknown,now 2.11.100.2-bionic1 amd64 [installed,automatic]
0 Kudos
JesusG_Intel
Moderator
7,862 Views

Hello Lucyan,

If aesmd is not running then you can get this type of error. Double check if aesmd is running, and check the syslog for aesmd messages.


ps aux | grep -i aesm

sudo systemctl start aesmd

cat /var/log/syslog | grep -i aesm


0 Kudos
Lucyan
Beginner
7,855 Views

Hello JesusG,

Thanks for your response. aesm seems running on my machine, but the error still occurs.

$ ps aux | grep -i aesm
aesmd 1170 0.0 0.0 354448 12440 ? Ssl Sep01 0:00 /opt/intel/sgx-aesm-service/aesm/aesm_service
...
$ sudo systemctl start aesmd
$ cat /var/log/syslog | grep -i aesm
$ ./app
Info: Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards.
Error: Invalid SGX device.
Enter a character before exit ...

"cat /var/log/syslog | grep -i aesm" outputs nothing. Does it mean something wrong?

0 Kudos
JesusG_Intel
Moderator
7,838 Views

Hello Lucyan,


We are still looking into your issue. Your aesmd seems to be fine. Can you send us the output from:


$ ldd ./app


0 Kudos
Lucyan
Beginner
7,834 Views

Hi JesusG,

I really appreciate your continued support. Here is the output:

$ ldd ./app
linux-vdso.so.1 (0x00007ffd9fdf9000)
libsgx_urts.so => /usr/lib/x86_64-linux-gnu/libsgx_urts.so (0x00007f0a39c29000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f0a39815000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f0a39441000)
libgcc_s.so.1 => /home/myuserfolder/anaconda2/lib/libgcc_s.so.1 (0x00007f0a39bdf000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a39050000)
libsgx_enclave_common.so.1 => /usr/lib/x86_64-linux-gnu/libsgx_enclave_common.so.1 (0x00007f0a39bd5000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f0a38e4c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0a39a34000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f0a38aae000)

 

0 Kudos
bitflipper101
Beginner
7,804 Views

I have essentially the same issue, except when executing ./app I get "failed to load enclave"

running 

cat /var/log/syslog | grep -i aesm

gives  

Sep 3 13:06:24 machineName systemd[1]: Starting Remount /dev as exec to allow AESM service to boot and load enclaves into SGX...
Sep 3 13:06:24 machineName systemd[1]: Started Remount /dev as exec to allow AESM service to boot and load enclaves into SGX.
Sep 3 13:06:25machineName aesm_service[30829]: The server sock is 0x563c9772e2d0

$ ldd ./app gives

linux-vdso.so.1 (0x00007ffd637da000)
libsgx_urts.so => /usr/lib/x86_64-linux-gnu/libsgx_urts.so (0x00007fb8a571e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb8a513c000)
libsgx_enclave_common.so.1 => /usr/lib/x86_64-linux-gnu/libsgx_enclave_common.so.1 (0x00007fb8a5716000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb8a4f1d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb8a4d19000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fb8a4990000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fb8a4778000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb8a552d000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fb8a43da000)

 

Simulation mode runs fine.

0 Kudos
JesusG_Intel
Moderator
7,687 Views

Hello Lucyan,


Unfortunately, we have exhausted our troubleshooting steps and everything looks like it should work.


This is not the answer you were looking for but we recommend a new OS build and fresh installation of all SGX components. There is nothing more we can recommend at this point.


0 Kudos
JesusG_Intel
Moderator
7,632 Views

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Reply