Solved: How to use crypto-api-toolkit in SIM mode

das__batsayan · ‎03-23-2021

I am using https://github.com/intel/crypto-api-toolkit repo to learn PKCS#11, my current SGX_SDK version is 2.13 , on Ubuntu 18.04

I build the above using $ sh autogen.sh; $ ./configure; $ make SGX_MODE=SIM; $ sudo make install

Question : Does the repo supports SIM mode build? In the above build I did not face any error message.

Got following error when executing

$./p11test

76) test: UnsupportedAPITests::testWaitForSlotEvent (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48

77) test: UnsupportedAPITests::testGetFunctionStatus (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48

78) test: UnsupportedAPITests::testCancelFunction (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48

Also got this error

$pkcs11-tool --module /usr/local/lib/libp11sgx.so --init-token --label "ctk" --slot 0 --so-pin 1234 --init-pin --pin 1234

error: PKCS11 function C_Initialize failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.

Any help on what I am missing will be appreciated.

--Batsayan

Sankar_V · ‎03-26-2021

In addition to the other file, please also make the below change in src/p11/untrusted/Makefile.am

HW:
-AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts -lsgx_uprotected_fs \

SIM:
+AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts_sim -lsgx_uae_service_sim -lsgx_uprotected_fs \

And, please also delete the /opt/intel/cryptoapitoolkit directory before you do a sudo make install. I just checked, and it worked.

View solution in original post

JesusG_Intel · ‎03-23-2021

Hello Batsayan,

The Crypto API Toolkit for Intel SGX does not support Intel SGX Simulation mode. Refer to the Prerequisites section for a full list of system and software requirements to run the Crypto API Toolkit.

Sincerely,

Jesus G.

Intel Customer Support

JesusG_Intel · ‎03-23-2021

Hello Batsayan,

I just received an update from engineering:

"Yes, Crypto API Toolkit will work in the simulation mode, but we have not explicitly enabled the Makefile for it (but we don’t test it). We have to make changes manually."

We will soon have a response for you on what needs to be done in the Makefile.

Sincerely,

Jesus G.

Intel Customer Support

Sankar_V · ‎03-24-2021

You can make the below change to enable simulation mode runs:

In src/p11/trusted/Makefile.am

HW:

-m64 -Wall -O2 -D_FORTIFY_SOURCE=2 -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -pie -L$(SGXSSLDIR)/lib64 -Wl,--whole-archive -lsgx_tsgxssl -Wl,--no-whole-archive -lsgx_tsgxssl_crypto -L$(SGXSDKDIR)/lib64 -Wl,--whole-archive -lsgx_trts -Wl,--no-whole-archive -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_tservice -lsgx_tprotected_fs -Wl,--end-group -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wpragmas -Wl,-soname -Wl,libp11SgxEnclave.so.0 -o .libs/libp11SgxEnclave.so.0.0.0

SIM:

-m64 -Wall -O2 -D_FORTIFY_SOURCE=2 -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -pie -L$(SGXSSLDIR)/lib64 -Wl,--whole-archive -lsgx_tsgxssl -Wl,--no-whole-archive -lsgx_tsgxssl_crypto -L$(SGXSDKDIR)/lib64 -Wl,--whole-archive -lsgx_trts_sim -Wl,--no-whole-archive -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_tservice_sim -lsgx_tprotected_fs -Wl,--end-group -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wpragmas -Wl,-soname -Wl,libp11SgxEnclave.so.0 -o .libs/libp11SgxEnclave.so.0.0.0

das__batsayan · ‎03-24-2021

What I did

git clone https://github.com/intel/crypto-api-toolkit
cd crypto-api-toolkit
changed src/p11/trusted/Makefile.am for SIM as suggested above
sh autogen.sh
make SGX_MODE=SIM
sudo make install
cd src/test
./p11test

$ ./p11test
.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F

!!!FAILURES!!!
Test Results:
Run: 78 Failures: 78 Errors: 0

1) test: SymmetricAlgorithmTests::testAesEncryptDecrypt (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48

2) test: SymmetricAlgorithmTests::testAesWrapUnwrap (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48

JesusG_Intel · ‎03-25-2021

Hello Batsayan,

I reproduced your issue. Engineering is investigating this issue. We will respond to this thread as soon as we have an update.

Sincerely,

Jesus G.

Intel Customer Support

Sankar_V · ‎03-26-2021

In addition to the other file, please also make the below change in src/p11/untrusted/Makefile.am

HW:
-AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts -lsgx_uprotected_fs \

SIM:
+AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts_sim -lsgx_uae_service_sim -lsgx_uprotected_fs \

And, please also delete the /opt/intel/cryptoapitoolkit directory before you do a sudo make install. I just checked, and it worked.

das__batsayan · ‎03-28-2021

Thanks for quick reply, the SIM build issue is solved by the methods mentioned by you.

--Batsayan

JesusG_Intel · ‎03-29-2021

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

How to use crypto-api-toolkit in SIM mode

How to

SGX Tools