Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

How to use crypto-api-toolkit in SIM mode

das__batsayan
New Contributor I
786 Views

I am using https://github.com/intel/crypto-api-toolkit repo to learn PKCS#11, my current SGX_SDK version is 2.13 , on Ubuntu 18.04

I build the above using $ sh autogen.sh; $ ./configure; $ make SGX_MODE=SIM; $ sudo make install

Question : Does the repo supports SIM mode build? In the above build I did not face any error message.

Got following error when executing

$./p11test


76) test: UnsupportedAPITests::testWaitForSlotEvent (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48


77) test: UnsupportedAPITests::testGetFunctionStatus (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48


78) test: UnsupportedAPITests::testCancelFunction (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48


Also got this error

$pkcs11-tool --module /usr/local/lib/libp11sgx.so --init-token --label "ctk" --slot 0 --so-pin 1234 --init-pin --pin 1234

error: PKCS11 function C_Initialize failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.


Any help on what I am missing will be appreciated.

--Batsayan

Labels (2)
0 Kudos
1 Solution
Sankar_V
Employee
667 Views

In addition to the other file, please also make the below change in src/p11/untrusted/Makefile.am

HW:
-AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts -lsgx_uprotected_fs \

SIM:
+AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts_sim -lsgx_uae_service_sim -lsgx_uprotected_fs \

And, please also delete the /opt/intel/cryptoapitoolkit directory before you do a sudo make install. I just checked, and it worked.

View solution in original post

8 Replies
JesusG_Intel
Moderator
746 Views

Hello Batsayan,


The Crypto API Toolkit for Intel SGX does not support Intel SGX Simulation mode. Refer to the Prerequisites section for a full list of system and software requirements to run the Crypto API Toolkit.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
739 Views

Hello Batsayan,


I just received an update from engineering:


"Yes, Crypto API Toolkit will work in the simulation mode, but we have not explicitly enabled the Makefile for it (but we don’t test it). We have to make changes manually."


We will soon have a response for you on what needs to be done in the Makefile.


Sincerely,

Jesus G.

Intel Customer Support




Sankar_V
Employee
727 Views

You can make the below change to enable simulation mode runs:

In src/p11/trusted/Makefile.am

HW:

-m64 -Wall -O2 -D_FORTIFY_SOURCE=2 -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -pie -L$(SGXSSLDIR)/lib64 -Wl,--whole-archive -lsgx_tsgxssl -Wl,--no-whole-archive -lsgx_tsgxssl_crypto -L$(SGXSDKDIR)/lib64 -Wl,--whole-archive -lsgx_trts -Wl,--no-whole-archive -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_tservice -lsgx_tprotected_fs -Wl,--end-group -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wpragmas -Wl,-soname -Wl,libp11SgxEnclave.so.0 -o .libs/libp11SgxEnclave.so.0.0.0

SIM:

-m64 -Wall -O2 -D_FORTIFY_SOURCE=2 -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -pie -L$(SGXSSLDIR)/lib64 -Wl,--whole-archive -lsgx_tsgxssl -Wl,--no-whole-archive -lsgx_tsgxssl_crypto -L$(SGXSDKDIR)/lib64 -Wl,--whole-archive -lsgx_trts_sim -Wl,--no-whole-archive -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -lsgx_tservice_sim -lsgx_tprotected_fs -Wl,--end-group -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wpragmas -Wl,-soname -Wl,libp11SgxEnclave.so.0 -o .libs/libp11SgxEnclave.so.0.0.0

das__batsayan
New Contributor I
717 Views


What I did


git clone https://github.com/intel/crypto-api-toolkit
cd crypto-api-toolkit
changed src/p11/trusted/Makefile.am for SIM as suggested above
sh autogen.sh
make SGX_MODE=SIM
sudo make install
cd src/test
./p11test


$ ./p11test
.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F.F


!!!FAILURES!!!
Test Results:
Run: 78 Failures: 78 Errors: 0


1) test: SymmetricAlgorithmTests::testAesEncryptDecrypt (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48


2) test: SymmetricAlgorithmTests::testAesWrapUnwrap (F) line: 120 TestsNoPINInitBase.cpp
setUp() failed
- equality assertion failed
- Expected: 0
- Actual : 48

 

JesusG_Intel
Moderator
678 Views

Hello Batsayan,


I reproduced your issue. Engineering is investigating this issue. We will respond to this thread as soon as we have an update.


Sincerely,

Jesus G.

Intel Customer Support


Sankar_V
Employee
668 Views

In addition to the other file, please also make the below change in src/p11/untrusted/Makefile.am

HW:
-AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts -lsgx_uprotected_fs \

SIM:
+AM_LDFLAGS = -L$(SGXSSLDIR)/lib64 -lsgx_usgxssl -L$(SGXSDKDIR)/lib64 $(DCAP_LIB) -lsgx_urts_sim -lsgx_uae_service_sim -lsgx_uprotected_fs \

And, please also delete the /opt/intel/cryptoapitoolkit directory before you do a sudo make install. I just checked, and it worked.

das__batsayan
New Contributor I
644 Views

Thanks for quick reply, the SIM build issue is solved by the methods mentioned by you. 

--Batsayan

 

JesusG_Intel
Moderator
620 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


Reply