Solved: SampleEnclavePCL building error

Criston__Anna · ‎05-21-2020

Hi! I get the following building error when trying to build the SDK sample solution SampleEnclavePCL:

Error MSB3073 The command ""C:\Program Files (x86)\Intel\IntelSGXSDK\bin\win32\release\sgx_enc_ip.exe" -k key.bin -i "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Debug\Enclave.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Debug\Enclave.enc.dll" && "C:\Program Files (x86)\Intel\IntelSGXSDK\bin\win32\release\sgx_sign.exe" sign -key "Enclave_private.pem" -enclave "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Debug\Enclave.enc.dll" -out "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Debug\Enclave.signed.dll" -config "Enclave.config.xml"
:VCEnd" exited with code -1073741515. Enclave C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets 138

and in the output of the program: Failed to read sealed_key.bin. Error: Can't open enclave file.

Details:

Target Platform: Windows 10 version 10.0.18363 Build 18363

Windows SDK version: 10.01.6299.0

Platform Toolset ; Visual Studio 2017(v141)

SGX SDK version: 2.7.101.2

SGX PSW version: 2.7.101.2

SGX Device version: 2.7.100.2

I do not know where the problem is. If anybody could help me solve it.

JesusG_Intel · ‎05-21-2020

Hi Anna,

In Visual Studio

1. Right click the project Enclave->Properties->Build Events->Post-Build Event->Change Command line to read as below. I bolded the only change. This step encrypts the enclave.dll then needs to sign the encrypted version, which is called enclave.enc.dll.

"$(SGXSDKInstallPath)bin\x64\release\sgx_enc_ip.exe" -k key.bin -i "$(OutDir)Enclave.dll" -o "$(OutDir)Enclave.enc.dll" && "$(SGXSDKInstallPath)bin\x64\release\sgx_sign.exe" sign -key "Enclave_private.pem" -enclave "$(OutDir)Enclave.enc.dll" -out "$(OutDir)Enclave.signed.enc.dll" -config "Enclave.config.xml"

I found this in the document Intel Software Guard Extensions Developer Reference for Windows OS, page 101. There is a list there called, "Modifications to IP Enclave" for modifications needed to compile this enclave.

Regards,

Jesus

Intel Customer Support

View solution in original post

JesusG_Intel · ‎05-21-2020

Hi Anna, I got the same error. I'm looking into it.

Jesus

Intel Customer Support

JesusG_Intel · ‎05-21-2020

Hi Anna,

In Visual Studio

1. Right click the project Enclave->Properties->Build Events->Post-Build Event->Change Command line to read as below. I bolded the only change. This step encrypts the enclave.dll then needs to sign the encrypted version, which is called enclave.enc.dll.

"$(SGXSDKInstallPath)bin\x64\release\sgx_enc_ip.exe" -k key.bin -i "$(OutDir)Enclave.dll" -o "$(OutDir)Enclave.enc.dll" && "$(SGXSDKInstallPath)bin\x64\release\sgx_sign.exe" sign -key "Enclave_private.pem" -enclave "$(OutDir)Enclave.enc.dll" -out "$(OutDir)Enclave.signed.enc.dll" -config "Enclave.config.xml"

I found this in the document Intel Software Guard Extensions Developer Reference for Windows OS, page 101. There is a list there called, "Modifications to IP Enclave" for modifications needed to compile this enclave.

Regards,

Jesus

Intel Customer Support

Criston__Anna · ‎05-21-2020

Garcia, Jesus L (Intel) wrote:
Hi Anna,
In Visual Studio
1. Right click the project Enclave->Properties->Build Events->Post-Build Event->Change Command line to read as below. I bolded the only change. This step encrypts the enclave.dll then needs to sign the encrypted version, which is called enclave.enc.dll.
"$(SGXSDKInstallPath)bin\x64\release\sgx_enc_ip.exe" -k key.bin -i "$(OutDir)Enclave.dll" -o "$(OutDir)Enclave.enc.dll" && "$(SGXSDKInstallPath)bin\x64\release\sgx_sign.exe" sign -key "Enclave_private.pem" -enclave "$(OutDir)Enclave.enc.dll" -out "$(OutDir)Enclave.signed.enc.dll" -config "Enclave.config.xml"
I found this in the document Intel Software Guard Extensions Developer Reference for Windows OS, page 101. There is a list there called, "Modifications to IP Enclave" for modifications needed to compile this enclave.
Regards,
Jesus
Intel Customer Support

Thank you for your reply. I made the modification, however the problem still remains. I had a look in the Developer Reference, cannot really figure out what else I could change.

JesusG_Intel · ‎05-22-2020

Hi Anna, please post the full command line in your post-build event here.

Criston__Anna · ‎05-22-2020

Garcia, Jesus L (Intel) wrote:
Hi Anna, please post the full command line in your post-build event here.

Sure.

"$(SGXSDKInstallPath)bin\x64\release\sgx_enc_ip.exe" -k key.bin -i "$(OutDir)Enclave.dll" -o "$(OutDir)Enclave.enc.dll" && "$(SGXSDKInstallPath)bin\x64\release\sgx_sign.exe" sign -key "Enclave_private.pem" -enclave "$(OutDir)Enclave.enc.dll" -out "$(OutDir)Enclave.signed.enc.dll" -config "Enclave.config.xml"

JesusG_Intel · ‎05-22-2020

Hi Anna, your command is correct. I was able to reproduce your error when I compiled as Win32. Change your compile target platform to x64 and it should work. I don't know why Win32 does not work.

Criston__Anna · ‎05-22-2020

Garcia, Jesus L (Intel) wrote:
Hi Anna, your command is correct. I was able to reproduce your error when I compiled as Win32. Change your compile target platform to x64 and it should work. I don't know why Win32 does not work.

Thank you for your reply, Jesus. I did change my target platform, however I still have the problem:

JesusG_Intel · ‎05-22-2020

Hello Anna, we're going to have to dive deeper. I have the same config as you based on your screenshots and the post-build step works without a problem.

Let's try a fresh installation of the SDK. Save your work to another folder, then uninstall the SGX SDK.

Go to "Control Panel\Programs\Programs and Features".
Right click and uninstall Intel Software Guard Extensions SDK for Windows*
Be sure to remove this directory if not completely removed after the uninstall: C:\Program Files (x86)\Intel\IntelSGXSDK
Reinstall the SGX SDK.
Open the SampleEnclavePCL sample with VS as administrator.
Go to the Enclave project properties and change the post-build event as you did before and try to compile for x64.

Criston__Anna · ‎05-22-2020

Garcia, Jesus L (Intel) wrote:
Hello Anna, we're going to have to dive deeper. I have the same config as you based on your screenshots and the post-build step works without a problem.
Let's try a fresh installation of the SDK. Save your work to another folder, then uninstall the SGX SDK.
Go to "Control Panel\Programs\Programs and Features".
Right click and uninstall Intel Software Guard Extensions SDK for Windows*
Be sure to remove this directory if not completely removed after the uninstall: C:\Program Files (x86)\Intel\IntelSGXSDK
Reinstall the SGX SDK.
Open the SampleEnclavePCL sample with VS as administrator.
Go to the Enclave project properties and change the post-build event as you did before and try to compile for x64.

Thank you for your reply, Jesus. I did as you said, but no success. One thing I noticed is that the release folder was installed with capital R, I changed that, but still not working. I attach screenshots of the two folders accessed. It seems as Enclave.enc.dll does not make it to the Debug folder.

JesusG_Intel · ‎05-22-2020

Hi Anna,

Let's try to run the post build step manually. The post build step is actually two commands executed sequentially. The first step is to open a command line prompt as Administrator.

Ensure these files exist before running the first command:

C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_enc_ip.exe

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\key.bin

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.dll

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\Enclave_private.pem

After you verified the above files exist, run this command:

C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_enc_ip.exe -k "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\key.bin" -i "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll"

Ensure this file gets generated after the first command:

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll

Now you can run the second command command to sign Enclave.enc.dll and generate Enclave.signed.enc.dll.

C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_sign.exe sign -key "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\Enclave_private.pem" -enclave "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.signed.enc.dll"

This file is the final one you end up with:

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.signed.enc.dll

Criston__Anna · ‎05-23-2020

Garcia, Jesus L (Intel) wrote:
Hi Anna,
Let's try to run the post build step manually. The post build step is actually two commands executed sequentially. The first step is to open a command line prompt as Administrator.
Ensure these files exist before running the first command:
C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_enc_ip.exe

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\key.bin

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.dll

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\Enclave_private.pem
After you verified the above files exist, run this command:
C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_enc_ip.exe -k "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\key.bin" -i "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll"
Ensure this file gets generated after the first command:
C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll
Now you can run the second command command to sign Enclave.enc.dll and generate Enclave.signed.enc.dll.
C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_sign.exe sign -key "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\Enclave_private.pem" -enclave "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.signed.enc.dll"
This file is the final one you end up with:
C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.signed.enc.dll

Alright. When I run the first command I get the following error:

Criston__Anna · ‎05-23-2020

Criston, Anna wrote:
Quote:
Garcia, Jesus L (Intel) wrote:

Hi Anna,
Let's try to run the post build step manually. The post build step is actually two commands executed sequentially. The first step is to open a command line prompt as Administrator.
Ensure these files exist before running the first command:
C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_enc_ip.exe

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\key.bin

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.dll

C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\Enclave_private.pem
After you verified the above files exist, run this command:
C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_enc_ip.exe -k "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\key.bin" -i "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll"
Ensure this file gets generated after the first command:
C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll
Now you can run the second command command to sign Enclave.enc.dll and generate Enclave.signed.enc.dll.
C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release\sgx_sign.exe sign -key "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\Enclave\Enclave_private.pem" -enclave "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.enc.dll" -o "C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.signed.enc.dll"
This file is the final one you end up with:
C:\Program Files (x86)\Intel\IntelSGXSDK\src\SampleEnclavePCL\x64\Debug\Enclave.signed.enc.dll
Alright. When I run the first command I get the following error:

Update: Downloaded libcrypto-1_1-x64.dll version 1.1.1.4, placed it in C:\Program Files (x86)\Intel\IntelSGXSDK\bin\x64\Release, and the enclave is building just fine. However, running the program gives me the following the error:

And the line and status where it prints "Failed to read sealed_key.bin":

JesusG_Intel · ‎05-26-2020

Hi Anna,

You found a bug! Here is the fix. Add this line before ReadFile.

sealed_key_blob = new uint8_t[sealed_key_blob_file_size];

Your code should look like this:

else
        {
            sealed_key_blob = new uint8_t[sealed_key_blob_file_size];
            ReadFile(sealed_key_handler, sealed_key_blob, sealed_key_blob_file_size, &read_num, NULL);
            if (read_num != sealed_key_blob_file_size) {
                printf("Failed to read %s\n", sealed_key_blob_path);
                ErrorExit(TEXT("ReadFile"));
            }

Criston__Anna · ‎06-03-2020

Garcia, Jesus L (Intel) wrote:
Hi Anna,
You found a bug! Here is the fix. Add this line before ReadFile.
sealed_key_blob = new uint8_t[sealed_key_blob_file_size];
Your code should look like this:
else
        {
            sealed_key_blob = new uint8_t[sealed_key_blob_file_size];
            ReadFile(sealed_key_handler, sealed_key_blob, sealed_key_blob_file_size, &read_num, NULL);
            if (read_num != sealed_key_blob_file_size) {
                printf("Failed to read %s\n", sealed_key_blob_path);
                ErrorExit(TEXT("ReadFile"));
            }

this solved it. Thank you!