In December (2017) I had SGX remote attestation working on a Thinkpad T470 (20HD) under Linux.
On the 27th December 2017 Lenovo released a BIOS update 1.44 which addressed CVE-2017-5715.
Since installing the BIOS update, attestation now fails with the following messages:
: Error, call sgx_get_extended_epid_group_id fail: 0x4001
: sgx_create_enclave() needs the AE service to get a launch token
I assume the Spectre fix CVE-2017-5715 has changed the time taken to perform an operation which has caused the AE service to be declared as not running.
Any ideas?
Regards,
-Arthur
The Intel SGX platform software is trying to reprovision because of the BIOS update (these fixes result in a TCB recovery). Error 0x4001 in this context means the request to the AE service timed out.
Make sure:
- aesm is running (it should be or you'd get a different error)
- the proxy for aesm is properly configured in /etc/aesmd.conf
Thanks for the response, John. Looking at the aesmd service, I get the following:
$ service aesmd status
● aesmd.service - Intel(R) Architectural Enclave Service Manager
Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Wed 2018-01-10 20:44:21 GMT; 5s ago
Process: 2770 ExecStart=/opt/intel/sgxpsw/aesm/aesm_service (code=exited, status=0/SUCCESS)
Process: 2767 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
Process: 2763 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
Process: 2759 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
Process: 2748 ExecStartPre=/opt/intel/sgxpsw/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
Main PID: 2772 (code=exited, status=1/FAILURE)
Jan 10 20:44:21 arthur-ThinkPad-T470 systemd[1]: aesmd.service: Unit entered failed state.
Jan 10 20:44:21 arthur-ThinkPad-T470 systemd[1]: aesmd.service: Failed with result 'exit-code'.
I am not using a proxy, and changing the following line in cat /etc/aesmd.conf has no effect:
#proxy type = direct #direct type means no proxy used
What could be causing the aesmd service to fail?
Regards,
-Arthur
OK now fixed! The aesmd service was failing because the sgx driver was not running.
I had updated the kernel version, which then required the sgx driver to be reinstalled.
Thanks for the pointers.
Regards,
-Arthur
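
The check order that resolves this thread (aesmd exiting because the SGX driver was not loaded after a kernel update), as an added shell example that is not part of any post above. The module name isgx and the device nodes /dev/isgx and /dev/sgx_enclave are assumptions about the driver in use; the function name sgx_triage and its result strings are hypothetical.

```shell
#!/bin/sh
# Added example: triage why aesmd will not stay up after a kernel update.
# Assumptions (not from the thread): the out-of-tree driver is the module
# "isgx" with device node /dev/isgx; an in-kernel driver exposes /dev/sgx_enclave.

# sgx_triage ROOT KERNEL_RELEASE SERVICE_STATE
# ROOT lets the checks run against a constructed tree; pass "/" on a real host.
sgx_triage() (
  root="${1%/}"; krel="$2"; svc="$3"
  dev=""; mod_loaded=no; mod_built=no

  # 1. Is an SGX device node present? aesmd cannot load its enclaves without one.
  for d in dev/isgx dev/sgx_enclave; do
    if [ -z "$dev" ] && [ -e "$root/$d" ]; then dev="/$d"; fi
  done

  # 2. Is the driver module loaded in the running kernel?
  if grep -q '^isgx ' "$root/proc/modules" 2>/dev/null; then mod_loaded=yes; fi

  # 3. Was the module built for THIS kernel release? A kernel update leaves
  #    the old build under the previous release directory only.
  if find "$root/lib/modules/$krel" -name 'isgx.ko*' 2>/dev/null | grep -q .; then
    mod_built=yes
  fi

  if [ -n "$dev" ] && [ "$svc" = active ]; then
    echo "ok: $dev present and aesmd active"
  elif [ -n "$dev" ]; then
    echo "aesmd-down: driver present, check the aesmd journal and /etc/aesmd.conf"
  elif [ "$mod_loaded" = no ] && [ "$mod_built" = no ]; then
    echo "driver-missing: no isgx module for kernel $krel, reinstall the driver"
  elif [ "$mod_loaded" = no ]; then
    echo "driver-unloaded: isgx exists for $krel but is not loaded"
  else
    echo "no-device: isgx loaded but no device node, check dmesg"
  fi
)

# On a real host:
#   sgx_triage / "$(uname -r)" "$(systemctl is-active aesmd)"
```
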
John M: I'm trying to locate you to ask you a couple of questions!
Thanks!
seb