Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Spectre fix breaks SGX attestation

Gordon__Arthur
Beginner
1,267 Views

In December (2017) I had SGX remote attestation working on a Thinkpad T470 (20HD) under Linux.

On the 27th December 2017 Lenovo released a BIOS update 1.44 which addressed CVE-2017-5715.

Since installing the BIOS update attestation now fails, with the following messages:

: Error, call sgx_get_extended_epid_group_id fail: 0x4001
: sgx_create_enclave() needs the AE service to get a launch token

I assume the Spectre fix CVE-2017-5715 has changed the time taken to perform an operation which has caused the AE service to be declared as not running.

Any ideas?

Regards,

-Arthur
4 Replies
JohnMechalas
Employee

The Intel SGX platform software is trying to reprovision because of the BIOS update (these fixes result in a TCB recovery). Error 0x4001 in this context means the request to the AE service timed out.

Make sure:

  1. aesm is running (it should be or you'd get a different error) 
  2. the proxy for aesm is properly configured in /etc/aesmd.conf

Gordon__Arthur
Beginner

Thanks for the response John. Looking at the aesmd service I get the following:

$ service aesmd status

● aesmd.service - Intel(R) Architectural Enclave Service Manager
   Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2018-01-10 20:44:21 GMT; 5s ago
  Process: 2770 ExecStart=/opt/intel/sgxpsw/aesm/aesm_service (code=exited, status=0/SUCCESS)
  Process: 2767 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 2763 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 2759 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 2748 ExecStartPre=/opt/intel/sgxpsw/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
 Main PID: 2772 (code=exited, status=1/FAILURE)

Jan 10 20:44:21 arthur-ThinkPad-T470 systemd[1]: aesmd.service: Unit entered failed state.
Jan 10 20:44:21 arthur-ThinkPad-T470 systemd[1]: aesmd.service: Failed with result 'exit-code'.

I am not using a proxy, and changing the following line in /etc/aesmd.conf has no effect:

#proxy type    = direct #direct type means no proxy used

What could be causing the aesmd service to fail?

Regards,

-Arthur

Gordon__Arthur
Beginner

OK now fixed! The aesmd service was failing because the sgx driver was not running.

I had updated the kernel version, which then required the sgx driver to be reinstalled.

Thanks for the pointers.

Regards,

-Arthur

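The two failure points in this thread (the 0x4001 timeout John explains, and aesmd exiting because the SGX driver had not been reinstalled for the new kernel) can be separated with a quick precheck before touching the proxy setting. Added example, not from the thread or from Intel's own tooling; it assumes the out-of-tree isgx driver (module `isgx`, device `/dev/isgx`) and the default aesmd socket `/var/run/aesmd/aesm.socket`, and it takes the `lsmod` text as an argument so it can be exercised offline.

```shell
#!/bin/sh
# Precheck for the aesmd failure chain seen in this thread (added example).
#
# sgx_precheck DEV SOCKET MODULES
#   DEV      device node the SGX driver creates (assumed: /dev/isgx)
#   SOCKET   aesmd's unix socket (assumed: /var/run/aesmd/aesm.socket)
#   MODULES  output of `lsmod`, passed in so the check can be tested offline
# Prints the first failing step (or "ok") and returns 0 only when all pass.
# Existence checks (-e) are used rather than -c/-S so the function can be
# exercised without root; on a live system both paths are created by the
# driver and by aesmd respectively.
sgx_precheck() {
    dev=$1
    sock=$2
    modules=$3

    # Step 1: the kernel module must be loaded for the *running* kernel.
    # After a kernel update the out-of-tree driver has to be rebuilt, which is
    # exactly what Arthur hit.
    if ! printf '%s\n' "$modules" | grep -q '^isgx '; then
        echo "driver module isgx not loaded: reinstall the SGX driver for kernel $(uname -r)"
        return 1
    fi

    # Step 2: the driver should have created its device node.
    if [ ! -e "$dev" ]; then
        echo "device node $dev missing: driver loaded but did not create it"
        return 1
    fi

    # Step 3: aesmd must be up, otherwise sgx_get_extended_epid_group_id and
    # sgx_create_enclave time out with 0x4001 regardless of proxy settings.
    if [ ! -e "$sock" ]; then
        echo "socket $sock missing: aesmd is not running (check 'journalctl -u aesmd')"
        return 1
    fi

    echo ok
    return 0
}

# Live run with the default Linux PSW/driver paths; a failing step is
# printed but does not abort the script.
sgx_precheck /dev/isgx /var/run/aesmd/aesm.socket "$(lsmod 2>/dev/null)" || :
```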
Sebastian_S_Intel1

John M; I'm trying to locate you to ask you a couple of questions!

thanks!

seb
