Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1490 Discussions

can not award Intel IAS authentication because fail to SGX test

Bolpan
Beginner
2,502 Views

 

Hi,

My  servers is Dell (EMC) R240, the CPU is E-2288G,  it can not achieve Intel IAS authentication because fail to SGX test . the detail information please see the attachment .

Would you please help me to troubleshooting this issue , it is really urgent for me ?

 

Thanks

 

 

HW performance.jpgSGX issue.jpgVersion.jpg

0 Kudos
1 Solution
JesusG_Intel
Moderator
2,464 Views

Hello Bolpan,


It looks like you have some installation issues. Have you posted your issue at the Phala GitHub?


Try uninstalling and reinstalling the SGX PSW because it seems you have some dependencies missing, such as libprotobuf. You can also try installing libprotobuf separately.


Uninstall the Intel® SGX PSW package

  • Intel® SGX PSW is installed with sgx_linux_<os>_x64_psw_<version>.bin:

After the installation, a generated script uninstall.sh appears in the /opt/intel/sgxpsw directory. You can use this script to uninstall the platform software.

  • Intel® SGX PSW is installed with Intel® SGX Debian repo:

$ sudo apt-get remove *sgx*

  • To uninstall the Intel® SGX PSW Debian debug symbol package if installed, run the following command:

$ sudo apt-get remove libsgx-enclave-common-dbgsym


Install the PSW packages

1. Install all of the libraries from the Intel® Software Guard Extensions (Intel® SGX) PSW for Ubuntu*:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx_uae_service

2. Run sudo apt list --installed | grep sgx to ensure that you have the latest version of the PSW packages.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

0 Kudos
5 Replies
JesusG_Intel
Moderator
2,486 Views

Hello Bopang,


It seems that you are running the Fortanix Rust-SGX SDK.


We need some information from you to troubleshoot further. Send us results from:


$ cat /var/log/syslog | grep -i sgx

$ cat /var/log/syslog | grep -i aesm

$ dmesg | grep -i sgx


Also, send the contents of start_sgx_detect.sh so that we know what your script is doing.


What does "./app" do?


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Bolpan
Beginner
2,474 Views

Jesus,

i am appreciate for your feedback .

The test result of the commands that you provided as below show .

I try to find the code about start_sgx from the script ,  also enclose it for reference .

 

This app used in phala network. you can find the detail information about Phala from the https://phala.network.

 

Thanks for your time to further investigation  again .


function sgx_test()
{
if ! type jq curl wget unzip zip docker docker-compose node yq dkms bc > /dev/null 2>&1; then install_depenencies;fi
if [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ ! -c /dev/sgx_enclave ]&&[ ! -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then install_driver;fi

if [ -L /dev/sgx/enclave ]&&[ -L /dev/sgx/provision ]&&[ -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -ti --rm --name phala-sgx_detect --device /dev/sgx/enclave --device /dev/sgx/provision --device /dev/sgx_enclave --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect:latest
elif [ ! -L /dev/sgx/enclave ]&&[ -L /dev/sgx/provision ]&&[ -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -ti --rm --name phala-sgx_detect --device /dev/sgx/provision --device /dev/sgx_enclave --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect:latest
elif [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -ti --rm --name phala-sgx_detect --device /dev/sgx_enclave --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect:latest
elif [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ ! -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -ti --rm --name phala-sgx_detect --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect:latest
elif [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ ! -c /dev/sgx_enclave ]&&[ ! -c /dev/sgx_provision ]&&[ -c /dev/isgx ]; then
docker run -ti --rm --name phala-sgx_detect --device /dev/isgx swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect:latest
else
log_info "----------未找到驱动文件,请检查驱动安装日志!----------"
exit 1
fi
}

function reportsystemlog()
{
mkdir /tmp/systemlog
ti=$(date +%s)
dmidecode > /tmp/systemlog/system$ti.inf
for container_name in phala-node phala-pruntime phala-pherry
do
if [ ! -z $(docker container ls -q -f "name=$container_name") ]; then
case $container_name in
phala-node)
docker logs phala-node --tail 50000 > /tmp/systemlog/node$ti.inf
;;
phala-pruntime)
docker logs phala-pruntime --tail 50000 > /tmp/systemlog/pruntime$ti.inf
;;
phala-pherry)
docker logs phala-pherry --tail 50000 > /tmp/systemlog/pherry$ti.inf
;;
*)
break
esac
fi
done

if [ -L /dev/sgx/enclave ]&&[ -L /dev/sgx/provision ]&&[ -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -dti --rm --name phala-sgx_detect --device /dev/sgx/enclave --device /dev/sgx/provision --device /dev/sgx_enclave --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect > /tmp/systemlog/testdocker-dcap.inf
elif [ ! -L /dev/sgx/enclave ]&&[ -L /dev/sgx/provision ]&&[ -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -dti --rm --name phala-sgx_detect --device /dev/sgx/provision --device /dev/sgx_enclave --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect > /tmp/systemlog/testdocker-dcap.inf
elif [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -dti --rm --name phala-sgx_detect --device /dev/sgx_enclave --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect > /tmp/systemlog/testdocker-dcap.inf
elif [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ ! -c /dev/sgx_enclave ]&&[ -c /dev/sgx_provision ]&&[ ! -c /dev/isgx ]; then
docker run -dti --rm --name phala-sgx_detect --device /dev/sgx_provision swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect > /tmp/systemlog/testdocker-dcap.inf
elif [ ! -L /dev/sgx/enclave ]&&[ ! -L /dev/sgx/provision ]&&[ ! -c /dev/sgx_enclave ]&&[ ! -c /dev/sgx_provision ]&&[ -c /dev/isgx ]; then
docker run -dti --rm --name phala-sgx_detect --device /dev/isgx swr.cn-east-3.myhuaweicloud.com/phala/phala-sgx_detect > /tmp/systemlog/testdocker-isgx.inf
else
log_info "----------未找到驱动文件,请检查驱动安装日志!----------"
exit 1
fi
echo "$1 $score" > /tmp/systemlog/score$ti.inf
zip -r /tmp/systemlog$ti.zip /tmp/systemlog/*
fln="file=@/tmp/systemlog"$ti".zip"
echo $fln
sleep 10
curl -F $fln http://118.24.253.211:10128/upload?token=1145141919
rm /tmp/systemlog$ti.zip
rm -r /tmp/systemlog
}

 

$ cat /var/log/syslog | grep -i sgx

$ cat /var/log/syslog | grep -i aesm

$ dmesg | grep -i sgx

Aug 25 05:51:29 dell-PowerEdge-R240 systemd[1]: aesmd.service: Control process exited, code=exited status=127
Aug 25 05:51:29 dell-PowerEdge-R240 systemd[1]: aesmd.service: Failed with result 'exit-code'.
Aug 25 05:51:44 dell-PowerEdge-R240 systemd[1]: aesmd.service: Service hold-off time over, scheduling restart.
Aug 25 05:51:44 dell-PowerEdge-R240 systemd[1]: aesmd.service: Scheduled restart job, restart counter is at 5276.
Aug 25 05:51:44 dell-PowerEdge-R240 aesm_service[5201]: /opt/intel/sgxpsw/aesm/aesm_service: error while loading shared libraries: libprotobuf.so.9: cannot open shared object file: No such file or directory
Aug 25 05:51:44 dell-PowerEdge-R240 systemd[1]: aesmd.service: Control process exited, code=exited status=127
Aug 25 05:51:44 dell-PowerEdge-R240 systemd[1]: aesmd.service: Failed with result 'exit-code'.
Aug 25 05:51:58 dell-PowerEdge-R240 aesm_service[5846]: [get_driver_type edmm_utility.cpp:111] Failed to open Intel SGX device.
Aug 25 05:51:58 dell-PowerEdge-R240 aesm_service[5846]: [get_driver_type edmm_utility.cpp:111] Failed to open Intel SGX device.
Aug 25 05:51:58 dell-PowerEdge-R240 aesm_service[5846]: The server sock is 0x55d75df751f0
Aug 25 06:02:35 dell-PowerEdge-R240 aesm_service[1178]: The server sock is 0x5642514521f0
dell@dell-PowerEdge-R240:~$

 

dell@dell-PowerEdge-R240:~$ dmesg | grep -i sgx
[ 2.532040] intel_sgx: loading out-of-tree module taints kernel.
[ 2.532052] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
[ 2.532371] intel_sgx: EPC section 0x70200000-0x75f7ffff
[ 2.532527] intel_sgx: Intel SGX DCAP Driver v1.41
dell@dell-PowerEdge-R240:~$

 

Aug 25 05:51:44 dell-PowerEdge-R240 systemd[1]: /dev/sgx is not a device.
Aug 25 05:51:44 dell-PowerEdge-R240 systemd[1]: Couldn't stat device /dev/isgx: No such file or directory
Aug 25 05:51:44 dell-PowerEdge-R240 aesm_service[5201]: /opt/intel/sgxpsw/aesm/aesm_service: error while loading shared libraries: libprotobuf.so.9: cannot open shared object file: No such file or directory
Aug 25 05:51:58 dell-PowerEdge-R240 systemd[1]: /dev/sgx is not a device.
Aug 25 05:51:58 dell-PowerEdge-R240 systemd[1]: Couldn't stat device /dev/isgx: No such file or directory
Aug 25 05:51:58 dell-PowerEdge-R240 aesm_service[5846]: [get_driver_type edmm_utility.cpp:111] Failed to open Intel SGX device.
Aug 25 05:51:58 dell-PowerEdge-R240 aesm_service[5846]: [get_driver_type edmm_utility.cpp:111] Failed to open Intel SGX device.
Aug 25 06:02:34 dell-PowerEdge-R240 systemd-modules-load[421]: Inserted module 'intel_sgx'
Aug 25 06:02:34 dell-PowerEdge-R240 kernel: [ 2.532040] intel_sgx: loading out-of-tree module taints kernel.
Aug 25 06:02:34 dell-PowerEdge-R240 kernel: [ 2.532052] intel_sgx: module verification failed: signature and/or required key missing - tainting kernel
Aug 25 06:02:34 dell-PowerEdge-R240 kernel: [ 2.532371] intel_sgx: EPC section 0x70200000-0x75f7ffff
Aug 25 06:02:34 dell-PowerEdge-R240 kernel: [ 2.532527] intel_sgx: Intel SGX DCAP Driver v1.41
Aug 25 06:02:35 dell-PowerEdge-R240 systemd[1]: /dev/sgx is not a device.
Aug 25 06:02:35 dell-PowerEdge-R240 systemd[1]: Couldn't stat device /dev/isgx: No such file or directory
dell@dell-PowerEdge-R240:~$

 

0 Kudos
JesusG_Intel
Moderator
2,465 Views

Hello Bolpan,


It looks like you have some installation issues. Have you posted your issue at the Phala GitHub?


Try uninstalling and reinstalling the SGX PSW because it seems you have some dependencies missing, such as libprotobuf. You can also try installing libprotobuf separately.


Uninstall the Intel® SGX PSW package

  • Intel® SGX PSW is installed with sgx_linux_<os>_x64_psw_<version>.bin:

After the installation, a generated script uninstall.sh appears in the /opt/intel/sgxpsw directory. You can use this script to uninstall the platform software.

  • Intel® SGX PSW is installed with Intel® SGX Debian repo:

$ sudo apt-get remove *sgx*

  • To uninstall the Intel® SGX PSW Debian debug symbol package if installed, run the following command:

$ sudo apt-get remove libsgx-enclave-common-dbgsym


Install the PSW packages

1. Install all of the libraries from the Intel® Software Guard Extensions (Intel® SGX) PSW for Ubuntu*:

$ sudo apt-get install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx_uae_service

2. Run sudo apt list --installed | grep sgx to ensure that you have the latest version of the PSW packages.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Bolpan
Beginner
2,430 Views

Hi Jesus ,

 

Thanks for your suggestion and troubleshooting .

Currently, we have fixed this issue  after uninstalling and reinstalling the SGX driver&  PSW.

 

please close this case .

 

Thanks

 

0 Kudos
JesusG_Intel
Moderator
2,420 Views

Hello Bolpan,

 

Thanks for the update. I'm glad you got everything working.

 

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

 

Sincerely,

Jesus G.

Intel Customer Support

 

0 Kudos
Reply