Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

sgx_create_pse_session gives me SGX_ERROR_SERVICE_UNAVAILABLE

Meysam_t_
Beginner
970 Views

Dear All,

I want to measure the time taken to run a particular instruction in the enclave. To this end, I use sgx_get_trusted_time() as below

ret0 = sgx_get_trusted_time(&timestamp_base0, &nonce0);

Before calling this function, I called sgx_create_pse_session (honestly I don't know why, but I saw it in some other code) as follows:

do {
        ret = sgx_create_pse_session();
        /* sgx_status_t is an int-sized enum, so print it with %x rather than %llx */
        printf("ret pse = %x\n", (unsigned int)ret);
} while (ret == SGX_ERROR_BUSY && busy_retry_times--);

sgx_create_pse_session gives me error message 0x4001 (SGX_ERROR_SERVICE_UNAVAILABLE). Would you please help me figure out how to use these two functions back to back to measure the time in the enclave?

There is another post discussing this problem, but it seems to be closed unresolved. It is worth mentioning that I am running on a Linux machine.

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/684991

I appreciate your help.

Thanks,

-M

0 Kudos
5 Replies
Junli_S_Intel
Employee
970 Views

To use the "trusted time" feature, the following preconditions need to be met:

1. Hardware requirement: your machine needs to have a CSME (Converged Security and Manageability Engine) chip. Basically, almost all platforms should have this chip.

2. You have installed the icls Client package.

So I guess you didn't install the icls Client package.

By the way, in the latest release (2.8), all of the platform services have been dropped.

0 Kudos
Meysam_t_
Beginner
970 Views

Junli,

Thank you for your quick answer. 

Unfortunately, I couldn't find iclsClient to download. 

As another post mentioned, the link which is mentioned in the installation guide (https://download.01.org/intel-sgx/linux-1.9/docs/Intel_SGX_Installation_Guide_Linux_1.9_Open_Source.pdf) is wrong; as mentioned in this document, I followed these steps 

sudo apt-get install alien
sudo alien --scripts iclsClient-1.45.449.12-1.x86_64.rpm

 but it gives me 

File "iclsClient-1.45.449.12-1.x86_64.rpm" not found.

Do you know where I can find it for Linux Mint 18?

Thanks for your help

-Meysam

 

0 Kudos
Rodolfo_S_
New Contributor III
970 Views

Hi Meysam,

Unfortunately, Intel no longer provides the icls Client package like that. This has already been mentioned in this thread.
This is why they dropped support for Trusted Platform Services in the current release.

Regards,
Rodolfo

0 Kudos
Meysam_t_
Beginner
970 Views

Hi Rodolfo,

Thanks for your reply. So based on what you said, I can't use sgx_get_trusted_time any more to measure time. Is there any way to use this command without installing iclsClient?

Is there any other way to measure the time which is taken to run a particular instruction in the enclave? 

I appreciate your help.

-Meysam

 

0 Kudos
Dr__Greg
Super User
970 Views

Good evening, I hope the day has gone well for everyone.

I composed a rather lengthy post discussing time issues inside of an enclave; you should be able to find the post here.

From a security perspective the only game in town is to leverage ECALLs to a hardware Trusted Platform Module (TPM).  Monotonic time and by extension counting is available through the millisecond timestamp counter in the TPM.  Doing this securely requires that the enclave hold a TPM key that can be used to attest a Platform Configuration Register (PCR) quote in order to verify that the PCR quote is coming from the TPM.  This is all assuming a TPM2 chip which embeds clock/timing information in an attestation quote.

This is all useful for monotonic counting and time but isn't ideal for instruction sequence timing.  The best solution for instruction timing is to use SGX2 hardware since Intel allows enclave mode to access this instruction.  Currently the only candidate for SGX2 hardware from a developer perspective is the Gemini Lake SOCs found in the NUC7 platforms.  Currently the roadmap is not clear as to what type of developer class hardware will have SGX2 support moving forward.

Depending on your requirements it may be useful to review at least one academic paper that has been done on speculative execution attacks conducted from inside of an enclave.  I don't have the reference immediately at hand but the authors were able to obtain fairly impressive timing measurements by using hardware tuned loops.

If expediency of outcome with minimal input is the desired objective the recommendation would be to run down a NUC7CJYH or NUC7CPYH NUC and slap a pair of RDTSC instructions around the instruction sequence to be timed.

Hopefully this is helpful, good luck with your project.

Dr. Greg

0 Kudos
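
The RDTSC pair suggested in the last reply, written out as an added example (not code from the thread or from the Intel SGX SDK). It builds as ordinary user-space C with GCC/Clang on x86-64; per that reply, the same instructions only execute in enclave mode on SGX2 hardware. The names tsc_now, min_ticks, time_sequence and sample_work are hypothetical, and the workload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <x86intrin.h> /* __rdtsc, _mm_lfence (GCC/Clang, x86 only) */

typedef void (*timed_fn)(void *arg); /* hypothetical callback type */

/* Fenced TSC read: LFENCE on both sides stops reordering across the stamp. */
static inline uint64_t tsc_now(void)
{
    _mm_lfence();
    uint64_t t = __rdtsc();
    _mm_lfence();
    return t;
}
static void empty_fn(void *arg) { (void)arg; } /* calibration target */

/* Smallest delta over `runs` calls; the minimum drops interrupted runs. */
static uint64_t min_ticks(timed_fn fn, void *arg, size_t runs)
{
    uint64_t best = UINT64_MAX;
    for (size_t i = 0; i < runs; i++) {
        uint64_t t0 = tsc_now();
        fn(arg);
        uint64_t d = tsc_now() - t0;
        if (d < best) best = d;
    }
    return best;
}

/* Ticks spent in fn(arg), with the empty-harness cost subtracted. */
uint64_t time_sequence(timed_fn fn, void *arg, size_t runs)
{
    uint64_t overhead = min_ticks(empty_fn, NULL, runs);
    uint64_t total = min_ticks(fn, arg, runs);
    return total > overhead ? total - overhead : 0;
}

/* Constructed workload standing in for the sequence being timed. */
static uint64_t demo_acc;
static void sample_work(void *arg)
{
    volatile uint64_t *acc = (volatile uint64_t *)arg;
    for (uint64_t i = 0; i < 10000; i++) *acc += i;
}

int main(void)
{
    printf("%llu ticks\n", (unsigned long long)time_sequence(sample_work, &demo_acc, 1000));
    return 0;
}
```

The result is in TSC ticks, which advance at a fixed reference rate rather than at the current core clock, so compare measurements taken on the same machine.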