Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Failed to connect secret provisioning with Intel SGX and Gramine

mkd_
Novice

Hello,

I was doing privacy-preserving machine learning applications with Intel SGX and Gramine, as described in Gramine’s GitHub – 

https://github.com/gramineproject/gramine/blob/master/Documentation/tutorials/pytorch/index.rst

I was able to execute the deep learning model inside the enclave without remote attestation.

However, I am facing problems establishing remote attestation. Here is the error I am receiving when I am trying to connect to the DCAP server - 

~/Gramine_project/examples/pytorch-confidential$ gramine-sgx ./pytorch pytorchexample.py
Gramine is starting. Parsing TOML manifest file, this may take some time...
-----------------------------------------------------------------------------------------------------------------------
Gramine detected the following insecure configurations:

  - loader.insecure__use_cmdline_argv = true   (forwarding command-line args from untrusted host to the app)

Gramine will continue application execution, but this configuration must not be used in production!
-----------------------------------------------------------------------------------------------------------------------

secret_provision_start: Secret Provisioning could not connect to any of the servers specified in SECRET_PROVISION_SERVERS; last mbedTLS error was -68
secret_provision_common_close: Secret Provisioning failed during connection close with mbedTLS error -28928
WARNING: Closing the secret-prov context failed with error -1.
secret_provision_constructor: Secret provisioning failed, terminating the whole process

Here is my server side - 

dcap_server.png

Here is my user side - 

client_side.png

I have changed the manifest file as instructed by Gramine. Here are the changes that I made to establish the connection and DCAP - 

sgx.trusted_files = [
  "file:{{ entrypoint }}",
  "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir() }}/",
  "file:/usr/lib/",
  "file:{{ arch_libdir }}/",
  "file:/usr/{{ arch_libdir }}/",
{% for path in python.get_sys_path(entrypoint) %}
  "file:{{ path }}{{ '/' if path.is_dir() else '' }}",
{% endfor %}

  "file:pytorchexample.py",
  "file:ssl/ca.crt",
]

sys.enable_extra_runtime_domain_names_conf = true
sgx.remote_attestation = "dcap"
loader.env.LD_PRELOAD = "libsecret_prov_attest.so"
loader.env.SECRET_PROVISION_CONSTRUCTOR = "1"
loader.env.SECRET_PROVISION_SET_KEY = "default"
loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "ssl/ca.crt"
loader.env.SECRET_PROVISION_SERVERS = "localhost:4433"

Please note that I have also tried with setting the RA_TLS_ALLOW_OUTDATED_TCB_INSECURE to 1.

Could you please suggest how to resolve the issue?
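The failure in the post above can be triaged from the two mbedTLS error codes and the manifest fragment alone. The following Python script is an added example, not code from Gramine, Intel or the original poster: it names a few mbedTLS error codes, splits a combined code into its high-level and low-level parts, parses the secret-provisioning settings out of a manifest fragment (the one from the post, embedded here as a constructed sample with the Jinja loop removed), and checks them for consistency before suggesting where to look. The regex-based parsing, the finding messages and the assumption that SECRET_PROVISION_SERVERS is a semicolon-separated list are mine, not Gramine's.

```python
import re

# mbedTLS error values (from the mbedTLS headers) relevant to a failed
# secret-provisioning handshake; other codes are reported numerically.
MBEDTLS_ERRORS = {
    -0x0044: "MBEDTLS_ERR_NET_CONNECT_FAILED",
    -0x0052: "MBEDTLS_ERR_NET_UNKNOWN_HOST",
    -0x2700: "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED",
    -0x7100: "MBEDTLS_ERR_SSL_BAD_INPUT_DATA",
}

# Constructed sample: the manifest fragment from the post, Jinja loop removed.
SAMPLE_MANIFEST = '''
sgx.trusted_files = [
  "file:{{ entrypoint }}",
  "file:pytorchexample.py",
  "file:ssl/ca.crt",
]
sgx.remote_attestation = "dcap"
loader.env.LD_PRELOAD = "libsecret_prov_attest.so"
loader.env.SECRET_PROVISION_CONSTRUCTOR = "1"
loader.env.SECRET_PROVISION_SET_KEY = "default"
loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "ssl/ca.crt"
loader.env.SECRET_PROVISION_SERVERS = "localhost:4433"
'''

ENV_RE = re.compile(r'^\s*loader\.env\.([A-Za-z0-9_]+)\s*=\s*"([^"]*)"', re.M)
TRUSTED_RE = re.compile(r'"file:([^"]+)"')
RA_RE = re.compile(r'^\s*sgx\.remote_attestation\s*=\s*"([^"]*)"', re.M)


def decode_mbedtls_error(code):
    """Name the high-level (multiple of 0x80) and low-level (< 0x80) parts of a
    negative mbedTLS error code; mbedTLS adds the two parts together."""
    mag = -code
    names = []
    for part in (-(mag & 0xFF80), -(mag & 0x007F)):
        if part:
            names.append(MBEDTLS_ERRORS.get(part, f"unknown(-0x{-part:04X})"))
    return names


def parse_secret_prov_manifest(text):
    """Pull the loader.env entries, trusted file paths and RA type out of a manifest."""
    ra = RA_RE.search(text)
    return {
        "env": dict(ENV_RE.findall(text)),
        "trusted": set(TRUSTED_RE.findall(text)),
        "remote_attestation": ra.group(1) if ra else None,
    }


def check_secret_prov_manifest(text):
    """Static consistency checks on the secret-provisioning settings; returns a
    list of findings (empty means nothing obviously wrong in the manifest)."""
    m = parse_secret_prov_manifest(text)
    env, findings = m["env"], []
    if m["remote_attestation"] not in ("dcap", "epid"):
        findings.append('sgx.remote_attestation must be "dcap" or "epid" for RA-TLS')
    if "libsecret_prov_attest.so" not in env.get("LD_PRELOAD", ""):
        findings.append("LD_PRELOAD does not load libsecret_prov_attest.so")
    if env.get("SECRET_PROVISION_CONSTRUCTOR") != "1":
        findings.append('SECRET_PROVISION_CONSTRUCTOR is not "1"; provisioning will not run at startup')
    ca = env.get("SECRET_PROVISION_CA_CHAIN_PATH", "")
    if not ca:
        findings.append("SECRET_PROVISION_CA_CHAIN_PATH is not set")
    elif ca not in m["trusted"]:
        findings.append(f"CA chain {ca!r} is not listed in sgx.trusted_files, so the enclave cannot open it")
    # Assumption: entries are separated by ';' (the single entry on the page is unaffected).
    servers = [s for s in env.get("SECRET_PROVISION_SERVERS", "").split(";") if s]
    if not servers:
        findings.append("SECRET_PROVISION_SERVERS is empty")
    for s in servers:
        host, sep, port = s.rpartition(":")
        if not sep or not host or not port.isdigit():
            findings.append(f"server entry {s!r} is not host:port")
    return findings


def diagnose(code, text):
    """Combine the decoded mbedTLS error with the manifest checks into triage notes."""
    names = decode_mbedtls_error(code)
    notes = check_secret_prov_manifest(text)
    if {"MBEDTLS_ERR_NET_CONNECT_FAILED", "MBEDTLS_ERR_NET_UNKNOWN_HOST"} & set(names):
        notes.append(f"{', '.join(names)}: the TCP connection itself failed, before any TLS "
                     "or attestation step; confirm the provisioning server is listening on "
                     "each SECRET_PROVISION_SERVERS entry and is reachable from the host")
    elif "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED" in names:
        notes.append(f"{', '.join(names)}: TLS reached the server but its certificate did not "
                     "chain to SECRET_PROVISION_CA_CHAIN_PATH")
    elif names:
        notes.append(f"{', '.join(names)}: non-network error; rerun with loader.log_level = \"all\"")
    return notes


if __name__ == "__main__":
    for note in diagnose(-68, SAMPLE_MANIFEST):
        print(note)
```

For the codes in the post, -68 decodes to MBEDTLS_ERR_NET_CONNECT_FAILED, i.e. the TCP connection to localhost:4433 was never established, so the CA chain, RA_TLS_ALLOW_OUTDATED_TCB_INSECURE and the DCAP settings have not been consulted yet; -28928 decodes to MBEDTLS_ERR_SSL_BAD_INPUT_DATA, which is consistent with closing a TLS context that never completed setup. The manifest fragment itself passes every static check, which points the investigation at whether the server process is actually listening on that address when the enclave starts.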

Iffa_Intel
Moderator

Hi,
Could you send us:

  1. the logs (manifest.template) with loader.log_level = "all" for the complete Gramine log for us to further investigate.
  2. Your Gramine version


We highly recommend that you open an issue in the official Gramine GitHub repo as this is related to Gramine; here is the link for the repo: https://github.com/gramineproject/gramine/

They would be the correct experts to refer to for Gramine.
Cordially,

Iffa
mkd_
Novice

Hi Iffa,

Thank you for your reply.

I am using Gramine 1.5. Here are the version details - 

Package: gramine
Version: 1.5
Priority: optional
Section: misc
Maintainer: Wojtek Porczyk <woju@invisiblethingslab.com>
Installed-Size: 21.9 MB
Depends: libcurl4 (>= 7.58), libprotobuf-c1, python3, python3-click, python3-cryptography, python3-jinja2, python3-pyelftools, python3-tomli (>= 1.1.0), python3-tomli-w (>= 0.4.0)
Recommends: gramine-ratls-dcap, gramine-ratls-epid
Conflicts: gramine-oot
Breaks: gramine-dcap (<< 1.4~)
Replaces: gramine-dcap (<< 1.4~)
Homepage: https://gramine.readthedocs.io/
Download-Size: 3,351 kB
APT-Manual-Installed: yes
APT-Sources: https://packages.gramineproject.io jammy/main amd64 Packages
Description: A lightweight usermode guest OS designed to run a single Linux application

As the complete Gramine log is quite long, I am attaching a text file that contains the entire log for loader.log_level = "all".

Please let me know if you need further information. 

Sahira_Intel
Moderator

Hi,

The developers in the Gramine GitHub can better answer your question. I recommend posting it in:

https://github.com/gramineproject/gramine/issues
Sincerely,

Sahira