Remote Attestation Issue for DCAP in Gramine with Intel SGX #1059

Open
n7koirala opened this issue Oct 3, 2024 · 1 comment
n7koirala commented Oct 3, 2024

Hello,

I'm experiencing an issue with remote attestation using DCAP in Gramine on my Intel SGX-equipped computer. When running SGX applications with Gramine without attestation, everything works fine. The AESM service appears to be running correctly, as shown by the following output of sudo service aesmd status:


 aesmd.service - Intel(R) Architectural Enclave Service Manager
     Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-10-03 13:09:15 EDT; 29s ago
    Process: 2975769 ExecStartPre=/opt/intel/sgx-aesm-service/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 2975782 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975784 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975785 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975786 ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975787 ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 2975788 ExecStart=/opt/intel/sgx-aesm-service/aesm/aesm_service (code=exited, status=0/SUCCESS)
   Main PID: 2975789 (aesm_service)
      Tasks: 4 (limit: 153983)
     Memory: 3.3M
        CPU: 74ms
     CGroup: /system.slice/aesmd.service
             └─2975789 /opt/intel/sgx-aesm-service/aesm/aesm_service

systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
aesm_service[2975788]: aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
aesm_service[2975789]: The server sock is 0x55ad3bd672f0

However, when attempting to perform remote attestation, I encounter the following errors in the AESM service logs (sudo service aesmd status):

aesm_service[2975789]: [QCNL] Encountered CURL error: (7) Couldn't connect to server
aesm_service[2975789]: [QPL] Failed to get quote config. Error code is 0xb006
aesm_service[2975789]: [get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe019

The issue only occurs during remote attestation; local attestation works fine. How can I resolve this remote attestation issue for DCAP in Gramine? Are there additional configurations required for the AESM service to enable network communication for attestation? Any guidance or suggestions would be greatly appreciated, thank you!

@ScottR-Intel

Hello.

Error 0xb006 == SGX_QCNL_NETWORK_COULDNT_CONNECT

This usually means you have a network or proxy issue.
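
A connectivity check for the failure discussed in this thread, as an added example that is not part of the original issue or of Intel's or Gramine's code: it reads the PCCS URL that QCNL is configured to contact and attempts the plain TCP connection that CURL error 7 reports as failing. The config path `/etc/sgx_default_qcnl.conf` and the `pccs_url` / `PCCS_URL` key names are assumptions not stated on the page.

```python
import json
import re
import socket
import sys
from urllib.parse import urlsplit

# Assumption: default QCNL config location; the issue does not name it.
QCNL_CONF = "/etc/sgx_default_qcnl.conf"

def pccs_url_from_conf(text):
    """Return the PCCS URL from QCNL config text, or None if absent."""
    # Drop whole-line // and # comments; strict JSON rejects them.
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith(("//", "#")))
    try:
        conf = json.loads(body)              # JSON layout: "pccs_url": "..."
        return conf.get("pccs_url") if isinstance(conf, dict) else None
    except ValueError:
        # Older KEY=VALUE layout: PCCS_URL=https://...
        m = re.search(r"^\s*PCCS_URL\s*=\s*(\S+)", body, re.M)
        return m.group(1) if m else None

def endpoint(url):
    """Host and port QCNL would connect to for this URL."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def tcp_check(url, timeout=3.0):
    """Try the TCP connect that CURL error 7 says failed. Returns (ok, detail)."""
    host, port = endpoint(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"{host}:{port} accepts connections"
    except OSError as exc:                   # refused, timed out, DNS failure
        return False, f"{host}:{port} unreachable ({exc})"

if __name__ == "__main__":
    try:
        with open(QCNL_CONF) as fh:
            url = pccs_url_from_conf(fh.read())
    except OSError as exc:
        sys.exit(f"cannot read {QCNL_CONF}: {exc}")
    if not url:
        sys.exit(f"no PCCS URL found in {QCNL_CONF}")
    ok, detail = tcp_check(url)
    print(("OK: " if ok else "FAIL (matches 0xb006): ") + detail)
    sys.exit(0 if ok else 1)
```

aesm_service runs under systemd, so proxy variables exported in an interactive shell are not necessarily the ones it sees; a successful check from a shell rules out only the direct route.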
