incubator-teaclave
Got error when invoking echo function by python!
Hi, I am new to Intel SGX and Docker. I have successfully executed the Python code `builtin_echo.py` in simulation mode. But when I rebuilt the project and executed it in hardware mode, I got the same OpenSSL error message as in #305, as follows:
```
Traceback (most recent call last):
  File "builtin_echo.py", line 68, in <module>
    main()
  File "builtin_echo.py", line 60, in main
    rt = example.echo(message)
  File "builtin_echo.py", line 20, in echo
    ENCLAVE_INFO_PATH).connect().get_client()
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 145, in connect
    "authentication")
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 464, in _verify_report
    signing_cert = load_certificate(FILETYPE_ASN1, signing_cert)
  File "/home/ethtest/.local/lib/python3.6/site-packages/OpenSSL/crypto.py", line 1794, in load_certificate
    _raise_current_error()
  File "/home/ethtest/.local/lib/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_get_object', 'header too long')]
```
My operations are as follows:
- Install SGX driver, SDK and PSW at version 2.9, successfully run SampleEnclave
- Clone the code at the master branch and build Teaclave in hardware mode
- Set up IAS to obtain my own SPID and Primary key, and configure `/etc/aesmd.conf`
- Launch Teaclave services with specified environment variables
- Open another terminal and execute the Python code `builtin_echo.py`, but it reports the above error

I have even compared `keys/ias_root_ca_cert.pem` and `Intel_SGX_Attestation_RootCA.pem` downloaded from Intel IAS. But I don't know how to solve it, thanks for your help!
Thanks for the report. Can you print the TLS extension here: https://github.com/apache/incubator-teaclave/blob/47b8573df074ac1879aa082e5ea23d8d5baaee9d/sdk/python/teaclave.py#L459?
It seems that the signing certificate you got from the attestation report is invalid.
Thanks. I printed it, but its variables are NULL as follows:
```
{'report': [], 'signature': [], 'signing_cert': []}
Traceback (most recent call last):
  File "builtin_echo.py", line 68, in <module>
    main()
  File "builtin_echo.py", line 60, in main
    rt = example.echo(message)
  File "builtin_echo.py", line 20, in echo
    ENCLAVE_INFO_PATH).connect().get_client()
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 145, in connect
    "authentication")
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 465, in _verify_report
    signing_cert = load_certificate(FILETYPE_ASN1, signing_cert)
  File "/home/ethtest/.local/lib/python3.6/site-packages/OpenSSL/crypto.py", line 1794, in load_certificate
    _raise_current_error()
  File "/home/ethtest/.local/lib/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_get_object', 'header too long')]
```
OS is Ubuntu 18.04.5, and my SPID and Primary key are as follows:
```
ethtest@ethtest:docker$ echo $AS_SPID
7118C31619F0003A3F5EDC7D32E9AED0
ethtest@ethtest:docker$ echo $AS_KEY
27***d36a1************************************
```
And I use teaclave_sgx_tool and obtain its report as follows:
```
ethtest@ethtest:incubator-teaclave$ find ./ -name teaclave_sgx_tool
./build/target/untrusted/debug/teaclave_sgx_tool
./release/tool/teaclave_sgx_tool
ethtest@ethtest:incubator-teaclave$ ./build/target/untrusted/debug/teaclave_sgx_tool status
Vendor: GenuineIntel
CPU Model: Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz
SGX:
Has SGX: true
Has SGX1: true
Has SGX2: false
Supports ENCLV instruction leaves EINCVIRTCHILD, EDECVIRTCHILD, and ESETCONTEXT: false
Supports ENCLS instruction leaves ETRACKC, ERDINFO, ELDBC, and ELDUC: false
Bit vector of supported extended SGX features: 0x00000000
Maximum supported enclave size in non-64-bit mode: 2^31
Maximum supported enclave size in 64-bit mode: 2^36
Bits of SECS.ATTRIBUTES[127:0] set with ECREATE: 0x0000000000000036 (lower) 0x000000000000001F (upper)
EPC physical base: 0x0000000080200000
EPC size: 0x0000000005D80000 (93M)
Supports flexible launch control: true
SGX device: /dev/sgx false, /dev/isgx true
AESM service: true
Kernel module (isgx):
filename: /lib/modules/5.4.0-42-generic/kernel/drivers/intel/sgx/isgx.ko
license: Dual BSD/GPL
version: 2.6.0
author: Jarkko Sakkinen <[email protected]>
description: Intel SGX Driver
srcversion: F725A4ECA4194E2D2470F56
alias: acpi*:INT0E0C:*
depends:
retpoline: Y
name: isgx
vermagic: 5.4.0-42-generic SMP mod_unload
Kernel module (sgx):
modinfo: ERROR: Module sgx not found.
Kernel module (intel_sgx):
modinfo: ERROR: Module intel_sgx not found.
```
But, when I test attestation, it reports errors as follows:
```
ethtest@ethtest:incubator-teaclave$ ./build/target/untrusted/debug/teaclave_sgx_tool attestation --key XXX --spid XXX
Error: found SGX error: SGX_ERROR_ENCLAVE_FILE_ACCESS
ethtest@ethtest:incubator-teaclave$ ./release/tool/teaclave_sgx_tool attestation --key XXX --spid XXX --url https://api.trustedservices.intel.com:443 --algorithm sgx_epid
Error: found SGX error: SGX_ERROR_ENCLAVE_FILE_ACCESS
```
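As an added example (not code from the Teaclave SDK or from anyone in this thread): a pre-check that rejects the empty `report`, `signature` and `signing_cert` fields printed above with an explicit error, instead of letting them reach `load_certificate` and surface as an ASN.1 parsing error. It assumes each field arrives as a list of byte values, as in the printed dict; the function names, the exception name and the sample bytes are hypothetical.

```python
class AttestationReportError(Exception):
    """Raised when the attestation fields cannot be a usable report."""


REQUIRED_FIELDS = ("report", "signature", "signing_cert")

# Constructed sample: a DER SEQUENCE holding INTEGER 5. It is NOT a real
# certificate; it only exercises the DER framing check below.
SAMPLE_DER = [0x30, 0x03, 0x02, 0x01, 0x05]


def der_element_length(data: bytes) -> int:
    """Return header + body length of the first DER element, or raise."""
    if len(data) < 2:
        raise AttestationReportError("DER data shorter than a tag/length header")
    if data[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE
        raise AttestationReportError("not a DER SEQUENCE (tag 0x%02x)" % data[0])
    first = data[1]
    if first < 0x80:  # short form: the octet is the body length
        return 2 + first
    n = first & 0x7F  # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise AttestationReportError("invalid or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_attestation_fields(ext: dict) -> dict:
    """Fail closed on missing or empty fields; return the fields as bytes."""
    out = {}
    for name in REQUIRED_FIELDS:
        value = ext.get(name)
        if not value:
            raise AttestationReportError(
                f"attestation field '{name}' is empty; nothing to verify")
        out[name] = bytes(value)
    cert = out["signing_cert"]
    if der_element_length(cert) != len(cert):
        raise AttestationReportError(
            "signing_cert length does not match its DER header")
    return out


def describe(ext: dict) -> str:
    """Return 'ok' or the rejection reason for one set of fields."""
    try:
        check_attestation_fields(ext)
        return "ok"
    except AttestationReportError as exc:
        return str(exc)
```

The check only confirms that there is something well-framed to parse; signature and certificate-chain verification still have to follow it.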
@Agzs can you change to the `teaclave_sgx_tool` directory (`cd release/tool`) and execute the `attestation` subcommand again? Thanks.
@mssun, thanks, I did that as in #379 but got nothing:
```
ethtest@ethtest:tool$ ./teaclave_sgx_tool attestation --key XXX --spid 7118C31619F0003A3F5EDC7D32E9AED0
ethtest@ethtest:tool$ ./teaclave_sgx_tool attestation --key XXX --spid 7118C31619F0003A3F5EDC7D32E9AED0 --url https://api.trustedservices.intel.com:443 --algorithm sgx_epid
ethtest@ethtest:tool$ pwd
/home/ethtest/incubator-teaclave/release/tool
ethtest@ethtest:tool$ ll
total 77956
drwxr-xr-x 2 root root 4096 8月 27 16:56 ./
drwxr-xr-x 10 root root 4096 8月 27 16:49 ../
-rwxr-xr-x 1 root root 37968152 8月 31 16:52 teaclave_sgx_tool*
-rw-r--r-- 1 root root 41843008 8月 31 16:52 teaclave_sgx_tool_enclave.signed.so
```
Hi, in this PR #416, I have fixed the issue about error message printing. Can you pull the latest master and compile the teaclave sgx tool again? Then, you will get the error message in the standard output. Thanks.
@mssun Thanks, I do that, and get the error as follows:
```
ethtest@ethtest:tool$ pwd
/home/ethtest/incubator-teaclave/release/tool
ethtest@ethtest:tool$ ./teaclave_sgx_tool attestation --key XXX --spid XXX
Error: ServiceError
```
How to solve it? I am new to Intel SGX and Rust
Can you set the env var (`export TEACLAVE_LOG=debug`) before running the tool as well?
@mssun OK, there is the new report:
```
ethtest@ethtest:tool$ export TEACLAVE_LOG=debug
ethtest@ethtest:tool$ ./teaclave_sgx_tool attestation --key XXX --spid XXX
[2020-09-09T05:41:05Z DEBUG teaclave_binder::binder] EnclaveID: 30683246362626
[2020-09-09T05:41:05Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1001, 4 bytes
[2020-09-09T05:41:05Z DEBUG teaclave_service_enclave_utils] Enclave initializing
[2020-09-09T05:41:05Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
[2020-09-09T05:41:05Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1004, b8 bytes
[2020-09-09T05:41:05Z DEBUG teaclave_sgx_tool_enclave] handle_invoke
[2020-09-09T05:41:05Z ERROR teaclave_sgx_tool_enclave] Failed to start the service: EOF while parsing a value at line 1 column 0
[2020-09-09T05:41:05Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 69, 114, 114, 34, 58, 34, 83, 101, 114, 118, 105, 99, 101, 69, 114, 114, 111, 114, 34, 125]
[2020-09-09T05:41:05Z DEBUG teaclave_binder::binder] Dropping TeeBinder, start finalize().
[2020-09-09T05:41:05Z DEBUG teaclave_binder::ipc::app] ecall_ipc_app_to_tee: 1002, 4 bytes
[2020-09-09T05:41:05Z DEBUG teaclave_sgx_tool_enclave] handle_invoke
[2020-09-09T05:41:05Z DEBUG teaclave_service_enclave_utils] Enclave finalizing
[2020-09-09T05:41:05Z DEBUG teaclave_binder::ipc::app] ecall_ipc_entry_point OK. App Received Buf: [123, 34, 79, 107, 34, 58, 110, 117, 108, 108, 125]
Error: ServiceError
```
Thanks
This is weird. Can you add some prints in the following enclave file so that I can know which function failed?
https://github.com/apache/incubator-teaclave/blob/500e624e25b7ab9f4580c7b9b7a72a7e367983e0/tool/enclave/src/lib.rs#L38-L67
It seems that L39 failed, but I don't know what causes this issue. If yes, please also help me to print the `raw_json_input.json` value. This should be a valid JSON string.
@mssun Thanks. I solved it and got another error.
OK. I removed the files (code, images, SGX driver, PSW and SDK) related to this project and rebooted the local machine, then cloned the latest Teaclave code (commit: 500e624) and configured it as in My First Function. And now, I execute the `attestation` subcommand with `teaclave_sgx_tool` and obtain the same information as the example in #379. I think that some environment variables work after rebooting the system, and we should execute `cd incubator-teaclave && sudo rm -rf build/ release/` before changing between different modes!
However, I get another error running the sample code as follows; its services exited with code 0.
```
ethtest@ethtest:docker$ docker-compose -f docker-compose-ubuntu-1804.yml up --build
...
Creating teaclave-storage-service ... done
Creating teaclave-authentication-service ... done
Creating teaclave-access-control-service ... done
Creating teaclave-scheduler-service ... done
Creating teaclave-management-service ... done
Creating teaclave-execution-service ... done
Creating teaclave-frontend-service ... done
Attaching to teaclave-storage-service, teaclave-authentication-service, teaclave-access-control-service, teaclave-scheduler-service, teaclave-management-service, teaclave-execution-service, teaclave-frontend-service
teaclave-management-service exited with code 0
teaclave-frontend-service exited with code 0
^CGracefully stopping... (press Ctrl+C again to force)
Stopping teaclave-execution-service ... done
Stopping teaclave-scheduler-service ... done
Stopping teaclave-access-control-service ... done
Stopping teaclave-storage-service ... done
Stopping teaclave-authentication-service ... done
```
I start these containers again, and it reports as follows:
```
ethtest@ethtest:docker$ docker-compose -f docker-compose-ubuntu-1804.yml start
Starting teaclave-authentication-service ... done
Starting teaclave-storage-service ... done
Starting teaclave-access-control-service ... done
Starting teaclave-management-service ... done
Starting teaclave-frontend-service ... done
Starting teaclave-scheduler-service ... done
Starting teaclave-execution-service ... done
ethtest@ethtest:docker$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
53a17668ea1c docker_teaclave-frontend-service "./teaclave_frontend…" 35 minutes ago Up 5 seconds 0.0.0.0:7777->7777/tcp teaclave-frontend-service
2063a9b4e8c3 docker_teaclave-execution-service "./teaclave_executio…" 35 minutes ago Up 5 seconds 17770/tcp teaclave-execution-service
8604fea14482 docker_teaclave-management-service "./teaclave_manageme…" 35 minutes ago Exited (0) Less than a second ago teaclave-management-service
9ab6aefa993f docker_teaclave-scheduler-service "./teaclave_schedule…" 35 minutes ago Up 6 seconds 17780/tcp teaclave-scheduler-service
826f5b39b51a docker_teaclave-access-control-service "./teaclave_access_c…" 35 minutes ago Up 7 seconds 17779/tcp teaclave-access-control-service
38525e9ba87a docker_teaclave-storage-service "./teaclave_storage_…" 35 minutes ago Up 6 seconds 17778/tcp teaclave-storage-service
85199bcec12b docker_teaclave-authentication-service "./teaclave_authenti…" 35 minutes ago Up 7 seconds 0.0.0.0:7776->7776/tcp, 17776/tcp teaclave-authentication-service
```
And, I run it again and again, all services are starting as follows, note the status of docker_teaclave-management-service
```
ethtest@ethtest:docker$ docker-compose -f docker-compose-ubuntu-1804.yml start
Starting teaclave-authentication-service ... done
...
Starting teaclave-execution-service ... done
ethtest@ethtest:docker$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
53a17668ea1c docker_teaclave-frontend-service "./teaclave_frontend…" 36 minutes ago Up 27 seconds 0.0.0.0:7777->7777/tcp teaclave-frontend-service
2063a9b4e8c3 docker_teaclave-execution-service "./teaclave_executio…" 36 minutes ago Up 27 seconds 17770/tcp teaclave-execution-service
8604fea14482 docker_teaclave-management-service "./teaclave_manageme…" 36 minutes ago Up 3 seconds 17777/tcp teaclave-management-service
9ab6aefa993f docker_teaclave-scheduler-service "./teaclave_schedule…" 36 minutes ago Up 27 seconds 17780/tcp teaclave-scheduler-service
826f5b39b51a docker_teaclave-access-control-service "./teaclave_access_c…" 36 minutes ago Up 29 seconds 17779/tcp teaclave-access-control-service
38525e9ba87a docker_teaclave-storage-service "./teaclave_storage_…" 36 minutes ago Up 28 seconds 17778/tcp teaclave-storage-service
85199bcec12b docker_teaclave-authentication-service "./teaclave_authenti…" 36 minutes ago Up 29 seconds 0.0.0.0:7776->7776/tcp, 17776/tcp teaclave-authentication-service
```
Then I run the sample code, but cannot get the result after waiting some time as follows:
```
ethtest@ethtest:python$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
53a17668ea1c docker_teaclave-frontend-service "./teaclave_frontend…" 45 minutes ago Up 9 minutes 0.0.0.0:7777->7777/tcp teaclave-frontend-service
2063a9b4e8c3 docker_teaclave-execution-service "./teaclave_executio…" 45 minutes ago Up 9 minutes 17770/tcp teaclave-execution-service
8604fea14482 docker_teaclave-management-service "./teaclave_manageme…" 45 minutes ago Up 8 minutes 17777/tcp teaclave-management-service
9ab6aefa993f docker_teaclave-scheduler-service "./teaclave_schedule…" 45 minutes ago Up 9 minutes 17780/tcp teaclave-scheduler-service
826f5b39b51a docker_teaclave-access-control-service "./teaclave_access_c…" 45 minutes ago Up 9 minutes 17779/tcp teaclave-access-control-service
38525e9ba87a docker_teaclave-storage-service "./teaclave_storage_…" 45 minutes ago Up 9 minutes 17778/tcp teaclave-storage-service
85199bcec12b docker_teaclave-authentication-service "./teaclave_authenti…" 45 minutes ago Up 9 minutes 0.0.0.0:7776->7776/tcp, 17776/tcp teaclave-authentication-service
ethtest@ethtest:python$ pwd
/home/ethtest/incubator-teaclave/examples/python
ethtest@ethtest:python$ PYTHONPATH=../../sdk/python python3 builtin_echo.py 'Hello, Teaclave!'
[+] registering user
[+] login
[+] registering function
[+] creating task
[+] invoking task
[+] getting result
^CTraceback (most recent call last):
  File "builtin_echo.py", line 85, in <module>
    main()
  File "builtin_echo.py", line 77, in main
    rt = example.echo(message)
  File "builtin_echo.py", line 67, in echo
    result = client.get_task_result(task_id)
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 431, in get_task_result
    time.sleep(1)
KeyboardInterrupt
ethtest@ethtest:python$ SGX_MODE=SW PYTHONPATH=../../sdk/python python3 builtin_echo.py 'Hello, Teaclave!'
[+] registering user
[+] login
[+] registering function
[+] creating task
[+] invoking task
[+] getting result
^CTraceback (most recent call last):
  File "builtin_echo.py", line 85, in <module>
    main()
  File "builtin_echo.py", line 77, in main
    rt = example.echo(message)
  File "builtin_echo.py", line 67, in echo
    result = client.get_task_result(task_id)
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 431, in get_task_result
    time.sleep(1)
KeyboardInterrupt
```
Overall, I tested Teaclave and found that:
Firstly, compile Teaclave in Hardware mode: it reports the error (named ERROR-1) as mentioned above and cannot get the final result
```
...
[+] function return: b'Hello, Teaclave!'
```
Secondly, compile Teaclave in Simulation mode: the sample code runs successfully.
Thirdly, compile Teaclave in Hardware mode, but run its sample code and it reports the error (named ERROR-2) described in the first comment of this issue (#411).
However, I execute `cd incubator-teaclave && sudo rm -rf build/ release/` and compile Teaclave in Hardware mode, then run its sample code and it reports errors (named ERROR-3) as follows:
```
ethtest@ethtest:python$ PYTHONPATH=../../sdk/python python3 builtin_echo.py 'Hello, Teaclave!'
[+] registering user
[+] login
[+] registering function
Traceback (most recent call last):
  File "builtin_echo.py", line 85, in <module>
    main()
  File "builtin_echo.py", line 77, in main
    rt = example.echo(message)
  File "builtin_echo.py", line 56, in echo
    arguments=["message"])
  File "/home/ethtest/incubator-teaclave/sdk/python/teaclave.py", line 374, in register_function
    return response["content"]["function_id"]
KeyError: 'content'
```
Finally, I remove teaclave project, clone and compile it again in Hardware mode, it recurs ERROR-1.
I just want to try to compile and run teaclave for testing SGX, and I don't know how to solve them.
Hi @Agzs, sorry for the late reply. I am still trying to figure out your issues. Since I cannot reproduce the problem you have, can you provide some logs of the services when executing the function by setting the env var to `TEACLAVE_LOG=debug`?