Hello world sample errors in the Mystikos base container

Open jxyang opened this issue 3 years ago • 2 comments

To repro:

  1. Build the base container with .jenkins/docker/base/build.sh
  2. docker run -it --device /dev/sgx/enclave:/dev/sgx/enclave --device /dev/sgx/provision:/dev/sgx/provision docker.io/library/mystikos-bionic:latest
  3. Inside the container:
    apt update && apt install -y docker.io git build-essential make cryptsetup-bin
    git clone https://github.com/deislabs/mystikos.git
    cd mystikos/samples/helloworld/cpiorootfs
    make && make run
    

Here is the output:

>> root@168c40899d1e:/mystikos/samples/helloworld/cpiorootfs# make run
echo "Generating a signed package"
Generating a signed package
Created myst/bin/hello

echo "Running Mystikos packaged application. No myst exec-sgx necessary"
Running Mystikos packaged application. No myst exec-sgx necessary
./myst/bin/hello red green blue
[init ../../../psw/ae/aesm_service/source/core/ipc/UnixCommunicationSocket.cpp:225] Failed to connect to socket /var/run/aesmd/aesm.socket
2022-02-16T21:13:22+0000.372126Z [(H)ERROR] tid(0x7f70dba65b80) | SGX AESM service unavailable (oe_result_t=OE_SERVICE_UNAVAILABLE) [/source/mystikos/third_party/openenclave/openenclave/host/sgx/sgxquote.c:_load_quote_ex_library_once:479]
Hello world!
I received: argv[0]={/bin/hello}, argv[1]={red}, argv[2]={green}, argv[3]={blue}
=== passed test (/bin/hello)


jxyang, Feb 16 '22 21:02

For in-proc attestation for the specific Mystikos sample here, the libsgx-dcap-ql-dev library seems to be required and is not on the base container by default. Installing the library resolves the issue. However, Open Enclave does not require this library for their samples.

It would be good to know why Mystikos requires the extra dev library here, as I'd like to avoid adding dev packages into the base container.

CyanDevs, Feb 16 '22 22:02

@salsal97 has updated the docker sample to use the Mystikos base image in PR https://github.com/deislabs/mystikos/pull/1281.

The task that remains is understanding why SGX_AESM_ADDR is not needed for out of proc attestation in Mystikos. This is assigned to @radhikaj.

radhikaj, Apr 01 '22 18:04
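
A preflight check for the pieces this thread names, written as an added example (it is not part of the issue or of the Mystikos project). It reports whether the SGX devices from the `docker run` line, the AESM socket from the error output, and the `libsgx-dcap-ql-dev` package are present, and what `SGX_AESM_ADDR` is set to. The function name, the optional root-prefix argument and the dpkg `.list` heuristic are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Mystikos code. Inspects a container filesystem for the
# attestation prerequisites mentioned in this issue.
#
# $1 (optional): filesystem prefix to inspect; empty means the live system.
# The prefix is a hypothetical parameter that lets the check run against a
# constructed directory tree.
sgx_attest_preflight() {
    root="${1:-}"

    # Devices passed through by the --device flags in the repro steps.
    devices=ok
    for dev in /dev/sgx/enclave /dev/sgx/provision; do
        if [ ! -e "$root$dev" ]; then devices=missing; fi
    done

    # Out-of-proc path: socket path taken from the error line in the output.
    aesm_socket=no
    if [ -e "$root/var/run/aesmd/aesm.socket" ]; then aesm_socket=yes; fi

    # In-proc path: the thread reports libsgx-dcap-ql-dev as the missing piece.
    # Heuristic (assumption): dpkg keeps a <pkg>[:arch].list file per package.
    dcap_dev=no
    for f in "$root"/var/lib/dpkg/info/libsgx-dcap-ql-dev*.list; do
        if [ -e "$f" ]; then dcap_dev=yes; fi
    done

    # Only reported, not interpreted: the thread leaves open how Mystikos
    # treats this variable.
    aesm_addr="${SGX_AESM_ADDR:+set}"

    echo "devices=$devices aesm_socket=$aesm_socket dcap_dev=$dcap_dev SGX_AESM_ADDR=${aesm_addr:-unset}"

    # Fail when a device is missing or when neither quote-generation
    # prerequisite named in the thread is present.
    [ "$devices" = ok ] || return 1
    [ "$aesm_socket" = yes ] || [ "$dcap_dev" = yes ]
}

# Run against the live system, or against a prefix given as the first argument.
sgx_attest_preflight "$@" || echo "preflight: attestation prerequisites missing" >&2
```

In the container from the repro steps this would report both the socket and the dev package as absent, which matches the two log lines printed before `Hello world!`.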