Can't start consensu node with SGX2

Question

Can't start consensu node with SGX2

quangtuyen88 opened this issue 6 months ago · comments

cpuid -1 | grep SGX
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = true
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                           = true
      SGX2 supported                           = true
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT       = true
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = true
   SGX attributes: ECREATE SECS.ATTRIBUTES (0x12/1):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x2):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x3):

log of ceseal container :

EBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.213.0/path/_common/glob_to_reg_exp.ts
DEBUG RS - deno::file_fetcher:550 - FileFetcher::fetch() - specifier: https://deno.land/std@0.213.0/path/posix/_util.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:344 - FileFetcher::fetch_remote() - specifier: https://deno.land/std@0.213.0/path/posix/_util.ts
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted net access to "deno.land"
DEBUG RS - deno::file_fetcher:254 - FileFetcher::fetch_cached - specifier: https://deno.land/std@0.213.0/path/posix/_util.ts
DEBUG RS - deno::npm::managed::resolution:313 - Snapshot already up to date. Skipping pending resolution.
DEBUG RS - deno::module_loader:218 - Prepared module load.
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/opt/ceseal/releases/current"
Current /opt/ceseal/releases/24013112
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/opt/ceseal/releases/24013112/data/protected_files/runtime-data.seal"
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/opt/ceseal/backups"
No previous version, no need to handover!
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/opt/ceseal/releases/24013112"
DEBUG RS - deno_runtime::permissions:86 - ⚠️️  Granted read access to "/opt/ceseal/backups/24013112"
'/opt/ceseal/backups/24013112' already exists.
Work dir '/opt/ceseal/releases/24013112'
Data dir '/opt/ceseal/releases/24013112/data'
Starting Ceseal with extra opts '--role=full '
Ceseal will running in hardware mode
Gramine is starting. Parsing TOML manifest file, this may take some time...
error: AESM service returned error 31; this may indicate that infrastructure for the EPID attestation requested by Gramine is missing on this machine
error: load_enclave() failed with error: Operation not permitted (EPERM)
ceseal exited with code 255

AstaFrode commented 5 months ago

@0xbillw

Demos Chiang · Answer 1 · Sun Feb 18 2024 11:51:18 GMT+0800 (China Standard Time)

ceseal uses EPID remote attestation , you know it does not support SGX2 yet.

Demos Chiang · Answer 2 · Sun Feb 18 2024 11:58:28 GMT+0800 (China Standard Time)

please move this issue with #240 into cess project. @quangtuyen88