Gramine runtime does not build dcap on debian #213
Comments
I think this one:
Is missing in the BUILDING docker template.

Yes, I agree, there is no reason not to enable DCAP on Debian. I don't think there is any explanation for the Debian omission, just a historical bug.
Could you tell us the exact error and what exactly you ran? In the Dockerfiles, we actually have the installation of the required SGX packages; you found it yourself:
@anjalirai-intel @jinengandhi-intel @jkr0103 Is there anything more you could add?

The error I get:
The binary I try to launch in gramine links to these (ignore
On the graminized container there is the dcap lib (when I remove the
But I don't see any of Intel's sgx libraries:

@szymek156 Thanks for this exploration! Can you try adding these lines (gsc/templates/debian/Dockerfile.compile.template, lines 44 to 45 in fcf9654):
to the Dockerfile.build file, somewhere after here:
I think your original suspicion is correct, and we miss the installation of the SGX DCAP library in Dockerfile.build. But then I don't understand how our tests work for the Ubuntu ones, if they fail for Debian as you found out...

Hey @dimakuv, I was busy with other stuff, but this one struck me again. Here you can see the changes I made in order to finally build and run verification: I had to add
This package provides
Calling
That, it turns out, is because
Is problematic; it needs to point to a valid PCCS server address. What I found out is to mount the file from the host machine while running the container:
And in the manifest file add these:
This works; verification goes as expected. However, now gramine yells at me that allowed_files are insecure... I wonder if there is a better way of doing this? Another approach I tried:
So my image contains a valid sgx_default_qcnl.conf file from the beginning.
In order to include that file in the final graminized image. However, this does not work because, during the build of the unsigned graminized image, I get the following error:
The file already exists (as expected) and dpkg expects user interaction, but will not get it, since it is a docker image build. What do you think, is it possible to have a valid qcnl.conf and not rely on a host mount for that file? Or did I do something completely wrong? Maybe installing
I would like to avoid string substitution in that file during startup of my enclave. I prefer a clean solution where the file is somehow provided.

No, this sounds correct.
I think the default choice (
The simplest thing you can do is to learn the hash of your config file (
Now you can run the Docker container with

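The allowed_files versus trusted_files distinction from the exchange above, as an added example that is not code from this issue, from GSC or from the Gramine project. An `sgx.allowed_files` entry lets the enclave open whatever happens to be mounted at the path with no integrity check, which is why Gramine warns that it is insecure. An `sgx.trusted_files` entry with a pinned SHA-256 is measured into the signed manifest, so a file mounted at run time is only accepted if its bytes match what was hashed at build/sign time. The block computes the digest the same way `sha256sum` reports it, emits both manifest forms, and models the open-time check, including the failure case of a swapped or edited config. Assumptions, not taken from the issue: the `{ uri = "file:...", sha256 = "..." }` entry form, the path `/etc/sgx_default_qcnl.conf`, and the constructed JSON config whose `pccs_url` is a placeholder host.

```python
"""Measured (trusted_files) vs. merely allowed (allowed_files) config file.

Added example, not from the GSC issue or the Gramine project. The manifest
entry form `{ uri = "file:...", sha256 = "..." }`, the config path and the
sample config contents below are assumptions made for this illustration.
"""
import hashlib
import hmac
import json
import re

# Assumed path; matches the default DCAP QCNL config location used in the issue.
QCNL_PATH = "/etc/sgx_default_qcnl.conf"

# Constructed sample config: the PCCS URL is a placeholder, not a real host.
SAMPLE_QCNL = json.dumps({
    "pccs_url": "https://pccs.example.internal:8081/sgx/certification/v4/",
    "use_secure_cert": True,
}, indent=2).encode() + b"\n"


def sha256_hex(data: bytes) -> str:
    """Digest of the file contents, exactly as `sha256sum` would print it."""
    return hashlib.sha256(data).hexdigest()


def allowed_files_entry(path: str) -> str:
    """Insecure form: whatever is mounted at `path` is accepted unverified."""
    return f'sgx.allowed_files = [ "file:{path}" ]'


def trusted_files_entry(path: str, contents: bytes) -> str:
    """Measured form: pin the hash so that a different file fails to open."""
    return (
        "sgx.trusted_files = [\n"
        f'  {{ uri = "file:{path}", sha256 = "{sha256_hex(contents)}" }},\n'
        "]"
    )


# Extracts (path, sha256) pairs from the trusted_files fragment built above.
_ENTRY_RE = re.compile(
    r'uri\s*=\s*"file:([^"]+)"\s*,\s*sha256\s*=\s*"([0-9a-f]{64})"'
)


def manifest_hashes(manifest_fragment: str) -> dict:
    """Return the pinned {path: sha256} map found in a trusted_files fragment."""
    return {path: digest for path, digest in _ENTRY_RE.findall(manifest_fragment)}


def enclave_open_allowed(manifest_fragment: str, path: str, contents: bytes) -> bool:
    """Model the open-time decision for a trusted file.

    True only when `path` is pinned in the manifest and the bytes presented
    at run time hash to the pinned value. A path that is not pinned, or a
    file that was edited or swapped on the host mount, is rejected.
    """
    pinned = manifest_hashes(manifest_fragment).get(path)
    if pinned is None:
        return False
    return hmac.compare_digest(pinned, sha256_hex(contents))


if __name__ == "__main__":
    print(allowed_files_entry(QCNL_PATH))
    print(trusted_files_entry(QCNL_PATH, SAMPLE_QCNL))
```

With the pinned entry in the manifest, the real config is still bind-mounted from the host at run time (as the issue describes), but any change to it on the host makes the enclave's open fail instead of silently pointing quote verification at a different PCCS.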
@dimakuv The trusted_files approach works like a charm! Thank you! Should I prepare a pull request?

Hm, isn't it enough to add

Btw, officially Intel SGX SDK/PSW/DCAP is not supported on Debian; at least I don't see the corresponding packages here: https://download.01.org/intel-sgx/sgx_repo
So I'm not sure it would be correct for GSC to "support" DCAP libraries from Ubuntu that run in a Debian Docker container. I think that's the main reason why we have

True, the debian distro should not include ubuntu packages. I changed my base Docker image to use ubuntu:22.04; the graminized one still returns an error
I am using gsc on commit 3168b08 (latest master). Seems like
Is not working.
I am using the config.yaml that looks like so:
and call the command:
The Dockerfile.compile looks like so:
Note the lack of

@szymek156 Looks like you found a recently introduced regression bug in GSC. I created PR #216 to fix it. Can you try it?

I tried, and it works; however, I do not understand at which stage the libsgx libs (libsgx-dcap-default-qpl-dev) go into the final image?

@szymek156 I'm also not sure :) Could it be that this line that installs the DCAP QuoteVerification package also installs the QPL-dev package?

Nah, a mistake in my environment: the build scripts were still using my forked repo, sorry for the confusion. Now, building using your #216, it breaks as expected:
adding
so adding to that:

@dimakuv I think adding

Any particular reason for enabling dcap only for Ubuntu?
https://github.com/gramineproject/gsc/blob/master/templates%2FDockerfile.common.compile.template#L33
I removed the if statement locally and graminized a debian image. Building worked, but during execution I get the error that some Intel sgx library is missing (I don't remember exactly the name, I am on mobile now).
I assume that in the Dockerfile, the build step installing Intel's sgx packages misses the attestation verification package.
From git blame, it seems like the if statement I removed for my local experiment should be more like:
'if not centos then dcap=enable'??