This is my unit file:
# systemd unit for the Intel SGX Architectural Enclave Service Manager (aesm_service).
[Unit]
Description=Intel(R) Architectural Enclave Service Manager
After=syslog.target network.target auditd.service
# Ordered after, and pulls in, remount-dev-exec.service (that unit is not shown here).
After=remount-dev-exec.service
Wants=remount-dev-exec.service
[Service]
# The daemon started by ExecStart= runs as the unprivileged aesmd account.
User=aesmd
Type=forking
Environment=NAME=aesm_service
Environment=AESM_PATH=/opt/intel/sgxpsw/aesm
# The dynamic loader searches this directory before the system library paths.
# NOTE(review): confirm /opt/intel/sgxpsw/aesm is writable by root only.
Environment=LD_LIBRARY_PATH=/opt/intel/sgxpsw/aesm
WorkingDirectory=/opt/intel/sgxpsw/aesm
# With PermissionsStartOnly=true, User= applies to ExecStart= only. Every ExecStartPre=
# line below (including linksgx.sh) and ExecReload= therefore run with full privileges.
# Newer systemd releases document per-command prefixes such as "+" as the replacement.
PermissionsStartOnly=true
# NOTE(review): linksgx.sh runs privileged; its contents are not shown here. Confirm it
# is root-owned and not writable by the aesmd account.
ExecStartPre=/opt/intel/sgxpsw/aesm/linksgx.sh
# Runtime directory, handed to aesmd and left world-readable (0755).
# NOTE(review): RuntimeDirectory= would let systemd create this with the right owner
# instead of a privileged recursive chown.
ExecStartPre=/bin/mkdir -p /var/run/aesmd/
ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/
ExecStartPre=/bin/chmod 0755 /var/run/aesmd/
# Persistent state directory, restricted to the aesmd user and group (0750).
ExecStartPre=/bin/mkdir -p /var/opt/aesmd/
ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/
ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/
ExecStart=/opt/intel/sgxpsw/aesm/aesm_service
# Hides /home from the service. InaccessibleDirectories= is the legacy spelling of
# InaccessiblePaths=.
InaccessibleDirectories=/home
ExecReload=/bin/kill -SIGHUP $MAINPID
Restart=on-failure
RestartSec=15s
# DevicePolicy=closed limits device access to the standard pseudo devices plus the
# DeviceAllow= entries below, which list SGX device nodes under several names.
# NOTE(review): presumably these cover different SGX driver variants - confirm which
# nodes exist on the target system and drop the ones that are not needed.
DevicePolicy=closed
DeviceAllow=/dev/isgx rw
DeviceAllow=/dev/sgx rw
DeviceAllow=/dev/sgx/enclave rw
DeviceAllow=/dev/sgx/provision rw
[Install]
WantedBy=multi-user.target
Any suggestions on what I could do?
make[3]: *** Waiting for unfinished jobs....
g++ -c -Wnon-virtual-dtor -std=c++11 -fstack-protector -O0 -ggdb -DDEBUG -UNDEBUG -DSE_DEBUG_LEVEL=SE_TRACE_DEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks -mindirect-branch-register -mfunction-return=thunk-extern -fno-plt -Wa,-mlfence-after-load=yes -Wa,-mlfence-before-ret=not -nostdinc++ -Werror -fno-rtti -fno-exceptions -I/home/user/src/aur/linux-sgx-sdk/src/linux-sgx/common/inc/ -I/home/user/src/aur/linux-sgx-sdk/src/linux-sgx/common/inc/internal/ -I/home/user/src/aur/linux-sgx-sdk/src/linux-sgx/common/inc/tlibc -I/home/user/src/aur/linux-sgx-sdk/src/linux-sgx/sdk/trts/ sgx_rsrv_mem.cpp -o sgx_rsrv_mem.o
as: unrecognized option '-mlfence-after-load=yes'
make[3]: *** [Makefile:56: mm_vrd.o] Error 1
make[3]: *** Waiting for unfinished jobs....
as: unrecognized option '-mlfence-after-load=yes'
make[3]: *** [Makefile:55: sethread_cond.o] Error 1
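From what I can tell, -mlfence-after-load is a new option of as, the GNU assembler (see: https://www.phoronix.com/scan.php?page= … tack-perf). I do not have these options in my installation; the end of its option list is shown below. The flag is part of the load-fence hardening added for the Load Value Injection (LVI) mitigation, so removing it from the build just to get past the error would produce an SDK without that mitigation.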
-momit-lock-prefix=[no|yes] (default: no)
strip all lock prefixes
-mfence-as-lock-add=[no|yes] (default: no)
encode lfence, mfence and sfence as
lock addl $0x0, (%{re}sp)
-mrelax-relocations=[no|yes] (default: yes)
generate relax relocations
-malign-branch-boundary=NUM (default: 0)
align branches within NUM byte boundary
-malign-branch=TYPE[+TYPE...] (default: jcc+fused+jmp)
TYPE is combination of jcc, fused, jmp, call, ret,
indirect
specify types of branches to align
-malign-branch-prefix-size=NUM (default: 5)
align branches with NUM prefixes per instruction
-mbranches-within-32B-boundaries
align branches within 32 byte boundary
-mamd64 accept only AMD64 ISA [default]
-mintel64 accept only Intel64 ISA
Report bugs to <https://bugs.archlinux.org/>
➜ linux-sgx-sdk as --version
GNU assembler (GNU Binutils) 2.34.0
Copyright (C) 2020 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or later.
This program has absolutely no warranty.
This assembler was configured for a target of `x86_64-pc-linux-gnu'.
I can see that binutils is outdated (despite having the latest from pacman). Here is the version on the sgx-approved Ubuntu 18.04.
root@609418c96f9a:~# as --version
GNU assembler (GNU Binutils) 2.34.50.20200320
Copyright (C) 2020 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or later.
This program has absolutely no warranty.
This assembler was configured for a target of `x86_64-pc-linux-gnu'.
The PKGBUILD:
# Maintainer: promach
# Package identity. pkgver is only the initial value; the pkgver() function
# in this PKGBUILD recomputes it from the git checkout.
pkgname='linux-sgx-sdk'
pkgver='r335.3ea0560d'
pkgrel='1'
pkgdesc='Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification'
arch=(i686 x86_64)
url='https://01.org/intel-softwareguard-extensions'
license=(GPL)

# No runtime dependencies are declared; the tools below are build-time only.
groups=()
depends=()
makedepends=(
  cmake protobuf libunwind
  ocaml ocamlbuild
  automake autoconf libtool
  wget python openssl git
)
optdepends=()
provides=()
conflicts=()
replaces=()
backup=()

# '!buildflags' stops makepkg from exporting the CFLAGS/CXXFLAGS/LDFLAGS set
# in makepkg.conf, so any hardening flags configured there are not applied.
options=('!buildflags')
install=''
changelog=''

# The git source carries no #commit= or #tag= fragment, so every build takes
# whatever the default branch currently points at. 'SKIP' turns checksum
# verification off, which is the usual setting for VCS sources.
# NOTE(review): pin a commit if reproducible, reviewable builds are required.
source=('git+https://github.com/intel/linux-sgx.git')
noextract=()
md5sums=(SKIP) # generate with 'makepkg -g'
build() {
  # Builds the SDK and its installer package from the git checkout.
  #
  # download_prebuilt.sh is executed from the checkout before compiling.
  # NOTE(review): presumably it downloads prebuilt binaries (wget is in
  # makedepends); those are outside the source/checksum arrays, so confirm
  # the script verifies what it fetches.
  #
  # DEBUG=1 is passed to both SDK targets.
  # NOTE(review): presumably a debug build; confirm that is what should be
  # packaged.
  local -a targets=(sdk sdk_install_pkg)
  local target

  cd "$srcdir/linux-sgx"
  ./download_prebuilt.sh
  make clean
  for target in "${targets[@]}"; do
    make "$target" DEBUG=1
  done
}
pkgver() {
  # Prints the version as r<commit count>.<abbreviated HEAD hash>, taken from
  # the checkout in $srcdir/linux-sgx.
  local commit_count short_hash

  cd "$srcdir/linux-sgx"
  commit_count=$(git rev-list --count HEAD)
  short_hash=$(git rev-parse --short HEAD)
  printf "r%s.%s" "$commit_count" "$short_hash"
}
package() {
  # Stages the SDK under $pkgdir/opt/intel/sgxsdk by unpacking the tarball
  # produced by the sdk_install_pkg target. Earlier attempts that ran the .bin
  # installer or `make DESTDIR=... install` are not used here.
  local dest="$pkgdir/opt/intel/sgxsdk"
  local tarball=linux/installer/common/sdk/output/sgxsdk_1.0.orig.tar.gz

  cd "$srcdir/linux-sgx"
  install -dm 755 "$dest"
  # --no-same-owner: do not restore the owners recorded in the archive.
  # Only the "package" member is extracted, with its leading path component
  # stripped.
  bsdtar -xf "$tarball" -C "$dest" --strip-components 1 --no-same-owner package
}
==> Starting package()...
/home/phung/Downloads/intel_sgx/intel_sgx_psw/PKGBUILD: line 48: /home/phung/Downloads/intel_sgx/intel_sgx_psw/pkg/linux-sgx-psw/opt/intel/sgxpsw/lib64/libsgx_enclave_common.so.1: No such file or directory
==> ERROR: A failure occurred in package().
If I use cp "$pkgdir/opt/intel/sgxpsw/lib64/libsgx_enclave_common.so" "$pkgdir/opt/intel/sgxpsw/lib64/libsgx_enclave_common.so.1" instead of ln command, then I have the above error.
[phung@archlinux intel_sgx_psw]$ ls -al /home/phung/Downloads/intel_sgx/intel_sgx_psw/pkg/linux-sgx-psw/opt/intel/sgxpsw/lib64/
total 14940
drwxr-xr-x 2 phung phung 4096 Mar 11 15:17 .
drwxr-xr-x 5 phung phung 4096 Mar 11 15:17 ..
-rwxr-xr-x 1 phung phung 439160 Mar 11 15:17 libsgx_enclave_common.so
-rwxr-xr-x 1 phung phung 4450952 Mar 11 15:17 libsgx_epid.so
-rwxr-xr-x 1 phung phung 4439728 Mar 11 15:17 libsgx_launch.so
-rwxr-xr-x 1 phung phung 4449240 Mar 11 15:17 libsgx_quote_ex.so
-rwxr-xr-x 1 phung phung 68336 Mar 11 15:17 libsgx_uae_service.so
-rwxr-xr-x 1 phung phung 1432344 Mar 11 15:17 libsgx_urts.so
[phung@archlinux intel_sgx_psw]$
[phung@archlinux intel_sgx_psw]$ ldd /home/phung/Downloads/intel_sgx/intel_sgx_psw/pkg/linux-sgx-psw/opt/intel/sgxpsw/lib64/libsgx_enclave_common.so
linux-vdso.so.1 (0x00007ffc279f5000)
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f6b2a130000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f6b29f47000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f6b29e01000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f6b29de7000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f6b29c21000)
/usr/lib64/ld-linux-x86-64.so.2 (0x00007f6b2a1b4000)
[phung@archlinux intel_sgx_psw]$
[phung@archlinux intel_sgx_psw]$ readelf -d /home/phung/Downloads/intel_sgx/intel_sgx_psw/pkg/linux-sgx-psw/opt/intel/sgxpsw/lib64/libsgx_enclave_common.so
Dynamic section at offset 0x12c88 contains 31 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library: [libstdc++.so.6]
0x0000000000000001 (NEEDED) Shared library: [libm.so.6]
0x0000000000000001 (NEEDED) Shared library: [libgcc_s.so.1]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000e (SONAME) Library soname: [libsgx_enclave_common.so.1]
0x000000000000000c (INIT) 0x2000
0x000000000000000d (FINI) 0xce20
0x0000000000000019 (INIT_ARRAY) 0x13c60
0x000000000000001b (INIT_ARRAYSZ) 24 (bytes)
0x000000000000001a (FINI_ARRAY) 0x13c78
0x000000000000001c (FINI_ARRAYSZ) 16 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x260
0x0000000000000005 (STRTAB) 0x6f0
0x0000000000000006 (SYMTAB) 0x2a0
0x000000000000000a (STRSZ) 969 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000003 (PLTGOT) 0x13eb8
0x0000000000000002 (PLTRELSZ) 768 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0xd10
0x0000000000000007 (RELA) 0xbd8
0x0000000000000008 (RELASZ) 312 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x0000000000000018 (BIND_NOW)
0x000000006ffffffb (FLAGS_1) Flags: NOW
0x000000006ffffffe (VERNEED) 0xb18
0x000000006fffffff (VERNEEDNUM) 4
0x000000006ffffff0 (VERSYM) 0xaba
0x000000006ffffff9 (RELACOUNT) 6
0x0000000000000000 (NULL) 0x0
[phung@archlinux intel_sgx_psw]$
Generated psw installer: ./linux/installer/bin/sgx_linux_x64_psw_2.8.100.3.bin
==> Entering fakeroot environment...
==> Starting package()...
/home/phung/Downloads/intel_sgx/intel_sgx_psw/PKGBUILD: line 40: 17908 Segmentation fault (core dumped) "$pkgdir/opt/intel/sgxpsw/lib64/libsgx_enclave_common.so"
==> ERROR: A failure occurred in package().
Aborting...
[promach@archlinux intel_sgx_psw]$
I have the above error when I try to use the following PKGBUILD. Why ?
# Maintainer: promach
# Package identity for the platform software (PSW). pkgver is the initial
# value; the pkgver() function in this PKGBUILD recomputes it from git.
pkgname='linux-sgx-psw'
pkgver='r300.9ddec08f'
pkgrel='1'
pkgdesc='Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification'
arch=(i686 x86_64)
url='https://01.org/intel-softwareguard-extensions'
license=(GPL)

# No runtime dependencies are declared; the tools below are build-time only.
groups=()
depends=()
makedepends=(
  cmake protobuf libunwind
  ocaml ocamlbuild
  automake autoconf libtool
  wget python openssl git
)
optdepends=()
provides=()
conflicts=()
replaces=()
backup=()

# '!buildflags' keeps makepkg from exporting the compiler and linker flags
# from makepkg.conf, so hardening flags configured there do not reach this
# build.
options=('!buildflags')
install=''
changelog=''

# Unpinned git source (no #commit= or #tag= fragment) with checksum
# verification skipped, as is usual for VCS sources: each build takes the
# current default-branch head.
# NOTE(review): pin a commit if the packaged code must be reviewable.
source=('git+https://github.com/intel/linux-sgx.git')
noextract=()
md5sums=(SKIP) # generate with 'makepkg -g'
build() {
  # Builds the PSW and its installer package from the git checkout.
  #
  # download_prebuilt.sh is executed from the checkout before compiling.
  # NOTE(review): presumably it downloads prebuilt binaries (wget is in
  # makedepends); they are not covered by the source/checksum arrays, so
  # confirm the script verifies them.
  #
  # DEBUG=1 is passed to both PSW targets.
  # NOTE(review): presumably a debug build; confirm that is intended for an
  # installed service.
  local -a targets=(psw psw_install_pkg)
  local target

  cd "$srcdir/linux-sgx"
  ./download_prebuilt.sh
  make clean
  for target in "${targets[@]}"; do
    make "$target" DEBUG=1
  done
}
pkgver() {
  # Prints r<commit count>.<abbreviated HEAD hash> for the checkout in
  # $srcdir/linux-sgx.
  local commit_count short_hash

  cd "$srcdir/linux-sgx"
  commit_count=$(git rev-list --count HEAD)
  short_hash=$(git rev-parse --short HEAD)
  printf "r%s.%s" "$commit_count" "$short_hash"
}
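package() {
  # Stages the PSW tree under $pkgdir/opt/intel/sgxpsw and adds the SONAME
  # link for libsgx_enclave_common.
  #
  # Globals:  srcdir, pkgdir (read)
  # Returns:  0 on success, non-zero as soon as a step fails
  local prefix="$pkgdir/opt/intel/sgxpsw"
  local soname_link="$prefix/lib64/libsgx_enclave_common.so.1"

  cd "$srcdir/linux-sgx" || return 1
  install -dm 755 "$prefix" || return 1
  # --no-same-owner: do not restore the owners recorded in the archive.
  bsdtar -xf linux/installer/common/psw/output/sgxpsw_1.0.orig.tar.gz \
    -C "$prefix" --strip-components 1 --no-same-owner package || return 1

  # ln -s takes TARGET first, then LINK_NAME. The tarball ships
  # libsgx_enclave_common.so, whose SONAME is libsgx_enclave_common.so.1, so
  # the link to create is the .so.1 name pointing at the shipped file. The
  # original call had the two swapped, naming an existing file as the link.
  # The target is relative on purpose: an absolute "$pkgdir/..." target would
  # record the build directory in the package and dangle after installation.
  ln -s libsgx_enclave_common.so "$soname_link"
}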
Moving the .so files is how this is meant to be installed, but changing the loader search order has essentially the same effect without modifying /usr/lib.
It seems like the SDK is properly installed, but the PSW needs its .so files moved to the /usr/lib directory. The makefiles do a lot of symlinking and moving of .so files.
The two commands you posted above did not move the .so files to the /usr/lib directory though.
Did you miss anything ?
Did you miss any other commands ?
# Maintainer: promach
# Package identity. pkgver is the initial value; the pkgver() function in
# this PKGBUILD recomputes it from the git checkout.
pkgname='linux-sgx-sdk'
pkgver='r300.9ddec08f'
pkgrel='1'
pkgdesc='Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification'
arch=(i686 x86_64)
url='https://01.org/intel-softwareguard-extensions'
license=(GPL)

# Only build-time tools are declared; depends is empty.
groups=()
depends=()
makedepends=(
  cmake protobuf libunwind
  ocaml ocamlbuild
  automake autoconf libtool
  wget python openssl git
)
optdepends=()
provides=()
conflicts=()
replaces=()
backup=()

# With '!buildflags' makepkg does not export the flags from makepkg.conf, so
# hardening flags configured there are not applied to this build.
options=('!buildflags')
install=''
changelog=''

# The git URL has no #commit= or #tag= fragment and the checksum is 'SKIP'
# (usual for VCS sources), so the build uses whatever the default branch
# holds at build time.
# NOTE(review): pin a commit for reproducible builds.
source=('git+https://github.com/intel/linux-sgx.git')
noextract=()
md5sums=(SKIP) # generate with 'makepkg -g'
build() {
  # Builds the SDK and its installer package from the git checkout.
  #
  # NOTE(review): download_prebuilt.sh presumably fetches prebuilt binaries
  # at build time (wget is in makedepends); they bypass the source/checksum
  # arrays, so confirm the script verifies them.
  # NOTE(review): DEBUG=1 is passed to both targets; presumably a debug
  # build, so confirm it is meant to be packaged.
  local -a targets=(sdk sdk_install_pkg)
  local target

  cd "$srcdir/linux-sgx"
  ./download_prebuilt.sh
  make clean
  for target in "${targets[@]}"; do
    make "$target" DEBUG=1
  done
}
pkgver() {
  # Prints r<commit count>.<abbreviated HEAD hash> for the checkout in
  # $srcdir/linux-sgx.
  local commit_count short_hash

  cd "$srcdir/linux-sgx"
  commit_count=$(git rev-list --count HEAD)
  short_hash=$(git rev-parse --short HEAD)
  printf "r%s.%s" "$commit_count" "$short_hash"
}
package() {
  # Stages the SDK under $pkgdir/opt/intel/sgxsdk from the tarball produced
  # by the sdk_install_pkg target. The .bin installer and
  # `make DESTDIR=... install` routes are not used here.
  local dest="$pkgdir/opt/intel/sgxsdk"
  local tarball=linux/installer/common/sdk/output/sgxsdk_1.0.orig.tar.gz

  cd "$srcdir/linux-sgx"
  install -dm 755 "$dest"
  # --no-same-owner: do not restore the owners recorded in the archive.
  bsdtar -xf "$tarball" -C "$dest" --strip-components 1 --no-same-owner package
}
# Maintainer: promach
# Package identity for the platform software (PSW). pkgver is the initial
# value; the pkgver() function in this PKGBUILD recomputes it from git.
pkgname='linux-sgx-psw'
pkgver='r300.9ddec08f'
pkgrel='1'
pkgdesc='Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification'
arch=(i686 x86_64)
url='https://01.org/intel-softwareguard-extensions'
license=(GPL)

# Only build-time tools are declared; depends is empty.
groups=()
depends=()
makedepends=(
  cmake protobuf libunwind
  ocaml ocamlbuild
  automake autoconf libtool
  wget python openssl git
)
optdepends=()
provides=()
conflicts=()
replaces=()
backup=()

# With '!buildflags' the flags from makepkg.conf (including any hardening
# flags set there) are not exported to this build.
options=('!buildflags')
install=''
changelog=''

# Unpinned git source with checksum verification skipped (usual for VCS
# sources): the build uses the default-branch head as of build time.
# NOTE(review): pin a commit if the packaged code must be reviewable.
source=('git+https://github.com/intel/linux-sgx.git')
noextract=()
md5sums=(SKIP) # generate with 'makepkg -g'
build() {
  # Builds the PSW and its installer package from the git checkout.
  #
  # NOTE(review): download_prebuilt.sh presumably fetches prebuilt binaries
  # at build time (wget is in makedepends); they bypass the source/checksum
  # arrays, so confirm the script verifies them.
  # NOTE(review): DEBUG=1 is passed to both targets; presumably a debug
  # build, so confirm it is meant to be installed.
  local -a targets=(psw psw_install_pkg)
  local target

  cd "$srcdir/linux-sgx"
  ./download_prebuilt.sh
  make clean
  for target in "${targets[@]}"; do
    make "$target" DEBUG=1
  done
}
pkgver() {
  # Prints r<commit count>.<abbreviated HEAD hash> for the checkout in
  # $srcdir/linux-sgx.
  local commit_count short_hash

  cd "$srcdir/linux-sgx"
  commit_count=$(git rev-list --count HEAD)
  short_hash=$(git rev-parse --short HEAD)
  printf "r%s.%s" "$commit_count" "$short_hash"
}
package() {
  # Stages the PSW tree under $pkgdir/opt/intel/sgxpsw from the tarball
  # produced by the psw_install_pkg target.
  # NOTE(review): nothing here creates libsgx_enclave_common.so.1, the SONAME
  # of the shipped libsgx_enclave_common.so; that link has to be provided
  # some other way after installation.
  local dest="$pkgdir/opt/intel/sgxpsw"
  local tarball=linux/installer/common/psw/output/sgxpsw_1.0.orig.tar.gz

  cd "$srcdir/linux-sgx"
  install -dm 755 "$dest"
  # --no-same-owner: do not restore the owners recorded in the archive.
  bsdtar -xf "$tarball" -C "$dest" --strip-components 1 --no-same-owner package
}
Here are the commands I ran afterwards:
# Hard link (no -s) created by hand as root, so the library is also reachable
# under the name libsgx_enclave_common.so.1. The package manager does not
# track this file.
sudo ln /opt/intel/sgxpsw/lib64/libsgx_enclave_common.so /opt/intel/sgxpsw/lib64/libsgx_enclave_common.so.1
# Replaces any LD_LIBRARY_PATH already set in this shell. The PSW directory is
# listed first, so its libraries are found before the SDK's copies.
export LD_LIBRARY_PATH=/opt/intel/sgxpsw/lib64:/opt/intel/sgxsdk/lib64:/usr/lib/x86_64-linux-gnu
It seems like the sdk is properly installed, but the psw needs to move the .so files to the /usr/lib directory. The makefiles have a lot of symlinking and moving of .so files.
To anyone who just found this thread: the commands posted here are NOT a recommended installation method.
I used the same ones that you posted, but after installing them I created some symlinks and load against the psw libraries first.
I posted several PKGBUILDs across multiple posts in this thread; which PKGBUILD do you mean, exactly?
I'm not very familiar with Arch PKGBUILDs.
It seems like there are a lot of symlinks that are made when make install is run, but it is not clear to me how to incorporate these into the PKGBUILD.
The exact commands I used to get stuff working were
# Manual step run as root: a hard link (no -s) that makes the library
# available under the name libsgx_enclave_common.so.1. The file is created
# outside the package, so pacman will not track or remove it.
sudo ln /opt/intel/sgxpsw/lib64/libsgx_enclave_common.so /opt/intel/sgxpsw/lib64/libsgx_enclave_common.so.1
# Overwrites (does not extend) LD_LIBRARY_PATH for the current shell; the PSW
# directory comes first so its libraries take precedence over the SDK's.
export LD_LIBRARY_PATH=/opt/intel/sgxpsw/lib64:/opt/intel/sgxsdk/lib64:/usr/lib/x86_64-linux-gnu
Could you please paste your PKGBUILDs here in plain text ?
That will help a lot of people in the future.
The libsgx_urts.so you are looking for under /usr/lib is located at both /opt/intel/sgxpsw/lib64/libsgx_urts.so and /opt/intel/sgxsdk/lib64/libsgx_urts.so.
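If you are running a simulated build you should use the sgxsdk version. A simulated build can be made with make SGX_MODE=SIM; simulation mode does not execute the enclave on SGX hardware, so it is suitable for development and testing only.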
If you are running a regular build you are expected to use the sgxpsw version.
Also note that some of the sample code from the software demos you are running are out of date and will fail to link.
HelloWorld should work fine though.
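# Intel SGX SDK environment: exposes the SDK's tools, pkg-config files and
# libraries to the current shell.
#
# Only the SDK's lib64 is added to the loader path; /opt/intel/sgxpsw/lib64/
# is not. An application that must load the PSW copy of a library has to get
# that directory onto the loader path some other way.
export SGX_SDK=/opt/intel/sgxsdk
export PATH="$PATH:$SGX_SDK/bin:$SGX_SDK/bin/x64"

# ${VAR:+$VAR:} adds the existing value and a separating colon only when VAR
# is set and non-empty. The original guarded LD_LIBRARY_PATH this way with an
# if/else but left PKG_CONFIG_PATH with a stray leading ':' (an empty entry)
# when it was unset; both now use the same guard. For the loader an empty
# entry means the current working directory, so it must never appear there.
export PKG_CONFIG_PATH="${PKG_CONFIG_PATH:+$PKG_CONFIG_PATH:}$SGX_SDK/pkgconfig"
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$SGX_SDK/lib64:/usr/lib/x86_64-linux-gnu"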
I used the above environment script together with the two PKGBUILDs from the previous post.
However, I have a problem running the SGX software demo, which gives the following error:
[phung@archlinux HelloEnclave]$ ./app
Please use the correct uRTS library from PSW package.
Error: Unexpected error occurred.
Enter a character before exit ...[phung@archlinux HelloEnclave]$
When I searched for relevant solution, I found that I do not have this file /usr/lib/libsgx_urts.so installed
In this case, how should I modify the PKGBUILD for the SDK?
When I try to use the following PKGBUILD, I just have the following error:
sed: can't read /home/phung/Downloads/intel_sgx/intel_sgx_sdk/pkg/linux-sgx-sdk/opt/intel/sgxsdk/sgxsdk/pkgconfig/libsgx_uae_service_sim.pc: No such file or directory
make: *** [Makefile:89: update_pkgconfig] Error 2
I found the actual location of the above file at src/opt/intel/sgxsdk/sgxsdk/pkgconfig/libsgx_uae_service_sim.pc:Name: libsgx_uae_service_sim
# Maintainer: promach
# Package identity. pkgver is the initial value; the pkgver() function in
# this PKGBUILD recomputes it from the git checkout.
pkgname='linux-sgx-sdk'
pkgver='r300.9ddec08f'
pkgrel='1'
pkgdesc='Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification'
arch=(i686 x86_64)
url='https://01.org/intel-softwareguard-extensions'
license=(GPL)

# Only build-time tools are declared; depends is empty.
groups=()
depends=()
makedepends=(
  cmake protobuf libunwind
  ocaml ocamlbuild
  automake autoconf libtool
  wget python openssl git
)
optdepends=()
provides=()
conflicts=()
replaces=()
backup=()

# '!buildflags': the flags from makepkg.conf, including any hardening flags
# configured there, are not exported to this build.
options=('!buildflags')
install=''
changelog=''

# Unpinned git source (no #commit= or #tag= fragment); 'SKIP' disables
# checksum verification, as is usual for VCS sources.
# NOTE(review): pin a commit if builds must be reproducible.
source=('git+https://github.com/intel/linux-sgx.git')
noextract=()
md5sums=(SKIP) # generate with 'makepkg -g'
build() {
  # Builds the SDK and the self-extracting installer that package() runs.
  #
  # NOTE(review): download_prebuilt.sh presumably fetches prebuilt binaries
  # at build time (wget is in makedepends); they bypass the source/checksum
  # arrays, so confirm the script verifies them.
  # NOTE(review): DEBUG=1 is passed to both targets; presumably a debug
  # build, so confirm it is meant to be packaged.
  local -a targets=(sdk sdk_install_pkg)
  local target

  cd "$srcdir/linux-sgx"
  ./download_prebuilt.sh
  make clean
  for target in "${targets[@]}"; do
    make "$target" DEBUG=1
  done
}
pkgver() {
  # Prints r<commit count>.<abbreviated HEAD hash> for the checkout in
  # $srcdir/linux-sgx.
  local commit_count short_hash

  cd "$srcdir/linux-sgx"
  commit_count=$(git rev-list --count HEAD)
  short_hash=$(git rev-parse --short HEAD)
  printf "r%s.%s" "$commit_count" "$short_hash"
}
package() {
  # Runs the generated self-extracting SDK installer from
  # linux/installer/bin, feeding it two answer lines on stdin: "no", then the
  # staging directory. The echo -e, `make DESTDIR=... install` and bsdtar
  # variants tried earlier are not used here.
  #
  # NOTE(review): the installer is handed a path under $pkgdir, so any
  # absolute path it writes into generated files would point into the build
  # tree rather than /opt/intel/sgxsdk - verify the installed files.
  # NOTE(review): presumably the installer appends its own "sgxsdk" directory
  # to the path it is given; confirm the resulting layout.
  local dest="$pkgdir/opt/intel/sgxsdk"

  cd "$srcdir/linux-sgx/linux/installer/bin"
  install -dm 755 "$dest"
  printf 'no\n%s\n' "$dest" | ./sgx_linux_x64_sdk_*.bin
}