google / asylo
An open and flexible framework for developing enclave applications
Home Page: https://asylo.dev
License: Apache License 2.0
Compiling a new Asylo version (0.5.1), I get the following error:
external/com_google_asylo/asylo/crypto/aes_gcm_siv.h:76:1: error: attribute 'deprecated' is ignored, place it after "class" to apply attribute to type declaration [-Werror,-Wignored-attributes]
ABSL_DEPRECATED("AesGcmSivCryptor will be removed in a future release")
^
external/com_google_absl/absl/base/macros.h:149:49: note: expanded from macro 'ABSL_DEPRECATED'
#define ABSL_DEPRECATED(message) __attribute__((deprecated(message)))
cc @tiziano88
The Bazel rule sgx.generate_sigstruct, defined in asylo/asylo/distrib/sgx_x86_64/linux_sgx_2_6.patch (lines 5136 to 5170 in 361737d), is not generating an actual SIGSTRUCT (it generates some other structure), because the parameter gendata uses only header and body (without including key and buffer, which are also present in SIGSTRUCT), as shown here:
https://github.com/intel/linux-sgx/blob/d10cabebb5512878e84f5d21cdf27c39c428ffe2/sdk/sign_tool/SignTool/sign_tool.cpp#L528-L548
with the SIGSTRUCT definition here:
https://github.com/intel/linux-sgx/blob/d10cabebb5512878e84f5d21cdf27c39c428ffe2/common/inc/internal/arch.h#L240-L245
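To inspect what a generated SIGSTRUCT actually contains, here is an added example (not Asylo's or Intel's code) that splits the 1808-byte structure into the header, key, body and buffer regions named above, following the field offsets in the linked arch.h, and verifies the RSA-3072/e=3 signature over header || body (the input the arch.h comments describe for the signature field) together with the q1/q2 helper quotients. The signing key, build date, attribute values and enclave hash are constructed for the demo.

```python
"""Parse and verify an SGX SIGSTRUCT (enclave_css_t) using the field layout of the
linux-sgx arch.h linked above: header (128 B) | key (772 B) | body (128 B) |
buffer (780 B) = 1808 bytes.  Added example; not Asylo's or Intel's code."""
import hashlib
import random
import struct

SIGSTRUCT_SIZE = 1808
HEADER = slice(0, 128)       # css_header_t
MODULUS = slice(128, 512)    # css_key_t.modulus, 3072-bit little-endian
EXPONENT = slice(512, 516)   # css_key_t.exponent, uint32 little-endian (must be 3)
SIGNATURE = slice(516, 900)  # css_key_t.signature, little-endian
BODY = slice(900, 1028)      # css_body_t
Q1 = slice(1040, 1424)       # css_buffer_t.q1 (after 12 reserved bytes)
Q2 = slice(1424, 1808)       # css_buffer_t.q2
# EMSA-PKCS1-v1_5 DigestInfo prefix for SHA-256.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def le_int(b):
    return int.from_bytes(b, "little")

def le_bytes(x, n=384):
    return x.to_bytes(n, "little")

def signed_data(css):
    """Bytes the SIGSTRUCT signature covers: header || body (256 bytes)."""
    if len(css) != SIGSTRUCT_SIZE:
        raise ValueError("SIGSTRUCT must be exactly 1808 bytes")
    return css[HEADER] + css[BODY]

def pkcs1_v15_encode(msg, k=384):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def q1_q2(s, n):
    """Quotients SGX precomputes so hardware can check s^3 mod n without a
    big-number division: q1 = s^2 // n, q2 = (s^3 - q1*s*n) // n."""
    q1 = s * s // n
    return q1, (s ** 3 - q1 * s * n) // n

def verify_sigstruct(css):
    """Check the RSA-3072/e=3 signature over header||body and the q1/q2 fields."""
    n, e, s = le_int(css[MODULUS]), le_int(css[EXPONENT]), le_int(css[SIGNATURE])
    if e != 3 or n.bit_length() != 3072 or not 0 < s < n:
        return False
    if pow(s, e, n) != int.from_bytes(pkcs1_v15_encode(signed_data(css)), "big"):
        return False
    return (le_int(css[Q1]), le_int(css[Q2])) == q1_q2(s, n)

# --- Demo-only key generation and a constructed SIGSTRUCT for a hypothetical enclave ---
_SMALL_PRIMES = [p for p in range(3, 1000) if all(p % d for d in range(2, int(p ** 0.5) + 1))]

def _is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if any(n % p == 0 for p in _SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa3072_e3(seed=1):
    """Seeded (reproducible) RSA-3072 key with public exponent 3; demo use only."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        p = rng.getrandbits(1536) | (3 << 1534) | 1  # top two bits set -> n is 3072 bits
        if (p - 1) % 3 and _is_probable_prime(p, rng):  # e=3 needs gcd(3, p-1) == 1
            primes.append(p)
    p, q = primes
    return p * q, pow(3, -1, (p - 1) * (q - 1))  # (n, d); needs Python >= 3.8

def build_sample_sigstruct(n, d, mrenclave, isv_prod_id=1, isv_svn=1, debug=False):
    """Assemble a SIGSTRUCT for a constructed enclave and sign header||body with d."""
    header = (bytes.fromhex("06000000e100000000000100")                       # header magic
              + struct.pack("<III", (1 << 31) if debug else 0, 0, 20240101)  # type, vendor, date
              + bytes.fromhex("01010000600000006000000001000000")            # header2 magic
              + bytes(88))                                                   # hw_version + reserved
    attrs = struct.pack("<QQ", 0x4 | (0x2 if debug else 0), 0x3)  # flags (MODE64BIT[, DEBUG]), xfrm
    body = (bytes(28) + attrs + struct.pack("<QQ", 0x6, 0)        # misc/rsvd/family, attributes, mask
            + mrenclave + bytes(32) + struct.pack("<HH", isv_prod_id, isv_svn))
    s = pow(int.from_bytes(pkcs1_v15_encode(header + body), "big"), d, n)
    q1, q2 = q1_q2(s, n)
    return header + le_bytes(n) + struct.pack("<I", 3) + le_bytes(s) + body + bytes(12) + le_bytes(q1) + le_bytes(q2)
```

Flipping any byte of the enclave_hash (offset 960) or of q1 makes verify_sigstruct return False, while bytes in the key or buffer regions other than modulus, exponent, signature, q1 and q2 are outside both the signature and the check.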
I'm trying to use local attestation for an SGX enclave.
But when a local client connects to the enclave through gRPC, I get the following error on the client side (the server side doesn't show any errors):
2019-11-19 14:03:07 ERROR client_ekep_handshaker.cc : 307 : Assertion could not be verified: ::asylo::error::GoogleErrorSpace::INTERNAL: MAC verification failed
2019-11-19 14:03:07 ERROR client_ekep_handshaker.cc : 99 : ::asylo::error::EkepErrorSpace::Bad assertion: Assertion could not be verified
I have tried to debug this in gdb and got these results:
(gdb) p/x actual_mac.data_
$8 = {0xe4, 0x66, 0x51, 0x28, 0x7e, 0x72, 0x45, 0x86, 0x4b, 0xeb, 0x1, 0x17, 0xa, 0x13, 0xc4, 0xc0}
(gdb) p/x report.mac.data_
$9 = {0x75, 0x8a, 0xfb, 0xaa, 0x6d, 0x1e, 0x8c, 0xa4, 0x4b, 0xa4, 0x24, 0x58, 0x15, 0x37, 0xf6, 0x7c}
in file asylo/asylo/identity/sgx/sgx_identity_util_internal.cc (lines 731 to 733 in befb2ef).
So the MACs are different, but I'm not sure why or how that could be.
Here are the main code snippets used in this example:
Enclave assertion initialization:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/server/asylo/asylo_oak_manager.cc#L81-L91
Enclave channel creation:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/server/oak_grpc_node.cc#L33-L43
Client assertion initialization:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/client/application_client.h#L144-L160
Client channel creation:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/client/application_client.h#L97-L99
On a fresh AWS VM without SGX capability, the simulation mode described in the hello world example doesn't work:
(base) ubuntu@ip-XX-XX:~$ sudo docker run -it --rm -v bazel-cache:/root/.cache/bazel -v "${MY_PROJECT}":/opt/my-project -w /opt/my-project gcr.io/asylo-framework/asylo bazel run --config=enc-sim //hello_world -- --names="${NAMES}"
Starting local Bazel server and connecting to it...
INFO: Analysed target //hello_world:hello_world (64 packages loaded, 3883 targets configured).
INFO: Found 1 target...
Target //hello_world:hello_world up-to-date:
bazel-bin/hello_world/hello_world
INFO: Elapsed time: 18.350s, Critical Path: 7.03s
INFO: 12 processes: 12 processwrapper-sandbox.
INFO: Build completed successfully, 20 total actions
Loading hello_world/hello_enclave.so
2019-06-22 11:47:01 WARNING untrusted_sgx.cc : 62 : Failed to create an enclave, attempt=0, status=1
2019-06-22 11:47:01 ERROR enclave_manager.cc : 324 : LoadEnclave failed: ::asylo::error::SgxErrorSpace::Unexpected error: Failed to create an enclave
2019-06-22 11:47:01 FATAL hello_driver.cc : 55 : Load hello_world/hello_enclave.so failed: ::asylo::error::SgxErrorSpace::Unexpected error: Failed to create an enclave
The VM runs a stock Ubuntu 18.04, with no customisation, just Docker CE 18.09 installed.
The same example runs fine on my SGX-enabled laptop (Debian testing).
➜ /tmp docker run -it --rm -v bazel-cache:/root/.cache/bazel -v "${MY_PROJECT}":/opt/my-project -w /opt/my-project gcr.io/asylo-framework/asylo bazel run --config=enc-sim //hello_world -- --names="${NAMES}"
Starting local Bazel server and connecting to it...
INFO: Analysed target //hello_world:hello_world (64 packages loaded, 3883 targets configured).
INFO: Found 1 target...
Target //hello_world:hello_world up-to-date:
bazel-bin/hello_world/hello_world
INFO: Elapsed time: 24.240s, Critical Path: 5.69s
INFO: 12 processes: 12 processwrapper-sandbox.
INFO: Build completed successfully, 20 total actions
Loading hello_world/hello_enclave.so
2019-06-22 11:55:43 INFO hello_enclave.cc : 40 : Hello jopasserat
2019-06-22 11:55:43 INFO hello_enclave.cc : 42 : Incrementing visitor count...
Message from enclave: Hello jopasserat! You are visitor #1 to this enclave.
Does the simulation mode need an SGX device/driver/SDK installed to work?
I'm trying to compile the newest version of Asylo (as a dependency in Oak) and get the following errors:
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/grpc/util/BUILD", line 91
cc_library(<6 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library
native.cc_library(<1 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library
_add_tags(attrs)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags
attrs["tags"] += [_MIGRATION_TAG]
trying to mutate a frozen object
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD", line 37
cc_library(name = "system", <4 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library
native.cc_library(<1 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library
_add_tags(attrs)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags
attrs["tags"] += [_MIGRATION_TAG]
trying to mutate a frozen object
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/posix/BUILD", line 52
cc_library(<4 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library
native.cc_library(<1 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library
_add_tags(attrs)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags
attrs["tags"] += [_MIGRATION_TAG]
trying to mutate a frozen object
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/BUILD", line 70
cc_library(<8 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library
native.cc_library(<1 more arguments>)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library
_add_tags(attrs)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags
attrs["tags"] += [_MIGRATION_TAG]
trying to mutate a frozen object
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo:implementation' contains an error and its package is in error (this is usually caused by a missing package group in the package-level visibility declaration)
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/arpa/nameser.h' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/arpa/nameser_compat.h' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/sys/sysmacros.h' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/cmath' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo_toolchain/toolchain/BUILD:43:1: Target '@com_google_asylo//asylo/platform/posix:posix_headers' contains an error and its package is in error and referenced by '@com_google_asylo_toolchain//toolchain:everything'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo_toolchain/toolchain/BUILD:43:1: Target '@com_google_asylo//asylo/platform/system:system_headers' contains an error and its package is in error and referenced by '@com_google_asylo_toolchain//toolchain:everything'
I tried to compile different commits, and it looks like the problem is caused by commit ee9a7db.
If I use any preceding commit, everything works fine.
The error I get:
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:62:5: note: previous definition of '_open' was here
 int _open(char *file, int flags, int mode)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:167:5: error: redefinition of '_read'
 int _read(int file, char *ptr, int len)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:67:5: note: previous definition of '_read' was here
 int _read(int file, char *ptr, int len)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:172:7: error: redefinition of '_sbrk'
 void* _sbrk(int incr)
       ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:72:7: note: previous definition of '_sbrk' was here
 void* _sbrk(int incr)
       ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:177:5: error: redefinition of '_stat'
 int _stat(const char *file, struct stat *st)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:77:5: note: previous definition of '_stat' was here
 int _stat(const char *file, struct stat *st)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:182:5: error: redefinition of '_times'
 int _times(struct tms *buf)
     ^~~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:82:5: note: previous definition of '_times' was here
 int _times(struct tms *buf)
     ^~~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:187:5: error: redefinition of '_unlink'
 int _unlink(char* name)
     ^~~~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:87:5: note: previous definition of '_unlink' was here
 int _unlink(char* name)
     ^~~~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:192:5: error: redefinition of '_wait'
 int _wait(int *status)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:92:5: note: previous definition of '_wait' was here
 int _wait(int *status)
     ^~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:197:5: error: redefinition of '_write'
 int _write(int file, char *ptr, int len)
     ^~~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:97:5: note: previous definition of '_write' was here
 int _write(int file, char *ptr, int len)
     ^~~~~~
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c: In function '_exit':
/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:10:1: warning: 'noreturn' function does return
 }
 ^
Makefile:258: recipe for target 'enclave.o' failed
make[3]: *** [enclave.o] Error 1
make[3]: Leaving directory '/tmp/build-d9TN/build-newlib/x86_64-enclave/libgloss/enclave'
Makefile:132: recipe for target 'stmp-bsp' failed
make[2]: *** [stmp-bsp] Error 2
make[2]: Leaving directory '/tmp/build-d9TN/build-newlib/x86_64-enclave/libgloss'
Makefile:9527: recipe for target 'all-target-libgloss' failed
make[1]: *** [all-target-libgloss] Error 2
make[1]: Leaving directory '/tmp/build-d9TN/build-newlib'
Makefile:878: recipe for target 'all' failed
make: *** [all] Error 2
The asylo_package helper function currently just checks if asylo is in the path and so breaks when an external repository uses asylo in its name:
asylo/asylo/bazel/asylo_internal.bzl (lines 24 to 27 in 088ea34)
For example, compiling in an external repository with bazel build //oak/server/asylo:xxxx fails with no such package 'asylo/bazel/application_wrapper'.
ERROR: no such package '@com_google_asylo_toolchain//toolchain': Traceback (most recent call last):
File "/root/.cache/bazel/_bazel_root/6f5dfd08c182635f43c28327b7ed358d/external/com_google_asylo/asylo/bazel/asylo_deps.bzl", line 94
installation_path(repository_ctx, "default_toolchain...", <3 more arguments>)
File "/root/.cache/bazel/_bazel_root/6f5dfd08c182635f43c28327b7ed358d/external/com_google_asylo/asylo/bazel/installation_path.bzl", line 71, in installation_path
_fail_if_directory_does_not_exist(repository_ctx, result, what)
File "/root/.cache/bazel/_bazel_root/6f5dfd08c182635f43c28327b7ed358d/external/com_google_asylo/asylo/bazel/installation_path.bzl", line 23, in _fail_if_directory_does_not_exist
fail(((("Install path to " + what) + ...))
Install path to Asylo toolchain [default] [INTERNAL TRANSITION] does not exist: /opt/asylo/toolchains/sgx_x86_64
Dears,
I mean to use asylo to migrate existing C++ code to an enclave. Previously I could not use thread local unless I set TCSPolicy=0 (bound to untrusted thread).
The existing code has lots of thread creation/destroy operations. In this case, I am worried that setting tcspolicy=0 will run out of TCSs.
So should I set tcspolicy=0 and configure enough TCSNum in this case?
Should these functions:
asylo/asylo/identity/enclave_assertion_authority_configs.h (lines 63 to 79 in befb2ef)
be visible under visibility:public (currently they are in asylo:implementation):
Lines 122 to 127 in befb2ef
since they may be used by asylo users during initialization?
std::vector<asylo::EnclaveAssertionAuthorityConfig> configs = {
asylo::CreateNullAssertionAuthorityConfig(),
asylo::CreateSgxLocalAssertionAuthorityConfig(),
};
asylo::Status status =
asylo::InitializeEnclaveAssertionAuthorities(configs.begin(), configs.end());
Or are enclave assertion authorities already initialized by asylo?
Does Asylo enclave model map transparently to Keystone (Open-source Secure Hardware Enclave)?
If yes, are there code samples?
Nathan Aw (Singapore)
Hello Asylo Team,
I am trying to run the hello-world example manually without Docker and the build keeps failing with the following error:
$ bazel run --config=enc-sim //hello_world -- --names="${NAMES}"
INFO: Analysed target //hello_world:hello_world (59 packages loaded).
INFO: Found 1 target...
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/any_pb2.py [for host]:
external/com_google_protobuf/python: warning: directory does not exist.
ERROR: /home/philip/asylo/sdk/asylo/examples/hello_world/BUILD:40:1: Linking of rule '//hello_world:hello_enclave_unsigned.so' failed (Exit 1)
external/com_google_asylo_sgx_backend/toolchain/bin/../lib/gcc/x86_64-elf/7.3.0/../../../../x86_64-elf/bin/ld: bazel-out/k8-fastbuild/bin/external/linux_sgx/libcrypto_px.a(pcpaesauthgcmca.pic.o): relocation R_X86_64_PC32 against symbol `ippsAES_GCMReset' can not be used when making a shared object; recompile with -fPIC
external/com_google_asylo_sgx_backend/toolchain/bin/../lib/gcc/x86_64-elf/7.3.0/../../../../x86_64-elf/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
Target //hello_world:hello_world failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 348.496s, Critical Path: 14.00s
INFO: 752 processes: 752 linux-sandbox.
FAILED: Build did NOT complete successfully
FAILED: Build did NOT complete successfully
I've tried running with the '--copt="-fpic"' and '--force_pic' arguments but have had no luck.
Any tips? Thank you!
Ubuntu 16.04
Using asylo 0.3.2
ERROR enclave_manager.cc : 302 : LoadEnclave failed: ::asylo::error::SgxErrorSpace::Cannot open SGX device: Failed to create an enclave
Aborted (core dumped)
The same enclave was running without any changes (AFAIK). Please help explain what could cause this issue.
I am trying to get this gRPC server example to work with Google Asylo (https://github.com/google/asylo/tree/master/asylo/examples/grpc_server). To initialize the server I need to specify a server_address in this config file (https://github.com/google/asylo/blob/master/asylo/examples/grpc_server/grpc_server_config.proto).
The server address in the example is written like this:
// The address that the gRPC server inside the enclave will be hosted on.
// Required.
optional string server_address = 205739939;
I am not sure what the format of this address is (i.e., is it IPv4 or IPv6). When I try the address in the example it gives me the following error:
E0415 20:26:28.102505429 139772652978128 server_chttp2.cc:40] {"created":"@1555359988.102435497","description":"No address added out of total 1 resolved","file":"external/com_github_grpc_grpc/src/core/ext/transport/chttp2/server/chttp2_server.cc","file_line":348,"referenced_errors":[{"created":"@1555359988.102435497","description":"Address family not supported by protocol family","errno":106,"file":"external/com_github_grpc_grpc/src/core/lib/iomgr/socket_utils_common_posix.cc","file_line":379,"os_error":"Address family not supported by protocol family","syscall":"socket","target_address":"[::1]:0"}]} 2019-04-15 20:26:28 FATAL grpc_server_driver.cc : 62 : Load grpc_server/grpc_server_enclave.so failed: ::asylo::error::GoogleErrorSpace::INTERNAL: Failed to start server
I would like to write an IPv4 address, for example 127.0.0.1:5000, but I fail to do that. Any pointers are appreciated.
Hey,
I am not sure it is a real issue, but the examples provided in /examples/ cannot be built.
Bazel raises errors about the "enclave_loader" symbol, which is not defined anywhere.
It works well if I use the BUILD file provided in "https://asylo.dev/asylo-examples.tar.gz", where "enclave_loader" is replaced by "debug_enclave_driver".
The BUILD file presented in "/examples/quickstart/README.md" also uses "enclave_loader" instead of "debug_enclave_driver".
Is this "debug_enclave_driver" just a temporary symbol, which will be replaced by "enclave_loader" in the future?
Regards,
Titouan
Any idea when asylo will be available to use in Google Kubernetes Engine? Would love that...
Right now I am trying to use the GKE Binary Authorization, but that is quite limited, as remote attestation is what our use case needs.
thx
In the quickstart example's description of an enclave it says:
Enclaves are an emerging technology paradigm that changes this equation. An enclave is a special execution context where code can run protected from even the OS kernel, with the guarantee that even a user running with root privileges cannot extract the enclave's secrets or compromise its integrity. Such protections are enabled through hardware isolation technologies such as Intel SGX or ARM TrustZone, or even through additional software layers such as a hypervisor. These technologies enable new forms of isolation beyond the usual kernel/user-space separation.
Am I reading this correctly; that what you've effectively done is re-implemented a microkernel, except without the microkernel (i.e. it doesn't matter if it's a microkernel or a monolithic kernel under the hood)?
I am only familiar with Java EE projects. Is it difficult to use asylo for building an enclave environment?
Actually, we want to run a Python server with an ML model in an enclave. Can asylo be a solution for this?
Reading English is still difficult for me. I don't know whether I should spend time on the docs or not.
asylo's definition of bazel_version:
asylo/asylo/bazel/asylo_deps.bzl (lines 237 to 243 in 676b9f3)
rules_rust's definition of bazel_version:
https://github.com/bazelbuild/rules_rust/blob/fe9a91e8b42f731aeb3b596246f6bf4bb9a88dc3/workspace.bzl
This fails compilation with an error similar to:
ERROR: error loading package 'rust/oak_runtime': in /usr/local/google/home/tzn/.cache/bazel/_bazel_tzn/0afd379f1411abdcf552c905c7b0282a/external/io_bazel_rules_rust/rust/rust.bzl: in /usr/local/google/home/tzn/.cache/bazel/_bazel_tzn/0afd379f1411abdcf552c905c7b0282a/external/io_bazel_rules_rust/rust/private/rust.bzl: in /usr/local/google/home/tzn/.cache/bazel/_bazel_tzn/0afd379f1411abdcf552c905c7b0282a/external/io_bazel_rules_rust/rust/private/rustc.bzl: Unable to load file '@bazel_version//:def.bzl': file doesn't exist
since both projects define @bazel_version but with a different internal layout.
Is there a way to disambiguate this in the local WORKSPACE file, or do the two repositories need to agree on a naming convention to avoid the clash?
Hi, I am trying out building asylo examples and found that the asylo_redis documentation didn't work for me.
After trial and error and thanks to #28, I was able to make it work.
I am not sure whether I was wrong or the documentation itself was misleading, since I am totally new to Bazel build system ;)
I will file a PR. Could you please take a look?
FYI, I am building asylo_redis without Docker.
I'm trying to compile hello_world on an Ubuntu 18.04 with the manual installation instructions provided in INSTALL.md. Is the config option still supported? I keep getting an error while compiling sgx_sdk. The only option to compile hello_world that works for me is if I remove --config=sgx-sim and use //asylo/examples/hello_world:hello_world_sgx_sim.
The question is whether --config=sgx-sim or --config=enc-sim is still supported.
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c: In function 'se_mutex_init':
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:67:2: error: #error no pre-defined RECURSIVE_MUTEX found.
#error no pre-defined RECURSIVE_MUTEX found.
^~~~~
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:71:20: error: 'tmp' undeclared (first use in this function); did you mean 'tm'?
memcpy(mutex, &tmp, sizeof(tmp));
^~~
tm
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:71:20: note: each undeclared identifier is reported only once for each function it appears in
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c: In function 'se_get_threadid':
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:89:63: error: '__NR_gettid' undeclared (first use in this function); did you mean 'SYS_gettid'?
unsigned int se_get_threadid(void) { return (unsigned)syscall(__NR_gettid);}
^~~~~~~~~~~
SYS_gettid
Target //asylo/examples/hello_world:hello_world_sgx_sim failed to build
or another run:
Execution platform: @local_config_platform//:host
Use --sandbox_debug to see verbose messages from the sandbox
external/linux_sgx/common/src/se_event.c:35:10: fatal error: linux/futex.h: No such file or directory
#include <linux/futex.h>
^~~~~~~~~~~~~~~
The difference between --config=sgx-sim and _sgx_sim seems to be in the compiler/toolchain used:
--config=sgx-sim (fails)
bazel build --verbose_failures --config=sgx-sim //asylo/examples/hello_world:hello_world
exec env - \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin \
PWD=/proc/self/cwd \
external/com_google_asylo_toolchain/toolchain/bin/x86_64-elf-g++ -isystemasylo/platform/posix/include -isystemasylo/platform/system/include -isystemexternal/com_google_asylo/asylo/platform/posix/include -isystemexternal/com_google_asylo/asylo/platform/system/include -D__ASYLO__ -DCOMPILER_GCC3 -D__LINUX_ERRNO_EXTENSIONS__ '-std=gnu++17' -MD -MF bazel-out/k8-fastbuild-ST-b8b7b2b153c11a75e8c76309e6086217c874508e819ba2fc3c7ed5dc5a7e7e83/bin/external/sgx_dcap/_objs/quote_wrapper/qe_logic.pic.d
_sgx_sim (without --config options, succeeds)
bazel build -s --verbose_failures //asylo/examples/hello_world:hello_world_sgx_sim
exec env - \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin \
PWD=/proc/self/cwd \
/usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer '-std=c++0x' -MD -MF bazel-out/k8-fastbuild-ST-b8b7b2b153c11a75e8c76309e6086217c874508e819ba2fc3c7ed5dc5a7e7e83/bin/external/sgx_dcap/_objs/quote_wrapper/qe_logic.pic.d
I am following the instructions in lines 160 to 181 in 5ab253e, but getting the following errors:
Starting local Bazel server and connecting to it...
ERROR: error loading package 'asylo/examples/bazel-my-project/external/com_google_asylo/asylo/platform/posix/sockets': Unable to load file '//asylo/bazel:proto.bzl': file doesn't exist
Loading: 6 packages loaded
currently loading: asylo/examples/bazel-my-project/external/com_google_asylo/asylo/test/util ... (19 packages)
ERROR: error loading package 'asylo/examples/bazel-my-project/external/bazel_tools/tools/build_defs/pkg': Every .bzl file must have a corresponding package, but '//tools/build_defs/pkg:pkg.bzl' does not have one. Please create a BUILD file in the same or any parent directory. Note that this BUILD file does not need to do anything except exist.
Loading: 11 packages loaded
currently loading: asylo/bazel ... (24 packages)
Fetching @linux_sgx; Restarting.
ERROR: error loading package 'asylo/examples/bazel-my-project/external/com_google_asylo/asylo/examples/quickstart': Unable to load file '//asylo/bazel:proto.bzl': file doesn't exist
Loading: 46 packages loaded
currently loading: asylo/crypto ... (95 packages)
Fetching @com_google_asylo_backend_provider; Restarting.
Fetching @linux_sgx; Restarting.
ERROR: error loading package 'asylo/examples/bazel-my-project/external/bazel_tools/src/main/protobuf': Every .bzl file must have a corresponding package, but '//tools/build_rules:genproto.bzl' does not have one. Please create a BUILD file in the same or any parent directory. Note that this BUILD file does not need to do anything except exist.
Loading: 4 packages loaded
currently loading: asylo/bazel/application_wrapper ... (20 packages)
Fetching @linux_sgx; Restarting.
Fetching @com_google_asylo_backend_provider; Restarting.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Deleting stale sandbox base /root/.cache/bazel/_bazel_root/e99e07f24ebd301f8e219cdfec3646b6/sandbox
INFO: Elapsed time: 0.513s, Critical Path: 0.02s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build options --crosstool_top, --custom_malloc, --define, and 2 more have changed, discarding analysis cache.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Elapsed time: 0.336s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build option --compilation_mode has changed, discarding analysis cache.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Elapsed time: 0.251s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build options --compilation_mode and --define have changed, discarding analysis cache.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Elapsed time: 0.240s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
ONE OR MORE TESTS FAILED
Hi,
I am building asylo using hardware mode with the following command:
docker run -it --rm \
  --device=/dev/isgx \
  -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
  -v bazel-cache:/root/.cache/bazel \
  -v "${MY_PROJECT}":/opt/my-project \
  -w /opt/my-project \
  gcr.io/asylo-framework/asylo \
  bazel run --config=sgx //hello_world -- --names="${NAMES}"
However, it says several http_archive packages cannot be found. Can someone help?
I have attached the full error log from building in interactive mode, as follows.
rd@rd-desktop:~/Desktop/asylo-docker$ sudo docker run -it --rm -v bazel-cache:/root/.cache/bazel -v "${MY_PROJECT}":/opt/my-project -w /opt/my-project --device=/dev/isgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gcr.io/asylo-framework/asylo
root@73f53a8ff77f:/opt/my-project# bazel run --config=sgx //hello_world -- --names="${NAMES}"
Starting local Bazel server and connecting to it...
ERROR: /root/.cache/bazel/_bazel_root/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/arch/BUILD:273:1: error loading package '@com_google_asylo//asylo/grpc/auth/core': Unable to load package for '@io_bazel_rules_go//go:def.bzl': The repository '@io_bazel_rules_go' could not be resolved and referenced by '@com_google_asylo//asylo/platform/arch:trusted_fork'
ERROR: Analysis of target '//hello_world:hello_world' failed; build aborted: error loading package '@com_google_asylo//asylo/grpc/auth/core': Unable to load package for '@io_bazel_rules_go//go:def.bzl': The repository '@io_bazel_rules_go' could not be resolved
INFO: Elapsed time: 5.368s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (54 packages loaded, 2785 targets configured)
currently loading: @com_google_asylo//asylo/grpc/auth/core
Thank you!
Oh, I see the quick fix in the user group: adding the following to the WORKSPACE.
load("@com_google_asylo//asylo/bazel:asylo_deps.bzl", "asylo_go_deps")
asylo_go_deps()
Hi,
Is it possible to use Asylo in hardware mode? In particular, would anything in asylo break if the signed enclave shared object is linked against the hardware trts_library, and hardware service_library. Have there been complications in linking Asylo against the hardware libraries/running in hardware?
Btw, this project is really cool, thank you!
I'm trying to run bazel sync to download Asylo's dependencies in docker, but get the following error:
INFO: Repository 'six_archive' used the following cache hits instead of downloading the corresponding file.
* Hash '105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a' for https://pypi.python.org/packages/source/s/six/six-1.10.0.tar.gz
If the definition of 'six_archive' was updated, verify that the hashes were also updated.
ERROR: An error occurred during the fetch of repository 'six_archive':
Traceback (most recent call last):
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/bazel_tools/tools/build_defs/repo/http.bzl", line 57
workspace_and_buildfile(ctx)
File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 61, in workspace_and_buildfile
ctx.symlink(ctx.attr.build_file, "BUILD.bazel")
Not a regular file: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_protobuf/six.BUILD
My WORKSPACE looks like this:
workspace(name = "asylo_test")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_google_asylo",
    sha256 = "7f53d61d91a8d6963a5665088b02129d643a4cfbcab883f1076b71bcbe07184d",
    strip_prefix = "asylo-088ea3490dd4579655bd5b65b0e31fe18de7f6dd",
    urls = [
        # Head commit on 2019-11-21.
        "https://github.com/google/asylo/archive/088ea3490dd4579655bd5b65b0e31fe18de7f6dd.tar.gz",
    ],
)

load("@com_google_asylo//asylo/bazel:asylo_deps.bzl", "asylo_deps", "asylo_go_deps")
asylo_deps()
asylo_go_deps()

load("@com_google_asylo//asylo/bazel:sgx_deps.bzl", "sgx_deps")
sgx_deps()
And my Dockerfile looks like this:
FROM gcr.io/asylo-framework/asylo:buildenv-v0.5.0
I have been experimenting with compiling Rust to a static library and linking it against our existing enclave code (will provide detailed steps if anyone is interested), but while I can link the resulting artifacts against standard C++ code, asylo seems picky about it, and I get the following errors in bazel:
bazel-out/k8-fastbuild/bin/rust/oak_runtime/liboak_runtime--866734307.a(divxc3.o): In function `__divxc3':
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:23: undefined reference to `fmaxl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:23: undefined reference to `logbl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:26: undefined reference to `scalbnl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:27: undefined reference to `scalbnl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:31: undefined reference to `scalbnl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:33: undefined reference to `scalbnl'
For reference, I also came across this https://dev.to/luzero/building-crates-so-they-look-like-c-abi-libraries-1ibn#static-libraries, but it did not help.
I cannot seem to reproducibly build the enclave code on my machine. I am using the following steps:
docker run -it --rm -v bazel-cache:/root/.cache/bazel -v "${PWD}":/opt/my-project -w /opt/my-project gcr.io/asylo-framework/asylo
bazel build --config=sgx-sim //asylo/examples/hello_world
cp bazel-bin/asylo/examples/hello_world/hello_enclave_unsigned.so enclave_$(date --iso-8601=seconds).so
bazel clean
bazel build --config=sgx-sim //asylo/examples/hello_world
cp bazel-bin/asylo/examples/hello_world/hello_enclave_unsigned.so enclave_$(date --iso-8601=seconds).so
sha1sum enclave_*
Note that the resulting hashes differ, e.g. on my machine I get the following:
b88b0156ebc354ef15cf706fdf4428e998b68356 enclave_2019-10-01T18:51:50+00:00.so
e48909687b68f586e1c3b4facf66cad2b4e51f1a enclave_2019-10-01T18:55:54+00:00.so
ref project-oak/oak#241
cc @anghelcovici @deeglaze @KeithMoyer @annasapek
Dear Asylo developers,
I have searched (on your websites, blogs, etc) for a list of concrete threats that Asylo will protect against once it's ready for production and how it protects the enclave from those threats.
I know it's hard to say since there are so many possible threats. I found the following on https://asylo.dev/about/overview.html#security-backends
Asylo is designed to integrate applications with enclaves that provide confidentiality and integrity guarantees against the following threats:
- Malicious or compromised administrator
- Malicious or compromised tenant of a hypervisor
- Malicious or compromised network
- Compromised operating system
- Compromised BIOS
I just wonder if there is a more precise answer and a list of techniques that you use to secure the enclave (e.g. ram encryption etc.)
Lastly, I wonder what the best practice is to get sensitive data + code into the enclave running in an untrusted environment. Building the enclave locally, uploading it to the untrusted VM, executing it and afterwards downloading the enclave again including the results? Is there a mechanism in the enclave to protect the user from man-in-the-middle attacks when communicating with the docker container over a port?
I apologize if there is an obvious answer to those questions that I have not found or understood.
Thank you so much and best regards,
Jan
Hi,
I find some descriptions might need updating, as follows.
"${ASYLO}"/sdk/asylo/distrib/sgx_x86_64/install-toolchain \
--user \
--prefix "${ASYLO}"/toolchains/sgx_x86_64
may need to be updated to
"${ASYLO}"/sdk/asylo/distrib/toolchain/install-toolchain \
--user \
--prefix "${ASYLO}"/toolchains/sgx_x86_64
or something else, since the install-toolchain script has been relocated.
The link address for distrib/README.md (https://github.com/google/asylo/blob/master/asylo/distrib/README.md) may want to change to https://github.com/google/asylo/blob/master/asylo/distrib/toolchain/README.md
Thanks!
Hello Asylo team,
I've been trying to step through the hello_world example (manual installation, not Docker container) with GDB but am unable to properly read symbols. More specifically, I'm trying GDB on the hello_world_host_loader but getting "no debugging symbols found".
I have tried building the example with the Bazel options --strip=never and --compilation_mode=dbg but have had no luck.
Do you have any tips?
Thanks!
I wonder if the current BoringSSL wrapper is actually benefiting from the trusted hardware (see https://github.com/google/channel-id-enclave/tree/master/boringssl). Simply put, are the secrets (private key, session key, etc.) allocated inside enclaves?
Asylo has definitions for several types of assertions:
SetNullAssertionDescription
SetSgxLocalAssertionDescription
SetSgxRemoteAssertionDescription
But it looks like only the first two are implemented in the form of gRPC credentials:
Does it mean that SGX remote attestation for gRPC is not yet implemented, or it is implemented but in different place/form?
Will you support ARM trustzone?
Hi Dears,
I saw there is a POSIX I/O interface for secure storage under "asylo/platform/storage/secure", where I need to manually set the encryption key with ioctl and the mode with O_SECURE.
Can I use this feature via C++ fstream, i.e. how can I set the key and how can I indicate that this is an encrypted file?
It'd be important to get some more practical information on how to sign production enclaves. I think one needs to request an enclave signing certificate from Intel.
Asylo manual instruction guide has broken links and version mismatch.
The master branch now uses SGX SDK version 2.4, but the page says it is using SGX SDK 2.3 and the corresponding link is broken.
I did a manual installation inside a centos/7 VM (via vagrant) as follows:
Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"
  config.vm.synced_folder ".", "/sgx-poc"
  config.vm.provision "shell", inline: <<-SHELL
    # SGX prerequisites
    yum clean all
    sudo yum -y groupinstall 'Development Tools'
    sudo yum -y install ocaml ocaml-ocamlbuild wget python openssl-devel libcurl-devel protobuf-devel
    # SGX driver, PSW & SDK (see https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/)
    wget https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/sgx_linux_x64_driver_4d69b9c.bin
    wget https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/sgx_linux_x64_sdk_2.3.100.46354.bin
    wget https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/sgx_linux_x64_psw_2.3.100.46354.bin
    sudo chmod +x *.bin
    sudo ./sgx_linux_x64_driver_4d69b9c.bin
    sudo ./sgx_linux_x64_sdk_2.3.100.46354.bin --p /sgx
    sudo ./sgx_linux_x64_psw_2.3.100.46354.bin
    echo "source /sgx/sgxsdk/environment" >> /home/vagrant/.bash_profile
    # install docker
    sudo yum install -y docker
    sudo groupadd docker
    sudo usermod -aG docker $USER
    sudo systemctl enable docker
    sudo systemctl start docker
    # bazel dependencies
    sudo yum install -y bison build-essential flex libisl-0.18-dev libmpc-dev libmpfr-dev rsync texinfo wget zlib1g-dev
    # clone asylo tool chain
    ASYLO="${HOME}"/asylo
    git clone https://github.com/google/asylo.git "${ASYLO}"/sdk
    # build asylo tool chain
    "${ASYLO}"/sdk/asylo/distrib/sgx_x86_64/install-toolchain \
      --user \
      --prefix "${ASYLO}"/toolchains/sgx_x86_64
    # bazel dependencies
    sudo yum install -y ocaml-nox ocamlbuild python-jinja2
    # bazel installation
    sudo yum install -y curl gnupg
    sudo wget -P /etc/yum.repos.d/ https://copr.fedorainfracloud.org/coprs/vbatts/bazel/repo/epel-7/vbatts-bazel-epel-7.repo
    # "yum install -y update" / "yum install -y install ..." would look for packages named
    # "update" and "install"; the intended commands are:
    sudo yum -y update
    sudo yum install -y bazel openjdk-8-jdk-headless
  SHELL
end
However I got the following error when I run the build of the grpc_server example:
$ bazel build //grpc_server --incompatible_package_name_is_a_function=false
INFO: Invocation ID: 9b54bf94-9ead-40da-a394-0e5e0a539f9f
ERROR: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_google_asylo/asylo/platform/posix/BUILD:51:12: Configurable attribute "deps" doesn't match this configuration (would a default condition help?).
Conditions checked:
@com_google_asylo//asylo/platform/arch:sgx
WARNING: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/BUILD:1992:1: in srcs attribute of cc_library rule @com_github_grpc_grpc//:grpc_nanopb: please do not import '@com_github_grpc_grpc//third_party/nanopb:pb_common.c' directly. You should either move the file to this package or depend on an appropriate rule there. Since this rule was created by the macro 'grpc_generate_one_off_targets', the error might have been caused by the macro implementation in /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/bazel/grpc_build_system.bzl:180:12
WARNING: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/BUILD:1992:1: in srcs attribute of cc_library rule @com_github_grpc_grpc//:grpc_nanopb: please do not import '@com_github_grpc_grpc//third_party/nanopb:pb_decode.c' directly. You should either move the file to this package or depend on an appropriate rule there. Since this rule was created by the macro 'grpc_generate_one_off_targets', the error might have been caused by the macro implementation in /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/bazel/grpc_build_system.bzl:180:12
WARNING: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/BUILD:1992:1: in srcs attribute of cc_library rule @com_github_grpc_grpc//:grpc_nanopb: please do not import '@com_github_grpc_grpc//third_party/nanopb:pb_encode.c' directly. You should either move the file to this package or depend on an appropriate rule there. Since this rule was created by the macro 'grpc_generate_one_off_targets', the error might have been caused by the macro implementation in /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/bazel/grpc_build_system.bzl:180:12
ERROR: Analysis of target '//grpc_server:grpc_server' failed; build aborted:
/home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_google_asylo/asylo/platform/posix/BUILD:51:12: Configurable attribute "deps" doesn't match this configuration (would a default condition help?).
Conditions checked:
@com_google_asylo//asylo/platform/arch:sgx
INFO: Elapsed time: 0.289s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (0 packages loaded, 0 targets configured)
This appeared to be fixed when I modified the following section of the platform posix build file /asylo/platform/posix/BUILD.
From:
cc_library(
    name = "trusted_posix",
    copts = ASYLO_DEFAULT_COPTS,
    deps = select({
        "//asylo/platform/arch:sgx": [":posix"],
    }),
)
To:
cc_library(
    name = "trusted_posix",
    copts = ASYLO_DEFAULT_COPTS,
    deps = select({
        "//asylo/platform/arch:sgx": [":posix"],
        "//conditions:default": [":posix"],
    }),
)
This can easily be reproduced by running the vagrant file and trying to build the grpc_server example from https://asylo.dev/asylo-examples.tar.gz.
Am I doing something so that my configuration is not correctly being detected?
Is the lack of a default configuration a bug?
Hi,
I have problems with running grpc server inside SGX enclave with asylo.
Everything works but processor usage is strange.
Even when the grpc server is running idle, 4 processor cores are used at 100%.
This can easily be reproduced by running grpc_server example from https://asylo.dev/asylo-examples.tar.gz
Could you please take a look?
br,
Mario
Hello,
I'm going through the manual installation of the newest version of Asylo and I'm running into a couple of errors. I've updated all the dependencies and Bazel and I'm trying to do the bazel run of hello_world in simulation mode.
.../external/com_google_asylo_sgx_backend/toolchain/BUILD:60:1: in cc_toolchain rule @com_google_asylo_sgx_backend//toolchain:cc-compiler-sgx_x86_64-gcc: Error while selecting cc_toolchain: Toolchain identifier 'asylo_sgx_x86_64' was not found, valid identifiers are [sgx_x86_64, asylo_k8]
I changed the line in BUILD from
toolchain_identifier = "asylo_sgx_x86_64",
to
toolchain_identifier = "sgx_x86_64",
and that seemed to solve it.
... /external/com_google_asylo/asylo/platform/arch/BUILD:114:1: C++ compilation of rule '@com_google_asylo//asylo/platform/arch:untrusted_sgx' failed (Exit 1) gcc failed: error executing command /usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -B/usr/bin -B/usr/bin -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer -g0 -O2 '-D_FORTIFY_SOURCE=1' -DNDEBUG ... (remaining 83 argument(s) skipped)
Use --sandbox_debug to see verbose messages from the sandbox
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc: In member function 'virtual asylo::StatusOr<std::unique_ptr<asylo::EnclaveClient> > asylo::SgxLoader::LoadEnclave(const string&, void*) const':
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc:180:10: error: could not convert 'client' from 'std::unique_ptr<asylo::SgxClient>' to 'asylo::StatusOr<std::unique_ptr<asylo::EnclaveClient> >'
return client;
^~~~~~
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc: In member function 'virtual asylo::StatusOr<std::unique_ptr<asylo::EnclaveClient> > asylo::SgxEmbeddedLoader::LoadEnclave(const string&, void*) const':
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc:217:10: error: could not convert 'client' from 'std::unique_ptr<asylo::SgxClient>' to 'asylo::StatusOr<std::unique_ptr<asylo::EnclaveClient> >'
return client;
^~~~~~
Target //hello_world:hello_world failed to build
Any help would be appreciated, thanks.
I'm trying to introduce opencv to my enclave application. I started from modifying the hello_world example as follows:
#include <opencv2/opencv.hpp>
#include <opencv2/core.hpp>
...
cv::Mat image;
image = cv::imread( "image.jpg", 1 );
LOG(INFO) << "Hello " << visitor;
cc_unsigned_enclave(
    name = "hello_enclave_unsigned.so",
    srcs = ["hello_enclave.cc"],
    deps = [
        ":hello_cc_proto",
        "@com_google_absl//absl/strings",
        "@com_google_asylo//asylo:enclave_runtime",
        "@com_google_asylo//asylo/util:logging",
        "@com_google_asylo//asylo/util:status",
        "@opencv//:opencv",
    ],
)
new_local_repository(
    name = "opencv",
    path = "/opt/my-project/opencv_bazel/opencv/opencv-install",
    build_file = "opencv.BUILD",
)
cc_library(
    name = "opencv",
    srcs = glob(["lib/*.so*"]),
    hdrs = glob(["include/**/*.hpp", "include/**/*.h"]),
    includes = ["include"],
    visibility = ["//visibility:public"],
    linkstatic = 1,
)
When I execute bazel run, the following error is encountered:
bazel run --config=sgx-sim //hello_world:hello_world --verbose_failures
INFO: Analyzed target //hello_world:hello_world (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
INFO: From Signing for debug: //hello_world:hello_enclave_unsigned_sgx_sim.so:
Symbol table incorrect The input enclave file is not correct. Error happened while signing the enclave. 0 0 0x40000 0x2000000 12 0 0 0 0 0 0xffffffff
ERROR: /opt/my-project/hello_world/BUILD:56:1: output 'hello_world/hello_enclave_sgx_sim.so' was not created
ERROR: /opt/my-project/hello_world/BUILD:56:1: not all outputs were created or valid
Target //hello_world:hello_world failed to build
INFO: Elapsed time: 0.859s, Critical Path: 0.08s
INFO: 1 process: 1 processwrapper-sandbox.
FAILED: Build did NOT complete successfully
Will try to build opencv as a static library later; might that help?
I build the project with docker. I test it on both MacOS and Ubuntu.
I run sqlite3 example with gcr.io/asylo-framework/asylo:latest image.
I go to the following directory:
/opt/my-project/bazel-cache/_bazel_root/b6bc0828d5b43c7085b650e0698bf388/execroot/asylo_examples/bazel-out/k8-fastbuild/bin/sqlite3#
I run the following command:
./asylo_sqlite_sgx_sim ex1.db
I run the following sqlite shell command:
create table tbl1(one varchar(10), two smallint);
I get this error from sqlite shell:
Error: disk I/O error
I am currently testing non-docker mode of Asylo installation.
I simply ran bazel run --config=sgx //hello-world
and got the following error
ERROR: The enclave image should have '.note.sgxmeta' section Regular sections incorrect The input enclave file is not correct. Error happened while signing the enclave. <EnclaveConfiguration> <ProdID>0</ProdID> <ISVSVN>0</ISVSVN> <StackMaxSize>0x40000</StackMaxSize> <HeapMaxSize>0x47000000</HeapMaxSize> <TCSNum>200</TCSNum> <TCSPolicy>0</TCSPolicy> <DisableDebug>0</DisableDebug> <ProvisionKey>0</ProvisionKey> <EnableKSS>0</EnableKSS> <MiscSelect>0</MiscSelect> <MiscMask>0xffffffff</MiscMask> </EnclaveConfiguration>
Actually the .note.sgxmeta section header is missing in libhello_enclave_unsigned.so
$ objdump -h bazel-bin/hello-world/libhello_enclave_unsigned.so
libhello_enclave_unsigned.so: file format elf64-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 0000000f 0000000000000200 0000000000000200 00000200 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.gnu.property 00000040 0000000000000210 0000000000000210 00000210 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .hash 00000054 0000000000000250 0000000000000250 00000250 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .dynsym 00000180 00000000000002a8 00000000000002a8 000002a8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .dynstr 000000ea 0000000000000428 0000000000000428 00000428 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .gnu.version 00000020 0000000000000512 0000000000000512 00000512 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .gnu.version_d 00000038 0000000000000538 0000000000000538 00000538 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .rela.dyn 00034728 0000000000000570 0000000000000570 00000570 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rela.plt 000000c0 0000000000034c98 0000000000034c98 00034c98 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .plt 00000090 0000000000034d60 0000000000034d60 00034d60 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
10 .text 004569d9 0000000000034e00 0000000000034e00 00034e00 2**6
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 .nipx 00000b36 000000000048b7d9 000000000048b7d9 0048b7d9 2**0
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 malloc_hook 00000212 000000000048c310 000000000048c310 0048c310 2**1
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .rodata 0008d6c0 000000000048d000 000000000048d000 0048d000 2**12
CONTENTS, ALLOC, LOAD, READONLY, DATA
14 .eh_frame 00118144 000000000051a6c0 000000000051a6c0 0051a6c0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .gcc_except_table 0001c001 0000000000632804 0000000000632804 00632804 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .tdata 00000010 000000000084e808 000000000084e808 0064e808 2**3
CONTENTS, ALLOC, LOAD, DATA, THREAD_LOCAL
17 .tbss 00000250 000000000084e818 000000000084e818 0064e818 2**3
ALLOC, THREAD_LOCAL
18 .init_array 000004c8 000000000084e818 000000000084e818 0064e818 2**3
CONTENTS, ALLOC, LOAD, DATA
19 .fini_array 00000018 000000000084ece0 000000000084ece0 0064ece0 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .data.rel.ro 00015538 000000000084ed00 000000000084ed00 0064ed00 2**5
CONTENTS, ALLOC, LOAD, DATA
21 .dynamic 000001b0 0000000000864238 0000000000864238 00664238 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .got 00000050 00000000008643e8 00000000008643e8 006643e8 2**3
CONTENTS, ALLOC, LOAD, DATA
23 .got.plt 00000058 0000000000864438 0000000000864438 00664438 2**3
CONTENTS, ALLOC, LOAD, DATA
24 .data 000037ac 00000000008644a0 00000000008644a0 006644a0 2**5
CONTENTS, ALLOC, LOAD, DATA
25 .niprod 000008c0 0000000000867c80 0000000000867c80 00667c80 2**6
CONTENTS, ALLOC, LOAD, DATA
26 .nipd 00000008 0000000000868540 0000000000868540 00668540 2**2
CONTENTS, ALLOC, LOAD, DATA
27 .reserved_data 00100000 0000000000868560 0000000000868560 00668560 2**5
CONTENTS, ALLOC, LOAD, DATA
28 .reserved_bss 00100000 0000000000968560 0000000000968560 00768560 2**5
CONTENTS, ALLOC, LOAD, DATA
29 .reserved_heap 00100000 0000000000a68560 0000000000a68560 00868560 2**5
CONTENTS, ALLOC, LOAD, DATA
30 .bss 0001a468 0000000000b68580 0000000000b68580 00968560 2**6
ALLOC
31 .comment 00000011 0000000000000000 0000000000000000 00968560 2**0
CONTENTS, READONLY
To my understanding, the .note.sgxmeta section is derived from the libsgx_trts.a library.
As the header is not found, there may be some problem with linking the TRTS library?
Since I am not a bazel expert, it is hard for me to pinpoint the root cause.
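Two of the reports above come down to inspecting the enclave's ELF section table: the sgx_sign failure here, where the image lacks a .note.sgxmeta section, and the earlier one where two builds of hello_enclave_unsigned.so hash differently (which matters because a non-reproducible binary yields a different enclave measurement on every build, so attestation policies cannot pin its identity). The block below is an added example, not Asylo or Intel SGX SDK code: it parses ELF64 section headers, checks for .note.sgxmeta, and reports which sections differ between two builds; the tiny ELF images it builds in build_elf are constructed sample input standing in for real enclave files.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

# ELF64 little-endian header layouts (struct module formats).
ELF_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SECTION_HEADER = struct.Struct("<IIQQQQIIQQ")     # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8


class Section(NamedTuple):
    name: str
    sh_type: int
    offset: int
    size: int


def parse_sections(elf: bytes) -> List[Section]:
    """Return the section table of an ELF64 little-endian image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = ELF_HEADER.unpack_from(elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SECTION_HEADER.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    # Section names are NUL-terminated strings inside the .shstrtab section.
    strtab_off, strtab_size = raw[shstrndx][4], raw[shstrndx][5]
    strtab = elf[strtab_off:strtab_off + strtab_size]
    sections = []
    for sh_name, sh_type, _flags, _addr, sh_offset, sh_size, *_rest in raw:
        end = strtab.index(b"\0", sh_name)
        sections.append(Section(strtab[sh_name:end].decode(), sh_type, sh_offset, sh_size))
    return sections


def has_sgx_metadata(elf: bytes) -> bool:
    """sgx_sign refuses an enclave image without a .note.sgxmeta section."""
    return any(s.name == ".note.sgxmeta" for s in parse_sections(elf))


def section_digests(elf: bytes) -> Dict[str, str]:
    """SHA-256 of every section that occupies file bytes (skips .bss-style NOBITS)."""
    digests = {}
    for s in parse_sections(elf):
        if s.name and s.sh_type != SHT_NOBITS:
            digests[s.name] = hashlib.sha256(elf[s.offset:s.offset + s.size]).hexdigest()
    return digests


def differing_sections(build_a: bytes, build_b: bytes) -> List[str]:
    """Names of sections whose contents differ between two builds of the same enclave."""
    da, db = section_digests(build_a), section_digests(build_b)
    return sorted(n for n in set(da) | set(db) if da.get(n) != db.get(n))


def build_elf(sections: Dict[str, bytes]) -> bytes:
    """Assemble a minimal ELF64 shared object from named sections (constructed test input)."""
    names = [""] + list(sections) + [".shstrtab"]
    shstrtab = b"\0" + b"".join(n.encode() + b"\0" for n in names[1:])
    name_off, pos = {}, 0
    for n in names:
        name_off[n], pos = pos, pos + len(n) + 1
    contents = list(sections.values()) + [shstrtab]
    body, offsets, off = bytearray(), [], ELF_HEADER.size
    for c in contents:
        offsets.append(off)
        body += c
        off += len(c)
    shdrs = bytearray(SECTION_HEADER.size)  # index 0 is the mandatory null header
    for n, c, o in zip(names[1:], contents, offsets):
        sh_type = SHT_STRTAB if n == ".shstrtab" else SHT_PROGBITS
        shdrs += SECTION_HEADER.pack(name_off[n], sh_type, 0, 0, o, len(c), 0, 0, 1, 0)
    shnum = len(names)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELF64, little-endian, version 1
    ehdr = ELF_HEADER.pack(ident, 3, 0x3E, 1, 0, 0, off, 0, ELF_HEADER.size,
                           0, 0, SECTION_HEADER.size, shnum, shnum - 1)
    return ehdr + bytes(body) + bytes(shdrs)


if __name__ == "__main__":
    good = build_elf({".text": b"\x90" * 16, ".note.sgxmeta": bytes(32)})
    broken = build_elf({".text": b"\x90" * 16})
    print("has .note.sgxmeta:", has_sgx_metadata(good), has_sgx_metadata(broken))
    rebuilt = build_elf({".text": b"\x90" * 16, ".note.sgxmeta": bytes(31) + b"\x01"})
    print("sections differing between builds:", differing_sections(good, rebuilt))
```

On real files, pass open(path, "rb").read() to has_sgx_metadata or differing_sections; a whole-file sha1sum only says that two builds differ, the per-section digests say where.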
Hi devs,
It appears that enclaves created with Asylo can produce assertions of their identity (known as an enclave report in SGX lingo) which can be verified by some remote authority. However, I cannot find any examples of an authority performing remote attestation using the Intel Attestation Service (IAS). Is this a feature that is currently supported, and if not, do you expect remote attestation via IAS to be supported in the future?
As a follow-up question (if relevant): without IAS, I believe we cannot fully verify that the hardware running an enclave is authentic. Do the identity assertions provided by Asylo still offer some degree of confidence that an enclave is authentic? In other words, is remote attestation still relatively useful even without support for hardware verification via IAS?
Hi, I've noticed that Asylo already supports using the Intel SGX hardware backend.
I wonder if Asylo will support using an AMD SEV hardware backend in the future?
Thanks a lot!
Some part of it should be handled by the patched LLVM: https://reviews.llvm.org/D75938, but that may not cover e.g. BoringSSL assembly code.
Hi.
I’m having problems when trying to build the example in platform/primitives/examples
I’ve built the docker image from Dockerfile and for building the example I’m following the steps in README.
First, when building hello_enclave with
bazel build :hello_enclave.so --config=asylo --define=ASYLO_SIM=1
I get an error saying that config value asylo is not defined.
Second, when building the hello_driver with
bazel build :hello_driver --define=ASYLO_SIM=1
I get the following compile error
Any chance you could help to figure out what is wrong here?
Thanks!
I'm trying to compile an Asylo gRPC client for android using the Android Native Development Kit (NDK), but get the following error:
ERROR: /usr/local/google/home/ivanpetrov/.cache/bazel/_bazel_ivanpetrov/8772cf28264fce63c397d94b96d607b4/external/com_google_asylo/asylo/identity/null_identity/BUILD:58:1: C++ compilation of rule '@com_google_asylo//asylo/identity/null_identity:null_assertion_verifier' failed (Exit 1) clang failed: error executing command external/androidndk/ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/clang '-D__ANDROID_API__=28' -isystemexternal/androidndk/ndk/sysroot/usr/include/arm-linux-androideabi -target ... (remaining 74 argument(s) skipped)
Use --sandbox_debug to see verbose messages from the sandbox
In file included from external/com_google_asylo/asylo/identity/null_identity/null_assertion_verifier.cc:19:
In file included from external/com_google_asylo/asylo/identity/null_identity/null_assertion_verifier.h:25:
In file included from external/com_google_asylo/asylo/identity/enclave_assertion_verifier.h:24:
In file included from external/com_google_asylo/asylo/identity/enclave_assertion_authority.h:24:
In file included from external/com_google_asylo/asylo/crypto/util/byte_container_util.h:24:
external/com_google_asylo/asylo/crypto/util/byte_container_util_internal.h:45:2: error: "Only supported on x86_64 architecture"
#error "Only supported on x86_64 architecture"
^
1 error generated.
More information in project-oak/oak#353
I was following the quick start guide to Asylo applications and replicating the steps. I noticed that although in the Dockerfile wget is among the applications installed during construction of the docker image, when running the image wget is not installed. Is the docker image at this link up to date?
Asylo Image : gcr.io/asylo-framework/asylo
Hi, Asylo uses protobuf for trusted application enclave input and output, but as far as I know Protobuf cannot be used inside an enclave due to some I/O problem, like iosfwd. Then how can Asylo work with SGX? Thanks!
Regards
you.w.l