google / asylo Goto Github PK

Compiling a new Asylo version (0.5.1) and get the following error:

external/com_google_asylo/asylo/crypto/aes_gcm_siv.h:76:1: error: attribute 'deprecated' is ignored, place it after "class" to apply attribute to type declaration [-Werror,-Wignored-attributes]
ABSL_DEPRECATED("AesGcmSivCryptor will be removed in a future release")
^
external/com_google_absl/absl/base/macros.h:149:49: note: expanded from macro 'ABSL_DEPRECATED'
#define ABSL_DEPRECATED(message) __attribute__((deprecated(message)))

cc @tiziano88

The Bazel rule sgx.generate_sigstruct, that is defined here:

is not generating an actual SIGSTRUCT (generating some other structure), because the parameter gendata uses only header and body (without including key and buffer that are also presented in SIGSTRUCT) as shown here:
https://github.com/intel/linux-sgx/blob/d10cabebb5512878e84f5d21cdf27c39c428ffe2/sdk/sign_tool/SignTool/sign_tool.cpp#L528-L548

with the SIGSTRUCT definition here:
https://github.com/intel/linux-sgx/blob/d10cabebb5512878e84f5d21cdf27c39c428ffe2/common/inc/internal/arch.h#L240-L245

I'm trying to use local attestation for an SGX enclave.
But when a local client connects to the enclave through gRPC, I got the following error on the client side (server side doesn't show any errors):

2019-11-19 14:03:07  ERROR  client_ekep_handshaker.cc : 307 : Assertion could not be verified: ::asylo::error::GoogleErrorSpace::INTERNAL: MAC verification failed
2019-11-19 14:03:07  ERROR  client_ekep_handshaker.cc : 307 : Assertion could not be verified: ::asylo::error::GoogleErrorSpace::INTERNAL: MAC verification failed
2019-11-19 14:03:07  ERROR  client_ekep_handshaker.cc : 99 : ::asylo::error::EkepErrorSpace::Bad assertion: Assertion could not be verified
2019-11-19 14:03:07  ERROR  client_ekep_handshaker.cc : 99 : ::asylo::error::EkepErrorSpace::Bad assertion: Assertion could not be verified

I have tried to debug this in gdb and got these results:

(gdb) p/x actual_mac.data_
$8 = {0xe4, 0x66, 0x51, 0x28, 0x7e, 0x72, 0x45, 0x86, 0x4b, 0xeb, 0x1, 0x17, 0xa, 0x13, 0xc4, 0xc0}
(gdb) p/x report.mac.data_
$9 = {0x75, 0x8a, 0xfb, 0xaa, 0x6d, 0x1e, 0x8c, 0xa4, 0x4b, 0xa4, 0x24, 0x58, 0x15, 0x37, 0xf6, 0x7c}

in file:

So MACs are different, but I'm not sure why and how it could possibly be.

Here are main code snippets used in this example:

Enclave assertion initialization:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/server/asylo/asylo_oak_manager.cc#L81-L91

Enclave channel creation:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/server/oak_grpc_node.cc#L33-L43

Client assertion initialization:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/client/application_client.h#L144-L160

Client channel creation:
https://github.com/ipetr0v/oak/blob/2f2a7fec16529419c2c9f2b44b79cdf4c87fe638/oak/client/application_client.h#L97-L99

On a fresh AWS VM without SGX capability, the simulation mode described in the hello world example doesn't work:

(base) ubuntu@ip-XX-XX:~$ sudo docker run -it --rm     -v bazel-cache:/root/.cache/bazel     -v "${MY_PROJECT}":/opt/my-project     -w /opt/my-project     gcr.io/asylo-framework/asylo     bazel run --config=enc-sim //hello_world -- --names="${NAMES}"
Starting local Bazel server and connecting to it...
INFO: Analysed target //hello_world:hello_world (64 packages loaded, 3883 targets configured).
INFO: Found 1 target...
Target //hello_world:hello_world up-to-date:
  bazel-bin/hello_world/hello_world
INFO: Elapsed time: 18.350s, Critical Path: 7.03s
INFO: 12 processes: 12 processwrapper-sandbox.
INFO: Build completed successfully, 20 total actions
INFO: Build completed successfully, 20 total actions
Loading hello_world/hello_enclave.so
2019-06-22 11:47:01  WARNING  untrusted_sgx.cc : 62 : Failed to create an enclave, attempt=0, status=1
2019-06-22 11:47:01  ERROR  enclave_manager.cc : 324 : LoadEnclave failed: ::asylo::error::SgxErrorSpace::Unexpected error: Failed to create an enclave
2019-06-22 11:47:01  ERROR  enclave_manager.cc : 324 : LoadEnclave failed: ::asylo::error::SgxErrorSpace::Unexpected error: Failed to create an enclave
2019-06-22 11:47:01  FATAL  hello_driver.cc : 55 : Load hello_world/hello_enclave.so failed: ::asylo::error::SgxErrorSpace::Unexpected error: Failed to create an enclave
2019-06-22 11:47:01  FATAL  hello_driver.cc : 55 : Load hello_world/hello_enclave.so failed: ::asylo::error::SgxErrorSpace::Unexpected error: Failed to create an enclave

The VM runs a stock Ubuntu 18.04, with no customisation, just Docker CE 18.09 installed.

The same example runs fine on my SGX-enabled laptop (Debian testing).

➜  /tmp docker run -it --rm     -v bazel-cache:/root/.cache/bazel     -v "${MY_PROJECT}":/opt/my-project     -w /opt/my-project     gcr.io/asylo-framework/asylo     bazel run --config=enc-sim //hello_world -- --names="${NAMES}"
Starting local Bazel server and connecting to it...
INFO: Analysed target //hello_world:hello_world (64 packages loaded, 3883 targets configured).
INFO: Found 1 target...
Target //hello_world:hello_world up-to-date:
  bazel-bin/hello_world/hello_world
INFO: Elapsed time: 24.240s, Critical Path: 5.69s
INFO: 12 processes: 12 processwrapper-sandbox.
INFO: Build completed successfully, 20 total actions
INFO: Build completed successfully, 20 total actions
Loading hello_world/hello_enclave.so
2019-06-22 11:55:43  INFO  hello_enclave.cc : 40 : Hello jopasserat
2019-06-22 11:55:43  INFO  hello_enclave.cc : 42 : Incrementing visitor count...
Message from enclave: Hello jopasserat! You are visitor #1 to this enclave.

Does the simulation mode need an SGX device/driver/SDK installed to work?

I'm trying to compile the newest version of Asylo (as a dependency in Oak) and get the following errors:

ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):                                                     
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/grpc/util/BUILD", line 91                                                           
                cc_library(<6 more arguments>)                                                                                                                                                     
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library                                                              
                native.cc_library(<1 more arguments>)                                                                                                                                              
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library                                                       
                _add_tags(attrs)                                                                                                                                                                   
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags                                                               
                attrs["tags"] += [_MIGRATION_TAG]                                                                                                                                                  
trying to mutate a frozen object                                                                                                                                                                   
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):                                                     
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD", line 37                                                     
                cc_library(name = "system", <4 more arguments>)                                                                                                                                    
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library                                                              
                native.cc_library(<1 more arguments>)                                                                                                                                              
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library                                                       
                _add_tags(attrs)                                                                                                                                                                   
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags                                                               
                attrs["tags"] += [_MIGRATION_TAG]                                                                                                                                                  
trying to mutate a frozen object
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/posix/BUILD", line 52
                cc_library(<4 more arguments>)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library
                native.cc_library(<1 more arguments>)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library
                _add_tags(attrs)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags
                attrs["tags"] += [_MIGRATION_TAG]
trying to mutate a frozen object
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl:24:9: Traceback (most recent call last):
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/BUILD", line 70
                cc_library(<8 more arguments>)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in cc_library
                native.cc_library(<1 more arguments>)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 57, in native.cc_library
                _add_tags(attrs)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/rules_cc/cc/defs.bzl", line 24, in _add_tags
                attrs["tags"] += [_MIGRATION_TAG]
trying to mutate a frozen object

ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo:implementation' contains an error and its package is in error (this is usually caused by a missing package group in the package-level visibility declaration)
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/arpa/nameser.h' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/arpa/nameser_compat.h' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/sys/sysmacros.h' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/system/BUILD:29:1: Target '@com_google_asylo//asylo/platform/system:include/cmath' contains an error and its package is in error and referenced by '@com_google_asylo//asylo/platform/system:system_headers'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo_toolchain/toolchain/BUILD:43:1: Target '@com_google_asylo//asylo/platform/posix:posix_headers' contains an error and its package is in error and referenced by '@com_google_asylo_toolchain//toolchain:everything'
ERROR: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo_toolchain/toolchain/BUILD:43:1: Target '@com_google_asylo//asylo/platform/system:system_headers' contains an error and its package is in error and referenced by '@com_google_asylo_toolchain//toolchain:everything'

I tried to compile different commits, and it looks like the problem is caused by the ee9a7db.
If I use any preceding commit - everything works fine.

The error I get

/home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:62:5: note: previous definition of '_open' was here int _open(char *file, int flags, int mode) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:167:5: error: redefinition of '_read' int _read(int file, char *ptr, int len) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:67:5: note: previous definition of '_read' was here int _read(int file, char *ptr, int len) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:172:7: error: redefinition of '_sbrk' void* _sbrk(int incr) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:72:7: note: previous definition of '_sbrk' was here void* _sbrk(int incr) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:177:5: error: redefinition of '_stat' int _stat(const char *file, struct stat *st) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:77:5: note: previous definition of '_stat' was here int _stat(const char *file, struct stat *st) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:182:5: error: redefinition of '_times' int _times(struct tms *buf) ^~~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:82:5: note: previous definition of '_times' was here int _times(struct tms *buf) ^~~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:187:5: error: redefinition of '_unlink' int _unlink(char* name) ^~~~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:87:5: note: previous definition of '_unlink' was here int _unlink(char* name) ^~~~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:192:5: error: redefinition of '_wait' int _wait(int *status) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:92:5: note: previous definition of '_wait' was here int _wait(int *status) ^~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:197:5: error: redefinition of '_write' int _write(int file, char *ptr, int len) ^~~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:97:5: note: previous definition of '_write' was here int _write(int file, char *ptr, int len) ^~~~~~ /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c: In function '_exit': /home/hrishikesh/downloads/asylo/sdk/newlib-2.5.0.20170922/libgloss/enclave/enclave.c:10:1: warning: 'noreturn' function does return } ^ Makefile:258: recipe for target 'enclave.o' failed make[3]: *** [enclave.o] Error 1 make[3]: Leaving directory '/tmp/build-d9TN/build-newlib/x86_64-enclave/libgloss/enclave' Makefile:132: recipe for target 'stmp-bsp' failed make[2]: *** [stmp-bsp] Error 2 make[2]: Leaving directory '/tmp/build-d9TN/build-newlib/x86_64-enclave/libgloss' Makefile:9527: recipe for target 'all-target-libgloss' failed make[1]: *** [all-target-libgloss] Error 2 make[1]: Leaving directory '/tmp/build-d9TN/build-newlib' Makefile:878: recipe for target 'all' failed make: *** [all] Error 2

The asylo_package helper function currently just checks if asylo is in the path and so breaks when external repository uses asylo in its name:

For example compiling in an external repository: bazel build //oak/server/asylo:xxxx fails with no such package 'asylo/bazel/application_wrapper'.

ERROR: no such package '@com_google_asylo_toolchain//toolchain': Traceback (most recent call last):
File "/root/.cache/bazel/_bazel_root/6f5dfd08c182635f43c28327b7ed358d/external/com_google_asylo/asylo/bazel/asylo_deps.bzl", line 94
installation_path(repository_ctx, "default_toolchain...", <3 more arguments>)
File "/root/.cache/bazel/_bazel_root/6f5dfd08c182635f43c28327b7ed358d/external/com_google_asylo/asylo/bazel/installation_path.bzl", line 71, in installation_path
_fail_if_directory_does_not_exist(repository_ctx, result, what)
File "/root/.cache/bazel/_bazel_root/6f5dfd08c182635f43c28327b7ed358d/external/com_google_asylo/asylo/bazel/installation_path.bzl", line 23, in _fail_if_directory_does_not_exist
fail(((("Install path to " + what) + ...))
Install path to Asylo toolchain [default] [INTERNAL TRANSITION] does not exist: /opt/asylo/toolchains/sgx_x86_64

Dears,

I mean to use asylo to migrate existing C++ codes to enclave. Previously I cannot use thread local unless I set the TCSPolicy=0 (bound to untrusted thread).
The existing codes have lots of thread creation/destroy operations. I this case, I am worrying setting tcspolicy=0 will run out of TCSs.

So am I suggested to set tcspolicy=0 and config enough TCSNums in this case ?

Should these functions:

be visible in visibility:public (currently they are in asylo:implementation):

Since they may be used by asylo users during initialization?

std::vector<asylo::EnclaveAssertionAuthorityConfig> configs = {
    asylo::CreateNullAssertionAuthorityConfig(),
    asylo::CreateSgxLocalAssertionAuthorityConfig(),
};

asylo::Status status =
    asylo::InitializeEnclaveAssertionAuthorities(configs.begin(), configs.end());

Or enclave assertion authorities are already initialized by asylo?

Does Asylo enclave model map transparently to Keystone (Open-source Secure Hardware Enclave)?

If yes, are there code samples?

Nathan Aw (Singapore)

Hello Asylo Team,
I am trying to run the hello-world example manually without Docker and the build keeps failing with the following error:

$ bazel run --config=enc-sim //hello_world -- --names="${NAMES}"
INFO: Analysed target //hello_world:hello_world (59 packages loaded).
INFO: Found 1 target...
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/any_pb2.py [for host]:
external/com_google_protobuf/python: warning: directory does not exist.
ERROR: /home/philip/asylo/sdk/asylo/examples/hello_world/BUILD:40:1: Linking of rule '//hello_world:hello_enclave_unsigned.so' failed (Exit 1)
external/com_google_asylo_sgx_backend/toolchain/bin/../lib/gcc/x86_64-elf/7.3.0/../../../../x86_64-elf/bin/ld: bazel-out/k8-fastbuild/bin/external/linux_sgx/libcrypto_px.a(pcpaesauthgcmca.pic.o): relocation R_X86_64_PC32 against symbol `ippsAES_GCMReset' can not be used when making a shared object; recompile with -fPIC
external/com_google_asylo_sgx_backend/toolchain/bin/../lib/gcc/x86_64-elf/7.3.0/../../../../x86_64-elf/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
Target //hello_world:hello_world failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 348.496s, Critical Path: 14.00s
INFO: 752 processes: 752 linux-sandbox.
FAILED: Build did NOT complete successfully
FAILED: Build did NOT complete successfully

I've tried running with the '--copt="-fpic"' and '--force_pic' arguments but have had no luck.
Any tips? Thank you!

Ubuntu 16.04
Using asylo 0.3.2

ERROR enclave_manager.cc : 302 : LoadEnclave failed: ::asylo::error::SgxErrorSpace::Cannot open SGX device: Failed to create an enclave
Aborted (core dumped)

The same enclave was running without any changes (AFAIK). Please help explain what could cause this issue.

am trying to get this gRPC server example to work with Google Asylo (https://github.com/google/asylo/tree/master/asylo/examples/grpc_server).. To initialize the server I need to a specify a server_address in this config file (https://github.com/google/asylo/blob/master/asylo/examples/grpc_server/grpc_server_config.proto)

The server address in the example is written like this:

/ The address that the gRPC server inside the enclave will be hosted on.
 // Required.
optional string server_address = 205739939;

I am not sure what is the format of this address (i.e., is it IPv4 or Ipv6). When I try the address in the example it gives me the following error:

E0415 20:26:28.102505429 139772652978128 server_chttp2.cc:40] {"created":"@1555359988.102435497","description":"No address added out of total 1 resolved","file":"external/com_github_grpc_grpc/src/core/ext/transport/chttp2/server/chttp2_server.cc","file_line":348,"referenced_errors":[{"created":"@1555359988.102435497","description":"Address family not supported by protocol family","errno":106,"file":"external/com_github_grpc_grpc/src/core/lib/iomgr/socket_utils_common_posix.cc","file_line":379,"os_error":"Address family not supported by protocol family","syscall":"socket","target_address":"[::1]:0"}]} 2019-04-15 20:26:28 FATAL grpc_server_driver.cc : 62 : Load grpc_server/grpc_server_enclave.so failed: ::asylo::error::GoogleErrorSpace::INTERNAL: Failed to start server

I would like to write Ipv4 address for example: 127.0.0.1:5000 but I fail to do that. Any pointers are appreciated ?

Hey,
I am not sure it is a real issue, but the examples provided in /examples/ can not be built.
Bazel rises errors about the "enclave_loader" symbole which is not defined anywhere.

It works well if I use the BUILD file provided in "https://asylo.dev/asylo-examples.tar.gz", where "enclave_loader" is replaced by "debug_enclave_driver".
The BUILD file presented in "/examples/quickstart/README.md", also use "enclave_loader" instead of "debug_enclave_driver".

Is this "debug_enclave_driver" just a temporary symbole, which will be replaced by "enclave_loader" in the futur ?

Regards,
Titouan

any idea when asylo will be available to use in google kubernetes engine? would love that ...

right now i am trying to use the GKE binary authorization, but that is quite limited - as remote attestation is what our use case needs

thx

In the quickstart example's description of an enclave it says:

Enclaves are an emerging technology paradigm that changes this equation. An enclave is a special execution context where code can run protected from even the OS kernel, with the guarantee that even a user running with root privileges cannot extract the enclave's secrets or compromise its integrity. Such protections are enabled through hardware isolation technologies such as Intel SGX or ARM TrustZone, or even through additional software layers such as a hypervisor. These technologies enable new forms of isolation beyond the usual kernel/user-space separation.

Am I reading this correctly; that what you've effectively done is re-implemented a microkernel, except without the microkernel (i.e. it doesn't matter if it's a microkernel or a monolithic kernel under the hood)?

I am only familia with jave EE project。is it diffcult to use asylo for buliding a enclave env?

actually, we want run a python server with ML mode in enclave。 is asylo canbe a solution for this?

reading english is still diffcult for me . I dont know weather i should spend time on docs or not?

asylo definition of bazel_version:

rules_rust definition of bazel_version:
https://github.com/bazelbuild/rules_rust/blob/fe9a91e8b42f731aeb3b596246f6bf4bb9a88dc3/workspace.bzl

This fails compilation with an error similar to:

ERROR: error loading package 'rust/oak_runtime': in /usr/local/google/home/tzn/.cache/bazel/_bazel_tzn/0afd379f1411abdcf552c905c7b0282a/external/io_bazel_rules_rust/rust/rust.bzl: in /usr/local/google/home/tzn/.cache/bazel/_bazel_tzn/0afd379f1411abdcf552c905c7b0282a/external/io_bazel_rules_rust/rust/private/rust.bzl: in /usr/local/google/home/tzn/.cache/bazel/_bazel_tzn/0afd379f1411abdcf552c905c7b0282a/external/io_bazel_rules_rust/rust/private/rustc.bzl: Unable to load file '@bazel_version//:def.bzl': file doesn't exist

since both projects define @bazel_version but with a different internal layout.

Is there a way to disambiguate this in the local WORKSPACE file, or do the two repositories need to agree on a naming convention to avoid the clash?

Hi, I am trying out building asylo examples and found that asylo_redis documentation didn't work for me.

After trial and error and thanks to #28, I was able to make it work.

I am not sure whether I was wrong or the documentation itself was misleading, since I am totally new to Bazel build system ;)

I will file a PR. Could you please take a look?

FYI, I am building asylo_redis without Docker

I'm trying to compile hello_world on an Ubuntu 18.04 with the manual installation instructions provided in INSTALL.md. Is the config option still supported? I keep getting an error while compiling sgx_sdk. The only option to compile hello_world that works for me is if I remove --config=sgx-sim and use //asylo/examples/hello_world:hello_world_sgx_sim.

Question is whether --config=sgx-sim or --config=enc-sim still supported?

external/sgx_dcap/QuoteGeneration/common/src/se_thread.c: In function 'se_mutex_init':
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:67:2: error: #error no pre-defined RECURSIVE_MUTEX found.
 #error no pre-defined RECURSIVE_MUTEX found.
  ^~~~~
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:71:20: error: 'tmp' undeclared (first use in this function); did you mean 'tm'?
     memcpy(mutex, &tmp, sizeof(tmp));
                    ^~~
                    tm
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:71:20: note: each undeclared identifier is reported only once for each function it appears in
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c: In function 'se_get_threadid':
external/sgx_dcap/QuoteGeneration/common/src/se_thread.c:89:63: error: '__NR_gettid' undeclared (first use in this function); did you mean 'SYS_gettid'?
 unsigned int se_get_threadid(void) { return (unsigned)syscall(__NR_gettid);}
                                                               ^~~~~~~~~~~
                                                               SYS_gettid
Target //asylo/examples/hello_world:hello_world_sgx_sim failed to build

or another run:

Execution platform: @local_config_platform//:host

Use --sandbox_debug to see verbose messages from the sandbox
external/linux_sgx/common/src/se_event.c:35:10: fatal error: linux/futex.h: No such file or directory
 #include <linux/futex.h>
          ^~~~~~~~~~~~~~~

The difference between --config=sgx-sim and _sgx_sim seems to be in the compiler/toolchain used:

--config=sgx-sim (fails)

bazel build --verbose_failures --config=sgx-sim //asylo/examples/hello_world:hello_world

  exec env - \
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin \
    PWD=/proc/self/cwd \
  external/com_google_asylo_toolchain/toolchain/bin/x86_64-elf-g++ -isystemasylo/platform/posix/include -isystemasylo/platform/system/include -isystemexternal/com_google_asylo/asylo/platform/posix/include -isystemexternal/com_google_asylo/asylo/platform/system/include -D__ASYLO__ -DCOMPILER_GCC3 -D__LINUX_ERRNO_EXTENSIONS__ '-std=gnu++17' -MD -MF bazel-out/k8-fastbuild-ST-b8b7b2b153c11a75e8c76309e6086217c874508e819ba2fc3c7ed5dc5a7e7e83/bin/external/sgx_dcap/_objs/quote_wrapper/qe_logic.pic.d

_sgx_sim (without --config options, succeeds)

bazel build -s --verbose_failures   //asylo/examples/hello_world:hello_world_sgx_sim

  exec env - \
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin \
    PWD=/proc/self/cwd \
  /usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer '-std=c++0x' -MD -MF bazel-out/k8-fastbuild-ST-b8b7b2b153c11a75e8c76309e6086217c874508e819ba2fc3c7ed5dc5a7e7e83/bin/external/sgx_dcap/_objs/quote_wrapper/qe_logic.pic.d

I am following the instructions in

but getting the following errors:

Starting local Bazel server and connecting to it...
ERROR: error loading package 'asylo/examples/bazel-my-project/external/com_google_asylo/asylo/platform/posix/sockets': Unable to load file '//asylo/bazel:proto.bzl': file doesn't exist
Loading: 6 packages loaded
    currently loading: asylo/examples/bazel-my-project/external/com_google_asylo/asylo/test/util ... (19 packages)
ERROR: error loading package 'asylo/examples/bazel-my-project/external/bazel_tools/tools/build_defs/pkg': Every .bzl file must have a corresponding package, but '//tools/build_defs/pkg:pkg.bzl' does not have one. Please create a BUILD file in the same or any parent directory. Note that this BUILD file does not need to do anything except exist.
Loading: 11 packages loaded
    currently loading: asylo/bazel ... (24 packages)
    Fetching @linux_sgx; Restarting.
ERROR: error loading package 'asylo/examples/bazel-my-project/external/com_google_asylo/asylo/examples/quickstart': Unable to load file '//asylo/bazel:proto.bzl': file doesn't exist
Loading: 46 packages loaded
    currently loading: asylo/crypto ... (95 packages)
    Fetching @com_google_asylo_backend_provider; Restarting.
    Fetching @linux_sgx; Restarting.
ERROR: error loading package 'asylo/examples/bazel-my-project/external/bazel_tools/src/main/protobuf': Every .bzl file must have a corresponding package, but '//tools/build_rules:genproto.bzl' does not have one. Please create a BUILD file in the same or any parent directory. Note that this BUILD file does not need to do anything except exist.
Loading: 4 packages loaded
    currently loading: asylo/bazel/application_wrapper ... (20 packages)
    Fetching @linux_sgx; Restarting.
    Fetching @com_google_asylo_backend_provider; Restarting.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Deleting stale sandbox base /root/.cache/bazel/_bazel_root/e99e07f24ebd301f8e219cdfec3646b6/sandbox
INFO: Elapsed time: 0.513s, Critical Path: 0.02s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
INFO: Build options --crosstool_top, --custom_malloc, --define, and 2 more have changed, discarding analysis cache.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Elapsed time: 0.336s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
INFO: Build option --compilation_mode has changed, discarding analysis cache.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Elapsed time: 0.251s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
INFO: Build options --compilation_mode and --define have changed, discarding analysis cache.
INFO: Analyzed 0 targets (0 packages loaded, 0 targets configured).
INFO: Found 0 test targets...
INFO: Elapsed time: 0.240s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
ONE OR MORE TESTS FAILED

cc @anghelcovici

Hi,

I am building asylo using hardware mode with the following command:

docker run -it --rm
--device=/dev/isgx
-v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
-v bazel-cache:/root/.cache/bazel
-v "${MY_PROJECT}":/opt/my-project
-w /opt/my-project
gcr.io/asylo-framework/asylo
bazel run --config=sgx //hello_world -- --names="${NAMES}"

However, it says several http archive package cannot be found. Can someone help?

I have attached the full error log when i use the interactive mode to build as following.

rd@rd-desktop:~/Desktop/asylo-docker$ sudo docker run -it --rm -v bazel-cache:/root/.cache/bazel -v "${MY_PROJECT}":/opt/my-project -w /opt/my-project --device=/dev/isgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gcr.io/asylo-framework/asylo
root@73f53a8ff77f:/opt/my-project# bazel run --config=sgx //hello_world -- --names="${NAMES}"
Starting local Bazel server and connecting to it...
ERROR: /root/.cache/bazel/_bazel_root/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/arch/BUILD:273:1: error loading package '@com_google_asylo//asylo/grpc/auth/core': Unable to load package for '@io_bazel_rules_go//go:def.bzl': The repository '@io_bazel_rules_go' could not be resolved and referenced by '@com_google_asylo//asylo/platform/arch:trusted_fork'
ERROR: /root/.cache/bazel/_bazel_root/b6bc0828d5b43c7085b650e0698bf388/external/com_google_asylo/asylo/platform/arch/BUILD:273:1: error loading package '@com_google_asylo//asylo/grpc/auth/core': Unable to load package for '@io_bazel_rules_go//go:def.bzl': The repository '@io_bazel_rules_go' could not be resolved and referenced by '@com_google_asylo//asylo/platform/arch:trusted_fork'
ERROR: Analysis of target '//hello_world:hello_world' failed; build aborted: error loading package '@com_google_asylo//asylo/grpc/auth/core': Unable to load package for '@io_bazel_rules_go//go:def.bzl': The repository '@io_bazel_rules_go' could not be resolved
INFO: Elapsed time: 5.368s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (54 packages loaded, 2785 targets
FAILED: Build did NOT complete successfully (54 packages loaded, 2785 targets
configured)
currently loading: @com_google_asylo//asylo/grpc/auth/core

Thank you!

oh, i see the quick fix in user group by adding the following to workspace.

load("@com_google_asylo//asylo/bazel:asylo_deps.bzl", "asylo_go_deps")
asylo_go_deps()

Hi,

Is it possible to use Asylo in hardware mode? In particular, would anything in asylo break if the signed enclave shared object is linked against the hardware trts_library, and hardware service_library. Have there been complications in linking Asylo against the hardware libraries/running in hardware?

Btw, this project is really cool, thank you!

I'm trying to run bazel sync to download Asylo's dependencies in docker, but get the following error:

INFO: Repository 'six_archive' used the following cache hits instead of downloading the corresponding file.
 * Hash '105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a' for https://pypi.python.org/packages/source/s/six/six-1.10.0.tar.gz
If the definition of 'six_archive' was updated, verify that the hashes were also updated.
ERROR: An error occurred during the fetch of repository 'six_archive':
   Traceback (most recent call last):
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/bazel_tools/tools/build_defs/repo/http.bzl", line 57
                workspace_and_buildfile(ctx)
        File "/.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 61, in workspace_and_buildfile
                ctx.symlink(ctx.attr.build_file, "BUILD.bazel")
Not a regular file: /.cache/bazel/_bazel_ivanpetrov/b6bc0828d5b43c7085b650e0698bf388/external/com_google_protobuf/six.BUILD

My WORKSPACE looks like this:

workspace(name = "asylo_test")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "com_google_asylo",
    sha256 = "7f53d61d91a8d6963a5665088b02129d643a4cfbcab883f1076b71bcbe07184d",
    strip_prefix = "asylo-088ea3490dd4579655bd5b65b0e31fe18de7f6dd",
    urls = [
        # Head commit on 2019-11-21.
        "https://github.com/google/asylo/archive/088ea3490dd4579655bd5b65b0e31fe18de7f6dd.tar.gz",
    ],
)

load("@com_google_asylo//asylo/bazel:asylo_deps.bzl", "asylo_deps", "asylo_go_deps")
asylo_deps()
asylo_go_deps()

load("@com_google_asylo//asylo/bazel:sgx_deps.bzl", "sgx_deps")
sgx_deps()

And my Dockerfile looks like this:

FROM gcr.io/asylo-framework/asylo:buildenv-v0.5.0

I have been experimenting compiling Rust to a static library and linking it against our existing enclave code (will provide detailed steps if anyone is interested), but while I can link the resulting artifacts against standard C++ code, asylo seems picky about it, and I get the following errors in bazel:

bazel-out/k8-fastbuild/bin/rust/oak_runtime/liboak_runtime--866734307.a(divxc3.o): In function `__divxc3':
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:23: undefined reference to `fmaxl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:23: undefined reference to `logbl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:26: undefined reference to `scalbnl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:27: undefined reference to `scalbnl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:31: undefined reference to `scalbnl'
/rustc/1423bec54cf2db283b614e527cfd602b481485d1/src/llvm-project/compiler-rt/lib/builtins/divxc3.c:33: undefined reference to `scalbnl'

For reference, I also came across this https://dev.to/luzero/building-crates-so-they-look-like-c-abi-libraries-1ibn#static-libraries , but it did not help.

I cannot seem to reproducibly build the enclave code on my machine. I am using the following steps:

1. docker run -it --rm -v bazel-cache:/root/.cache/bazel -v "${PWD}":/opt/my-project -w /opt/my-project gcr.io/asylo-framework/asylo
   • [execute the following steps from within the running Docker container]
2. bazel build --config=sgx-sim //asylo/examples/hello_world
3. cp bazel-bin/asylo/examples/hello_world/hello_enclave_unsigned.so enclave_$(date --iso-8601=seconds).so
4. bazel clean
5. bazel build --config=sgx-sim //asylo/examples/hello_world
6. cp bazel-bin/asylo/examples/hello_world/hello_enclave_unsigned.so enclave_$(date --iso-8601=seconds).so
7. sha1sum enclave_*

Note that the resulting hashes differ, e.g. on my machine I get the following:

b88b0156ebc354ef15cf706fdf4428e998b68356  enclave_2019-10-01T18:51:50+00:00.so
e48909687b68f586e1c3b4facf66cad2b4e51f1a  enclave_2019-10-01T18:55:54+00:00.so

ref project-oak/oak#241
cc @anghelcovici @deeglaze @KeithMoyer @annasapek

Dear Asylo developers,
I have searched (on your websites, blogs, etc) for a list of concrete threats that Asylo will protect against once it's ready for production and how it protects the enclave from those threats.

I know it's hard to say since there are so many possible threats, I found the following on https://asylo.dev/about/overview.html#security-backends

Asylo is designed to integrate applications with enclaves that provide confidentiality and integrity guarantees against the following threats:

• Malicious or compromised administrator
• Malicious or compromised tenant of a hypervisor
• Malicious or compromised network
• Compromised operating system
• Compromised BIOS

I just wonder if there is a more precise answer and a list of techniques that you use to secure the enclave (e.g. ram encryption etc.)

Lastly, I wonder what the best practise is to get sensitive data + code into the enclave running in an untrusted environment. Building the enclave locally, uploading it to the untrusted vm and execute it and afterwards downloading the enclave again including the results? Is there a mechanism in the enclave to protect the user from man-in-the-middle attacks when communicating with the docker container over a port?

I apologize if there is an obvious answer to those questions that I have not found or understood.

Thank you so much and best regards,
Jan

Hi,

I find some descriptions might need update as following.

"${ASYLO}"/sdk/asylo/distrib/sgx_x86_64/install-toolchain
--user
--prefix "${ASYLO}"/toolchains/sgx_x86_64

may need to be updated to

"${ASYLO}"/sdk/asylo/distrib/toolchain/install-toolchain
--user
--prefix "${ASYLO}"/toolchains/sgx_x86_64

or else. Since the install-toolchain script is relocated.

The link address for distrib/README.md
https://github.com/google/asylo/blob/master/asylo/distrib/README.md
may want to change to
https://github.com/google/asylo/blob/master/asylo/distrib/toolchain/README.md

Thanks!

Hello Asylo team,

I've been trying step through the hello_world example (manual installation not Docker container) with GDB but am unable to properly read symbols. More specifically, I'm trying GDB on the hello_world_host_loader but getting "no debugging symbols found".
I have tried building the example with the Bazel options --strip=never and --compilation_mode=dbg but have had no luck.
Do you have any tips?

Thanks!

I wonder if the current BoringSSL wrapper is actually benefiting from the trusted hardware (see https://github.com/google/channel-id-enclave/tree/master/boringssl). Simply put, are the secrets (private key, session key, etc.) allocated inside enclaves?

Asylo has definitions for several types of assertions:

• SetNullAssertionDescription
• SetSgxLocalAssertionDescription
• SetSgxRemoteAssertionDescription

But it looks like only the first two are implemented in a form of gRPC credentials:

• null_credentials_options.cc
• sgx_local_credentials_options.cc

Does it mean that SGX remote attestation for gRPC is not yet implemented, or it is implemented but in different place/form?

An extra null pointer check is not needed in functions like the following.

• SetEnclaveConfig
• SetEnclaveName
• EnclaveManager::Configure

Will you support ARM trustzone?

Hi Dears,

I saw there is posix io interface for secure storage under "asylo/platform/storage/secure", where I need to manually set the encryption key with ioctl and mode with O_SECURE.

Can I use this feature via c++ fstream, i.e. how can I set the key and how can I refer this is an encrypted file ?

It'd be important to get some more practical information on how to sign production enclaves. I think one needs to request an enclave signing certificate from Intel.

Asylo manual instruction guide has broken links and version mismatch.

The master branch now uses SGX SDK version 2.4, but the page says it is using SGX SDK 2.3 and the corresponding link is broken.

I did a manual installation inside a centos/7 VM (via vagrant) as follows:

Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"
  config.vm.synced_folder ".", "/sgx-poc"
  config.vm.provision "shell", inline: <<-SHELL

    # SGX prerequisites
    yum clean all
    sudo yum -y groupinstall 'Development Tools'
    sudo yum -y install ocaml ocaml-ocamlbuild wget python openssl-devel libcurl-devel protobuf-devel

    # SGX driver, PSW & SDK (see https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/)
    wget https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/sgx_linux_x64_driver_4d69b9c.bin
    wget https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/sgx_linux_x64_sdk_2.3.100.46354.bin
    wget https://download.01.org/intel-sgx/linux-2.3/centos7.5-server/sgx_linux_x64_psw_2.3.100.46354.bin
    sudo chmod +x *.bin
    sudo ./sgx_linux_x64_driver_4d69b9c.bin
    sudo ./sgx_linux_x64_sdk_2.3.100.46354.bin --p /sgx
    sudo ./sgx_linux_x64_psw_2.3.100.46354.bin
    echo "source /sgx/sgxsdk/environment" >> /home/vagrant/.bash_profile

    # install docker
    sudo yum install -y docker
    sudo groupadd docker
    sudo usermod -aG docker $USER
    sudo systemctl enable docker
    sudo systemctl start docker

    # bazel dependencies
    sudo yum install -y bison build-essential flex libisl-0.18-dev libmpc-dev libmpfr-dev rsync texinfo wget zlib1g-dev

    # clone asylo tool chain
    ASYLO="${HOME}"/asylo
    git clone https://github.com/google/asylo.git "${ASYLO}"/sdk

    # build asylo tool chain
    "${ASYLO}"/sdk/asylo/distrib/sgx_x86_64/install-toolchain \
        --user \
        --prefix "${ASYLO}"/toolchains/sgx_x86_64

    # bazel dependencies
    sudo yum install -y ocaml-nox ocamlbuild python-jinja2

    # bazel installation
    sudo yum install -y curl gnupg
    sudo wget -P /etc/yum.repos.d/ https://copr.fedorainfracloud.org/coprs/vbatts/bazel/repo/epel-7/vbatts-bazel-epel-7.repo
    sudo yum install -y update
    sudo yum install -y install bazel openjdk-8-jdk-headless
  SHELL
end

However I got the following error when I run the build of the grpc_server example

$ bazel build //grpc_server --incompatible_package_name_is_a_function=false
INFO: Invocation ID: 9b54bf94-9ead-40da-a394-0e5e0a539f9f
ERROR: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_google_asylo/asylo/platform/posix/BUILD:51:12: Configurable attribute "deps" doesn't match this configuration (would a default condition help?).
Conditions checked:
 @com_google_asylo//asylo/platform/arch:sgx
WARNING: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/BUILD:1992:1: in srcs attribute of cc_library rule @com_github_grpc_grpc//:grpc_nanopb: please do not import '@com_github_grpc_grpc//third_party/nanopb:pb_common.c' directly. You should either move the file to this package or depend on an appropriate rule there. Since this rule was created by the macro 'grpc_generate_one_off_targets', the error might have been caused by the macro implementation in /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/bazel/grpc_build_system.bzl:180:12
WARNING: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/BUILD:1992:1: in srcs attribute of cc_library rule @com_github_grpc_grpc//:grpc_nanopb: please do not import '@com_github_grpc_grpc//third_party/nanopb:pb_decode.c' directly. You should either move the file to this package or depend on an appropriate rule there. Since this rule was created by the macro 'grpc_generate_one_off_targets', the error might have been caused by the macro implementation in /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/bazel/grpc_build_system.bzl:180:12
WARNING: /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/BUILD:1992:1: in srcs attribute of cc_library rule @com_github_grpc_grpc//:grpc_nanopb: please do not import '@com_github_grpc_grpc//third_party/nanopb:pb_encode.c' directly. You should either move the file to this package or depend on an appropriate rule there. Since this rule was created by the macro 'grpc_generate_one_off_targets', the error might have been caused by the macro implementation in /home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_github_grpc_grpc/bazel/grpc_build_system.bzl:180:12
ERROR: Analysis of target '//grpc_server:grpc_server' failed; build aborted: 

/home/vagrant/.cache/bazel/_bazel_vagrant/b9d0be009bfac4e144aee182fff6b184/external/com_google_asylo/asylo/platform/posix/BUILD:51:12: Configurable attribute "deps" doesn't match this configuration (would a default condition help?).
Conditions checked:
 @com_google_asylo//asylo/platform/arch:sgx
INFO: Elapsed time: 0.289s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (0 packages loaded, 0 targets configured)

This appeared to be fixed when I modified the following section of the platform posix build /asylo/platform/posix/BUILD file.

From:

cc_library(
    name = "trusted_posix",
    copts = ASYLO_DEFAULT_COPTS,
    deps = select({
        "//asylo/platform/arch:sgx": [":posix"],
    }),
)

To:

cc_library(
    name = "trusted_posix",
    copts = ASYLO_DEFAULT_COPTS,
    deps = select({
        "//asylo/platform/arch:sgx": [":posix"],
        "//conditions:default": [":posix"],
    }),
)

This can easily be reproduced by running the vagrant file and trying to build the grpc_server example from https://asylo.dev/asylo-examples.tar.gz.

I am doing something so that my configuration is not correctly being detected?

Is the lack of a default configuration a bug?

Hi,

I have problems with running grpc server inside SGX enclave with asylo.
Everything works but processor usage is strange.
Even when grpc server is running in idle 4 processor cores are used 100%

This can easily be reproduced by running grpc_server example from https://asylo.dev/asylo-examples.tar.gz

Could you please take a look?

br,
Mario

Hello,

I'm going through the manual installation of the newest version of Asylo and I'm running into a couple of errors. I've updated all the dependencies and Bazel and I'm trying to do the bazel run of hello_world in simulation mode.

1. The tutorial doesn't seem to name the SGX toolchain installed by the Asylo sdk's install-toolchain properly:

.../external/com_google_asylo_sgx_backend/toolchain/BUILD:60:1: in cc_toolchain rule @com_google_asylo_sgx_backend//toolchain:cc-compiler-sgx_x86_64-gcc: Error while selecting cc_toolchain: Toolchain identifier 'asylo_sgx_x86_64' was not found, valid identifiers are [sgx_x86_64, asylo_k8]

I changed the line in BUILD from

toolchain_identifier = "asylo_sgx_x86_64",

to

toolchain_identifier = "sgx_x86_64",

and that seemed to solve it.

2. Next I'm running into this error:

... /external/com_google_asylo/asylo/platform/arch/BUILD:114:1: C++ compilation of rule '@com_google_asylo//asylo/platform/arch:untrusted_sgx' failed (Exit 1) gcc failed: error executing command /usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -B/usr/bin -B/usr/bin -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer -g0 -O2 '-D_FORTIFY_SOURCE=1' -DNDEBUG ... (remaining 83 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc: In member function 'virtual asylo::StatusOr<std::unique_ptrasylo::EnclaveClient > asylo::SgxLoader::LoadEnclave(const string&, void*) const':
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc:180:10: error: could not convert 'client' from 'std::unique_ptrasylo::SgxClient' to 'asylo::StatusOr<std::unique_ptrasylo::EnclaveClient >'
return client;
^~~~~~
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc: In member function 'virtual asylo::StatusOr<std::unique_ptrasylo::EnclaveClient > asylo::SgxEmbeddedLoader::LoadEnclave(const string&, void*) const':
external/com_google_asylo/asylo/platform/arch/sgx/untrusted/sgx_client.cc:217:10: error: could not convert 'client' from 'std::unique_ptrasylo::SgxClient' to 'asylo::StatusOr<std::unique_ptrasylo::EnclaveClient >'
return client;
^~~~~~
Target //hello_world:hello_world failed to build

Any help would be appreciated, thanks.

I‘m trying to introduce opencv to my enclave application. I started from modifying the hello_world example as following:

1. add some opencv code to hello_enclave.cc:

#include <opencv2/opencv.hpp>
#include <opencv2/core.hpp>
...
cv::Mat image;
image = cv::imread( "image.jpg", 1 );
LOG(INFO) << "Hello " << visitor;

2. add dependence to BUILD:

cc_unsigned_enclave(
    name = "hello_enclave_unsigned.so",
    srcs = ["hello_enclave.cc"],
    deps = [
        ":hello_cc_proto",
        "@com_google_absl//absl/strings",
        "@com_google_asylo//asylo:enclave_runtime",
        "@com_google_asylo//asylo/util:logging",
        "@com_google_asylo//asylo/util:status",
        "@opencv//:opencv"
    ],
)

3. define opencv dependence in WORKSPACE:

new_local_repository(
    name = "opencv",
    path = "/opt/my-project/opencv_bazel/opencv/opencv-install",
    build_file = "opencv.BUILD",
)

4. and here's the opencv.BUILD:

cc_library(
    name = "opencv",
    srcs = glob(["lib/*.so*"]),
    hdrs = glob(["include/**/*.hpp", "include/**/*.h"]),
    includes = ["include"],
    visibility = ["//visibility:public"],
    linkstatic = 1,
)

When I execute bazel run, following error encountered:

bazel run --config=sgx-sim //hello_world:hello_world --verbose_failures
INFO: Analyzed target //hello_world:hello_world (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
INFO: From Signing for debug: //hello_world:hello_enclave_unsigned_sgx_sim.so:
Symbol table incorrect The input enclave file is not correct. Error happened while signing the enclave. 0 0 0x40000 0x2000000 12 0 0 0 0 0 0xffffffff
ERROR: /opt/my-project/hello_world/BUILD:56:1: output 'hello_world/hello_enclave_sgx_sim.so' was not created
ERROR: /opt/my-project/hello_world/BUILD:56:1: not all outputs were created or valid
Target //hello_world:hello_world failed to build
INFO: Elapsed time: 0.859s, Critical Path: 0.08s
INFO: 1 process: 1 processwrapper-sandbox.
FAILED: Build did NOT complete successfully
FAILED: Build did NOT complete successfully

Will try to build opencv as static library later, might that helps?

I build the project with docker. I test it on both MacOS and Ubuntu.

I run sqlite3 example with gcr.io/asylo-framework/asylo:latest image.

I go to the following directory:
/opt/my-project/bazel-cache/_bazel_root/b6bc0828d5b43c7085b650e0698bf388/execroot/asylo_examples/bazel-out/k8-fastbuild/bin/sqlite3#

I run the following command:
./asylo_sqlite_sgx_sim ex1.db

I run the following sqlite shell command:
create table tbl1(one varchar(10), two smallint);

I get this error from sqlite shell:
Error: disk I/O error

I am currently testing non-docker mode of Asylo installation.

I simply ran bazel run --coinfig=sgx //hello-world and got the following error

ERROR: The enclave image should have '.note.sgxmeta' section Regular sections incorrect The input enclave file is not correct. Error happened while signing the enclave. <EnclaveConfiguration> <ProdID>0</ProdID> <ISVSVN>0</ISVSVN> <StackMaxSize>0x40000</StackMaxSize> <HeapMaxSize>0x47000000</HeapMaxSize> <TCSNum>200</TCSNum> <TCSPolicy>0</TCSPolicy> <DisableDebug>0</DisableDebug> <ProvisionKey>0</ProvisionKey> <EnableKSS>0</EnableKSS> <MiscSelect>0</MiscSelect> <MiscMask>0xffffffff</MiscMask> </EnclaveConfiguration>

Actually the .note.sgxmeta section header is missing in libhello_enclave_unsigned.so

$ objdump -h bazel-bin/hello-world/libhello_enclave_unsigned.so
libhello_enclave_unsigned.so:     file format elf64-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn

  0 .interp       0000000f  0000000000000200  0000000000000200  00000200  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .note.gnu.property 00000040  0000000000000210  0000000000000210  00000210  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .hash         00000054  0000000000000250  0000000000000250  00000250  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .dynsym       00000180  00000000000002a8  00000000000002a8  000002a8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynstr       000000ea  0000000000000428  0000000000000428  00000428  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .gnu.version  00000020  0000000000000512  0000000000000512  00000512  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .gnu.version_d 00000038  0000000000000538  0000000000000538  00000538  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .rela.dyn     00034728  0000000000000570  0000000000000570  00000570  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .rela.plt     000000c0  0000000000034c98  0000000000034c98  00034c98  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .plt          00000090  0000000000034d60  0000000000034d60  00034d60  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 .text         004569d9  0000000000034e00  0000000000034e00  00034e00  2**6
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .nipx         00000b36  000000000048b7d9  000000000048b7d9  0048b7d9  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 malloc_hook   00000212  000000000048c310  000000000048c310  0048c310  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .rodata       0008d6c0  000000000048d000  000000000048d000  0048d000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .eh_frame     00118144  000000000051a6c0  000000000051a6c0  0051a6c0  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 15 .gcc_except_table 0001c001  0000000000632804  0000000000632804  00632804  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 16 .tdata        00000010  000000000084e808  000000000084e808  0064e808  2**3
                  CONTENTS, ALLOC, LOAD, DATA, THREAD_LOCAL
 17 .tbss         00000250  000000000084e818  000000000084e818  0064e818  2**3
                  ALLOC, THREAD_LOCAL
 18 .init_array   000004c8  000000000084e818  000000000084e818  0064e818  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 19 .fini_array   00000018  000000000084ece0  000000000084ece0  0064ece0  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 20 .data.rel.ro  00015538  000000000084ed00  000000000084ed00  0064ed00  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 21 .dynamic      000001b0  0000000000864238  0000000000864238  00664238  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 22 .got          00000050  00000000008643e8  00000000008643e8  006643e8  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 23 .got.plt      00000058  0000000000864438  0000000000864438  00664438  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 24 .data         000037ac  00000000008644a0  00000000008644a0  006644a0  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 25 .niprod       000008c0  0000000000867c80  0000000000867c80  00667c80  2**6
                  CONTENTS, ALLOC, LOAD, DATA
 26 .nipd         00000008  0000000000868540  0000000000868540  00668540  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 27 .reserved_data 00100000  0000000000868560  0000000000868560  00668560  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 28 .reserved_bss 00100000  0000000000968560  0000000000968560  00768560  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 29 .reserved_heap 00100000  0000000000a68560  0000000000a68560  00868560  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 30 .bss          0001a468  0000000000b68580  0000000000b68580  00968560  2**6
                  ALLOC
 31 .comment      00000011  0000000000000000  0000000000000000  00968560  2**0
                  CONTENTS, READONLY

To my understanding, the .note.sgxmeta section is derived from libsgx_trts.a library.

AS the header is not found, there may be some problem with linking TRTS library?

Since I am not a bazel expert, it is hard for me to pinpoint the root cause

Hi devs,

It appears that enclaves created with Asylo can produce assertions of their identity (known as an enclave report in SGX lingo) which can be verified by some remote authority. However, I cannot find any examples of an authority performing remote attestation using the Intel Attestation Service (IAS). Is this a feature that is currently supported, and if not, do you expect remote attestation via IAS to be supported in the future?

As a follow-up question (if relevant): without IAS, I believe we cannot fully verify that the hardware running an enclave is authentic. Do the identity assertions provided by Asylo still offer some degree of confidence that an enclave is authentic? In other words, is remote attestation still relatively useful even without support for hardware verification via IAS?

Hi, I've noticed that Ayslo already support using Intel SGX hardware backend.
I wonder if Aylso will support using AMD SEV hardware backend in the future?

Thanks a lot!

https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection#applysgxmitigation

Some part of it should be handled by the patched LLVM: https://reviews.llvm.org/D75938
but that may not cover e.g. BoringSSL assembly code

Hi.
I’m having problems when trying to build the example in platform/primitives/examples
I’ve built the docker image from Dockerfile and for building the example I’m following the steps in README.

First, when building hello_enclave with
bazel build :hello_enclave.so --config=asylo --define=ASYLO_SIM=1
I get an error saying that config value asylo is not defined.

Second, when building the hello_driver with
bazel build :hello_driver --define=ASYLO_SIM=1
I get following compile error

Any chance you could help to figure out what is wrong here?
Thanks!

I'm trying to compile an Asylo gRPC client for android using the Android Native Development Kit (NDK), but get the following error:

ERROR: /usr/local/google/home/ivanpetrov/.cache/bazel/_bazel_ivanpetrov/8772cf28264fce63c397d94b96d607b4/external/com_google_asylo/asylo/identity/null_identity/BUILD:58:1: C++ compilation of rule '@com_google_asylo//asylo/identity/null_identity:null_assertion_verifier' failed (Exit 1) clang failed: error executing command external/androidndk/ndk/toolchains/llvm/prebuilt/linux-x86_64/bin/clang '-D__ANDROID_API__=28' -isystemexternal/androidndk/ndk/sysroot/usr/include/arm-linux-androideabi -target ... (remaining 74 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox
In file included from external/com_google_asylo/asylo/identity/null_identity/null_assertion_verifier.cc:19:
In file included from external/com_google_asylo/asylo/identity/null_identity/null_assertion_verifier.h:25:
In file included from external/com_google_asylo/asylo/identity/enclave_assertion_verifier.h:24:
In file included from external/com_google_asylo/asylo/identity/enclave_assertion_authority.h:24:
In file included from external/com_google_asylo/asylo/crypto/util/byte_container_util.h:24:
external/com_google_asylo/asylo/crypto/util/byte_container_util_internal.h:45:2: error: "Only supported on x86_64 architecture"
#error "Only supported on x86_64 architecture"
 ^
1 error generated.

More information in project-oak/oak#353

cc @tiziano88 @annasapek

I was following the quick start guide to asylo applications and replicating the steps. I noticed that although in dockerfile the wget application is among the applications installed during the construction of the docker image, while running the image, the wget application is not installed. Is the docker image of this link updated?

Asylo Image : gcr.io/asylo-framework/asylo

Hi, Asylo uses protobuf for trustapplication enclave input and output, but as far as I know Protobuf can not be used inside an enclave due to some io problem, like iosfwd.. Then how can asylo work with SGX ? Thanks!
Regards
you.w.l