./bist runs into error about dynamic-application-loader-host-interface HOT 16 CLOSED

and here is the /etc/jhi/jhi.conf:

transport SOCKET
socket_ip_address 127.0.0.1
log_level RELEASE
socket_path /tmp/jhi_socket
applets_dir /usr/lib/dal/applets
app_repo_dir /var/cache/dal/applet_repository

from dynamic-application-loader-host-interface.

if it's because there is no MEI driver in the Azure VM, why I cant find a MEI driver for ubuntu? I searched everywhere but intel only provides Windows driver.

from dynamic-application-loader-host-interface.

Hi, Can you try to change transport in jhi.conf to default value (AUTO)?

from dynamic-application-loader-host-interface.

@yasminkahlon ,

Thank you for the quick reply. No miracle happens after changing back to AUTO, but error seems a bit different and further in AESMD:

main@PigramUbuntu1804NoEnclave:~/work/wind$ sudo service jhi status
● jhi.service - Intel Dynamic Application Loader Host Interface (JHI)
   Loaded: loaded (/lib/systemd/system/jhi.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-01 12:24:42 UTC; 5min ago
 Main PID: 50212 (jhid)
    Tasks: 1 (limit: 19164)
   CGroup: /system.slice/jhi.service
           └─50212 /usr/local/sbin/jhid

Sep 01 12:24:42 PigramUbuntu1804NoEnclave systemd[1]: Starting Intel Dynamic Application Loader Host Interface (JHI)...
Sep 01 12:24:42 PigramUbuntu1804NoEnclave jhi[50212]: --> jhi start
Sep 01 12:24:42 PigramUbuntu1804NoEnclave jhi[50212]: <-- jhi start
Sep 01 12:24:42 PigramUbuntu1804NoEnclave systemd[1]: Started Intel Dynamic Application Loader Host Interface (JHI).
Sep 01 12:28:14 PigramUbuntu1804NoEnclave jhi[50212]: JHI service release prints are enabled
Sep 01 12:28:14 PigramUbuntu1804NoEnclave jhid[50212]: me: error: Cannot establish a handle to the Intel MEI driver /dev/mei [-2]:No such file or directory
Sep 01 12:28:14 PigramUbuntu1804NoEnclave jhi[50212]: AppletsManager::discoverVmType(), Couldn't connect to either BHv1 or BHv2.
Sep 01 12:28:14 PigramUbuntu1804NoEnclave jhi[50212]: Error: discoverVmType() failed
Sep 01 12:28:14 PigramUbuntu1804NoEnclave jhi[50212]: JHI init failed
main@PigramUbuntu1804NoEnclave:~/work/wind$ sudo service aesmd status
● aesmd.service - Intel(R) Architectural Enclave Service Manager
   Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-01 12:27:07 UTC; 4min 18s ago
  Process: 50596 ExecStart=/opt/intel/libsgx-enclave-common/aesm/aesm_service (code=exited, status=0/SUCCESS)
  Process: 50594 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 50593 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 50581 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 50578 ExecStartPre=/opt/intel/libsgx-enclave-common/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
 Main PID: 50597 (aesm_service)
    Tasks: 4 (limit: 19164)
   CGroup: /system.slice/aesmd.service
           └─50597 /opt/intel/libsgx-enclave-common/aesm/aesm_service

Sep 01 12:27:07 PigramUbuntu1804NoEnclave systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
Sep 01 12:27:07 PigramUbuntu1804NoEnclave systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Sep 01 12:27:07 PigramUbuntu1804NoEnclave aesm_service[50597]: [ADMIN]White List update requested
Sep 01 12:27:07 PigramUbuntu1804NoEnclave aesm_service[50597]: [ADMIN]Platform Services initializing
Sep 01 12:27:07 PigramUbuntu1804NoEnclave aesm_service[50597]: [ADMIN]Platform Services initialization failed due to DAL error
Sep 01 12:27:07 PigramUbuntu1804NoEnclave aesm_service[50597]: The server sock is 0x56382191be60
Sep 01 12:27:07 PigramUbuntu1804NoEnclave aesm_service[50597]: [ADMIN]White list update request successful for Version: 57
main@PigramUbuntu1804NoEnclave:~/work/wind$ 

and the status of JHI before and after ./bist shows as below:

main@PigramUbuntu1804NoEnclave:~/work/wind/dynamic-application-loader-host-interface/bin_linux$ sudo service jhi status
● jhi.service - Intel Dynamic Application Loader Host Interface (JHI)
   Loaded: loaded (/lib/systemd/system/jhi.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-01 12:37:02 UTC; 11s ago
 Main PID: 51252 (jhid)
    Tasks: 1 (limit: 19164)
   CGroup: /system.slice/jhi.service
           └─51252 /usr/local/sbin/jhid

Sep 01 12:37:02 PigramUbuntu1804NoEnclave systemd[1]: Starting Intel Dynamic Application Loader Host Interface (JHI)...
Sep 01 12:37:02 PigramUbuntu1804NoEnclave jhi[51252]: --> jhi start
Sep 01 12:37:02 PigramUbuntu1804NoEnclave jhi[51252]: <-- jhi start
Sep 01 12:37:02 PigramUbuntu1804NoEnclave systemd[1]: Started Intel Dynamic Application Loader Host Interface (JHI).
main@PigramUbuntu1804NoEnclave:~/work/wind/dynamic-application-loader-host-interface/bin_linux$ ./bist
Opening Intel SD session... TEE_OpenSDSession failed. Status: TEE_STATUS_NO_FW_CONNECTION
main@PigramUbuntu1804NoEnclave:~/work/wind/dynamic-application-loader-host-interface/bin_linux$ sudo service jhi status
● jhi.service - Intel Dynamic Application Loader Host Interface (JHI)
   Loaded: loaded (/lib/systemd/system/jhi.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-01 12:37:02 UTC; 20s ago
 Main PID: 51252 (jhid)
    Tasks: 1 (limit: 19164)
   CGroup: /system.slice/jhi.service
           └─51252 /usr/local/sbin/jhid

Sep 01 12:37:02 PigramUbuntu1804NoEnclave systemd[1]: Starting Intel Dynamic Application Loader Host Interface (JHI)...
Sep 01 12:37:02 PigramUbuntu1804NoEnclave jhi[51252]: --> jhi start
Sep 01 12:37:02 PigramUbuntu1804NoEnclave jhi[51252]: <-- jhi start
Sep 01 12:37:02 PigramUbuntu1804NoEnclave systemd[1]: Started Intel Dynamic Application Loader Host Interface (JHI).
Sep 01 12:37:19 PigramUbuntu1804NoEnclave jhi[51252]: JHI service release prints are enabled
Sep 01 12:37:19 PigramUbuntu1804NoEnclave jhid[51252]: me: error: Cannot establish a handle to the Intel MEI driver /dev/mei [-2]:No such file or directory
Sep 01 12:37:19 PigramUbuntu1804NoEnclave jhi[51252]: AppletsManager::discoverVmType(), Couldn't connect to either BHv1 or BHv2.
Sep 01 12:37:19 PigramUbuntu1804NoEnclave jhi[51252]: Error: discoverVmType() failed
Sep 01 12:37:19 PigramUbuntu1804NoEnclave jhi[51252]: JHI init failed
main@PigramUbuntu1804NoEnclave:~/work/wind/dynamic-application-loader-host-interface/bin_linux$ 

from dynamic-application-loader-host-interface.

@yasminkahlon @jlahav ,

Could you recommend a hardware and software environment where I can successfully enable SGX for another application? Is Azure VM a right choice?

I created the Azure VM with option No, rather than Yes, to Open Enclave SDK as this stackoverflower suggests:

/dev/sgx (kernel module intel_sgx) is the DCAP driver. It is installed if you select "Open Enclave" when you create an ACC instance.
/dev/isgx (kernel module isgx) is the non-DCAP driver that uses IAS. If you want this, deselect "Open Enclave" when creating your ACC instance and manually install the non-DCAP Intel SGX driver from Intel.

And install SGX driver, SDK and PSW by building source and following guides from intel's open source linux-sgx. Intel also has another kvm-sgx project which has no step by step README to follow. I dont know which one is the correct choice to be installed on Azure VM. If it's the kvm-sgx, where I can find the installation guide?

Sorry for so many problems. I have been working hard and alone for two weeks but still in the puzzle. Your voice is the first and only one I heard, please help. Thank you very much for any further guide.

Kindest regards,
Main C

from dynamic-application-loader-host-interface.

Hey

I feel you. It's hard working with technologies which are not widespread.

About the question, sadly I can't help with SGX directly as I'm not familiar with the technology. We know DAL and JHI here.

JHI (this repository) is the OS side software of the DAL firmware application. JHI communicates with the firmware through a driver (kernel module on Linux) called mei. mei's device should be under /dev.
If there is no /dev/mei* device, JHI doesn't have a way to communicate with the firmware and its initialization will fail.

If there is such device, let us know and we'll think of another cause for the issue.
If there is no such device, this is where the investigation should continue.

Jonathan

from dynamic-application-loader-host-interface.

I am not sure which driver you installed: if you use non-dcap driver, please follow the driver installation step in open source project: https://github.com/intel/linux-sgx. If you use dcap driver, please follow the driver installation in open source project: https://github.com/intel/SGXDataCenterAttestationPrimitives

By the way, in your VM environment, could you check which device node: /dev/sgx or /dev/isgx? And could you give some information abut your application?

from dynamic-application-loader-host-interface.

@jlahav ,

You moved me. I just found as you mentioned DAL/JHI needs /dev/mei which is absolutely missing and cant be configured/bought to possess in Azure VM.

I was told in another repo/issue that DAL/JHI is just for platform service, it's optional for support to other applications. So even with some reported error in AESMD service, driver and PSW together, without icls/SDK/jhi, can support other applications?

Besides, do you recommend a bare metal machine, rather than a Azure VM, for complete SGX support?

Kindest regards,
Main C

from dynamic-application-loader-host-interface.

@jsun39 ,

With Open Enclave SDK inside the VM, the device is /dev/isgx;
Without Open Enclave SDK inside the VM, there is no device, and I install it from https://github.com/intel/linux-sgx-driver.

The application is also an open source project, https://github.com/signalapp/Signal-Server, which has a dedicated component https://github.com/signalapp/ContactDiscoveryService that requires SGX support, but it's very hard to get all these projects collaborated properly.

from dynamic-application-loader-host-interface.

For JHI you would need bare metal or add /dev/mei or configure passtrhou for 16.0 pci device to your VM guest, I'm not sure you can do that in Azure.
The mei driver is enabled in the stock ubuntu kernel, but you won't see the device node if there is no underlying hardware.

from dynamic-application-loader-host-interface.

I was told in another repo/issue that DAL/JHI is just for platform service, it's optional for support to other applications. So even with some reported error in AESMD service, driver and PSW together, without icls/SDK/jhi, can support other applications?

Sorry, I am not familiar with SGX. For more info about SGX you should ask in the SGX repo.

from dynamic-application-loader-host-interface.

SGX uses DAL for some functionality which is implemented inside CSME (notably monotonic counters IIRC). If you don't need that, maybe it will work without.

from dynamic-application-loader-host-interface.

For JHI you would need bare metal or add /dev/mei or configure passtrhou for 16.0 pci device to your VM guest, I'm not sure you can do that in Azure.
The mei driver is enabled in the stock ubuntu kernel, but you won't see the device node if there is no underlying hardware.

@tomasbw Yes, I found no way to see it in Azure VM, and still no MEI driver for Ubuntu in late 2019.

Sorry, I am not familiar with SGX. For more info about SGX you should ask in the SGX repo.

@jlahav , thank you all the same for feeling the same:D

SGX uses DAL for some functionality which is implemented inside CSME (notably monotonic counters IIRC). If you don't need that, maybe it will work without.

@skochinsky , yes, I am trying to work without it. Hope I can make it

from dynamic-application-loader-host-interface.

@maincui ，I am working on SGX project. I just have a quick view your application: I think your application didn't need platform related feature. So that means you didn't need jhi/CSME/MEi....

When AESMD reported some warning/error message about platform services, just leave it. platform related services are optional for SGX, it is NOT must.

from dynamic-application-loader-host-interface.

@jsun39 , thank you very much for sharing your investigations and insights, I am following your advice leaving AESMD without platform services and going ahead to configure and run CDS. Will definitely report the result upon completion. Thank you again!

from dynamic-application-loader-host-interface.

@jsun39 @jlahav @yasminkahlon @tomasbw and whoever may be confused or confronted this problem, my conclusion and result is:

1. Azure ACC VM can support SGX, install driver and PSW to support other application if you only deploy an application without developing it. The AESMD can tolerate the Platform Services initialization failed due to DAL error to well function.
2. Install SDK if you want to develop an SGX-related application.
3. DAL/JHI is not supported on Azure ACC VM, please find a bare metal machine if you need it.

Thank you four for the help along the long way!

from dynamic-application-loader-host-interface.