Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CapsuleManager启动失败 #34

Open
rrsakura opened this issue Nov 25, 2024 · 6 comments
Open

CapsuleManager启动失败 #34

rrsakura opened this issue Nov 25, 2024 · 6 comments
Labels
no-issue-activity

Comments

@rrsakura
Copy link

PCCS应该是安装好了,状态如下:
root@R750xa:/home/admin/occlum_instance# systemctl status pccs
pccs.service - Provisioning Certificate Caching Service (PCCS)
Loaded: loaded (/var/run/systemd/system/pccs.service, enabled)
Active: active (running)

启动CapsuleManager时报错如下:
root@R750xa:/home/admin/occlum_instance# occlum run /bin/capsule_manager_grpc --tls_config.enable_tls false
OU, SecretFlow
L, HZ
O, AntGroup
ST, HZ
CN, CapsuleManager
C, CN
[2024-11-22 08:55:12.635] [info] [sgx2_generator.cc:102] Start generating sgx2 report
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe011
thread 'main' panicked at bin/grpc-as/src/main.rs:108:6:
capsule_manager init error: Error { code: InternalErr, details: Some("runified_attestation_generate_auth_report err: "[Enforce fail at trustflow/attestation/generation/sgx2/sgx2_generator.cc:114] ioctl(sgx_fd, SGXIOC_GET_DCAP_QUOTE_SIZE, &quote_size) == 0. -1 vs 0.Fail to get quote size, errno = 22\0""), location: Some(ErrorLocation { line: 261, file: "capsule-manager/src/server.rs" }) }
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

配置PCCS时若设置为LAZY模式则报错0xe011,若设置为REQ模式则报错0xe047,请问这种情况有什么解决办法吗?
@zhongtianq
Copy link
Collaborator

0xe011的错误对应的是SGX_QL_NO_PLATFORM_CERT_DATA,The platform library doesn't have any platfrom cert data.
0xe047对应的是SGX_QL_PLATFORM_UNKNOWN,Platform was not found in the cache.

看起来都是平台的证书等没有正确配置。请检查一下pccs部署的时候有没有正确订阅intel的api以及配置相关证书、密钥。
可以参考:https://hub.docker.com/r/intel/pccs

@rrsakura
Copy link
Author

谢谢,另外请问运行TrustFlow整体流程所需的电脑配置如何,SGX和TDX更优先推荐哪个呢?

@zhongtianq
Copy link
Collaborator

电脑配置与实际运行的TEE APP有关,如果是运行一个小的app,对配置要求不高,内存上推荐16G或者32G以上内存。

我们更优推荐TDX,我们后续的规划也会全面拥抱机密虚拟机。

@rrsakura
Copy link
Author

你好,在PCCS配置中设置代理后报错0xe019,请问还是证书的问题吗?已经订阅intel的api密钥了,因为没有证书所以运行的是没有开启mTLS的命令:occlum run /bin/capsule_manager_grpc --tls_config.enable_tls false,但是还是报错。
另外成功运行和SGX1/SGX2有关系吗,用私钥构建occlum时有一条INFO: SGX1 only enclave, which will run on all platforms.是指SGX2没有成功启动吗?

@zhongtianq
Copy link
Collaborator

zhongtianq commented Nov 29, 2024
edited
Loading

occlum的这个INFO可以忽略。0xe019还是访问PCCS的网络问题,请确认一下/etc/sgx_default_qcnl.conf这个配置,例如:

# PCCS server address
"pccs_url": "https://localhost:8081/sgx/certification/v4/",

# To accept insecure HTTPS certificate, set this option to FALSE
"use_secure_cert": false

并且确保配置后把它复制到了occlum_instance目录的./image/etc/sgx_default_qcnl.conf下,然后重新occlum build。

@github-actions GitHub Actions
Copy link

Stale issue message. Please comment to remove stale tag. Otherwise this issue will be closed soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
no-issue-activity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rrsakura @zhongtianq