Comments (11)

mythi commented on August 15, 2024

> the agent still needs these devices to be mounted

/dev/sgx dir volume mount alone is enough.

from enclave-cc.

mythi commented on August 15, 2024

Check what the minor is for that device on your node from /proc/misc.

mythi commented on August 15, 2024

Since we install the SGX SDK libs from their APT repository, we automatically get the latest version, 2.18, which is broken due to intel/linux-sgx#920. Creating a symlink from the non-standard /dev/sgx/enclave -> /dev/sgx_enclave fixes the problem.

hairongchen commented on August 15, 2024

Currently our e2e does not check with HW mode, so this issue is not reflected in time in all the PR e2e tests; this situation should be improved.

mythi commented on August 15, 2024

The SDK fix is expected to be released maybe this week still.

hairongchen commented on August 15, 2024

The app container also has this issue:

root@iZ2ze49w79e4zvkn2mcbscZ:~# cat /var/log/pods/default_enclave-cc-pod_28c552b5-cc3f-4cf4-ab49-c958edd2416b/hello-world/0.log
2023-01-12T00:37:34.512107365+08:00 stderr F [get_driver_type /home/sgx/jenkins/ubuntuServer2004-release-build-trunk-218/build_target/PROD/label/Builder-UbuntuSrv20/label_exp/ubuntu64/linux-trunk-opensource/psw/urts/linux/edmm_utility.cpp:111] Failed to open Intel SGX device.
2023-01-12T00:37:34.512127777+08:00 stderr F [ERROR] occlum-pal: Failed to create enclave with error code 0x2006: Invalid SGX device. Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards. (line 152, file src/pal_enclave.c)

@mythi @haosanzi

hairongchen commented on August 15, 2024

That means that to work around this bug, we need to change both the agent's config.json and the app's YAML to add the SGX devices.
For this workload pod definition, hello_world-enc.yaml, the device addition example:

apiVersion: v1
kind: Pod
metadata:
  name: enclave-cc-pod
spec:
  containers:
  - image: docker.io/eqmcc/helloworld_enc
    name: hello-world
    workingDir: "/run/rune/boot_instance/"
    volumeMounts:
    - mountPath: /dev/sgx/enclave
      name: sgx-enclave
    - mountPath: /dev/sgx/provision
      name: sgx-provision
    securityContext:
      privileged: true
    resources:
      limits:
        sgx.intel.com/epc: 600Mi
    env:
    - name: OCCLUM_RELEASE_ENCLAVE
      value: "1"
    command:
    - /run/rune/boot_instance/build/bin/occlum-run
    - /bin/hello_world
  runtimeClassName: enclave-cc
  volumes:
  - name: sgx-enclave
    hostPath:
      path: /dev/sgx_enclave
  - name: sgx-provision
    hostPath:
      path: /dev/sgx_provision

mythi commented on August 15, 2024

@hairongchen if you create these /dev/sgx/enclave -> /dev/sgx_enclave symlinks on the host and use the v0.24 device plugin, it will just work.

hairongchen commented on August 15, 2024

PR for temp fix: #90

haosanzi commented on August 15, 2024

> @hairongchen if you create these /dev/sgx/enclave -> /dev/sgx_enclave symlinks on the host and use the v0.24 device plugin, it will just work.

Makes sense. Since 0.24.0, the Intel SGX plugin mounts the /dev/sgx dir to the /dev/sgx dir in the container environment. Thank you very much.

hairongchen commented on August 15, 2024

This would work for the workload container, but the agent still needs these devices to be mounted in, as it does not ask k8s to add the SGX resource via the plugin.

from enclave-cc.
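
The two host-side checks suggested in this thread (the device minor from /proc/misc, and the /dev/sgx/enclave -> /dev/sgx_enclave symlinks), as an added shell example that is not part of the original comments. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Device paths are the ones named in the
# comments; function names and the root-prefix argument are assumptions.

# Print the minor registered for a misc device, from a /proc/misc-format
# file ("<minor> <name>" per line). Misc character devices use major 10.
# $1 = device name, $2 = file to read (default /proc/misc)
misc_minor() {
    awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }' \
        "${2:-/proc/misc}"
}

# For each SGX node, report whether /dev/sgx/<x> resolves when /dev/sgx_<x>
# exists. Returns the number of paths needing attention (0 = all good).
# $1 = root prefix (default empty = the real /dev), so a test tree can be used.
check_sgx_links() {
    root="${1:-}"
    bad=0
    for n in enclave provision; do
        node="$root/dev/sgx_$n"
        link="$root/dev/sgx/$n"
        if [ ! -e "$node" ]; then
            echo "absent   $node"
            bad=$((bad + 1))
        elif [ -e "$link" ]; then
            echo "ok       $link"
        else
            echo "missing  $link (fix: mkdir -p $root/dev/sgx && ln -s ../sgx_$n $link)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Read-only run against the current node.
misc_minor sgx_enclave || echo "sgx_enclave is not registered in /proc/misc"
check_sgx_links || echo "$? SGX device path(s) need attention"
```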
