Comments (11)
agent still need these devices to be mounted
/dev/sgx dir volume mount alone is enough.
from enclave-cc.
check what is the minor for that device on your node from /proc/misc
from enclave-cc.
since we install the SGX SDK libs from their APT repository, we automatically get the latest version 2.18 which is broken due to intel/linux-sgx#920. Creating a symlink from the non-standard /dev/sgx/enclave -> /dev/sgx_enclave fixes the problem
from enclave-cc.
currently our e2e does not check with HW mode, so this issue is not reflected in time in all the PR e2e tests; this situation should be improved.
from enclave-cc.
The SDK fix is expected to be released maybe this week still.
from enclave-cc.
app container also has this issue:
root@iZ2ze49w79e4zvkn2mcbscZ:~# cat /var/log/pods/default_enclave-cc-pod_28c552b5-cc3f-4cf4-ab49-c958edd2416b/hello-world/0.log
2023-01-12T00:37:34.512107365+08:00 stderr F [get_driver_type /home/sgx/jenkins/ubuntuServer2004-release-build-trunk-218/build_target/PROD/label/Builder-UbuntuSrv20/label_exp/ubuntu64/linux-trunk-opensource/psw/urts/linux/edmm_utility.cpp:111] Failed to open Intel SGX device.
2023-01-12T00:37:34.512127777+08:00 stderr F [ERROR] occlum-pal: Failed to create enclave with error code 0x2006: Invalid SGX device. Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards. (line 152, file src/pal_enclave.c)
from enclave-cc.
that means to work around this bug, we need to change both the agent's config.json and the app's yaml to add sgx devices:
for this workload POD definition hello_world-enc.yaml, the device addition example:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: enclave-cc-pod
spec:
  containers:
  - image: docker.io/eqmcc/helloworld_enc
    name: hello-world
    workingDir: "/run/rune/boot_instance/"
    volumeMounts:
    - mountPath: /dev/sgx/enclave
      name: sgx-enclave
    - mountPath: /dev/sgx/provision
      name: sgx-provision
    securityContext:
      privileged: true
    resources:
      limits:
        sgx.intel.com/epc: 600Mi
    env:
    - name: OCCLUM_RELEASE_ENCLAVE
      value: "1"
    command:
    - /run/rune/boot_instance/build/bin/occlum-run
    - /bin/hello_world
  runtimeClassName: enclave-cc
  volumes:
  - name: sgx-enclave
    hostPath:
      path: /dev/sgx_enclave
  - name: sgx-provision
    hostPath:
      path: /dev/sgx_provision
```
from enclave-cc.
@hairongchen if you create these /dev/sgx/enclave -> /dev/sgx_enclave symlinks on the host and use v0.24 device plugin it will just work
from enclave-cc.
PR for temp fix: #90
from enclave-cc.
> @hairongchen if you create these /dev/sgx/enclave -> /dev/sgx_enclave symlinks on the host and use v0.24 device plugin it will just work

Makes sense. Since 0.24.0 the intel sgx plugin mounts the /dev/sgx dir to the /dev/sgx dir in the container environment. Thank you very much.
from enclave-cc.
this would work for the workload container, but the agent still needs these devices to be mounted in, as it does not ask k8s to add the sgx resource via the plugin.
from enclave-cc.
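The host-side checks mentioned in the comments above (the driver's minor in /proc/misc, and whether /dev/sgx/enclave and /dev/sgx/provision reach /dev/sgx_enclave and /dev/sgx_provision), as an added example that is not part of the original thread or the enclave-cc project. The function names, the optional root and misc-file arguments, and the status words are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Checks what the comments rely on:
# the misc minor in /proc/misc, and whether /dev/sgx/<name> reaches /dev/sgx_<name>.
# The root and misc-file arguments are assumptions so it can run on a test tree.

# Print the minor registered for a misc device name; non-zero exit if absent.
sgx_minor() {  # usage: sgx_minor <name> [misc_file]
    awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }' \
        "${2:-/proc/misc}"
}

# Print one status word for a device name (enclave or provision).
sgx_path_status() {  # usage: sgx_path_status <name> [root]
    sps_flat="${2:-}/dev/sgx_$1"
    sps_dir="${2:-}/dev/sgx/$1"
    if [ ! -e "$sps_flat" ]; then
        echo "no-device"; return 1
    fi
    if [ ! -e "$sps_dir" ]; then
        echo "missing-dir-path"; return 1   # also covers a dangling symlink
    fi
    if [ "$(readlink -f "$sps_dir")" != "$(readlink -f "$sps_flat")" ]; then
        echo "dir-path-mismatch"; return 1
    fi
    echo "ok"
}

# Report both devices; the return value is the number of paths needing attention.
sgx_report() {  # usage: sgx_report [root] [misc_file]
    sr_bad=0
    for sr_name in enclave provision; do
        sr_minor=$(sgx_minor "sgx_$sr_name" "${2:-/proc/misc}" 2>/dev/null) \
            || sr_minor="none"
        sr_state=$(sgx_path_status "$sr_name" "${1:-}") || sr_bad=$((sr_bad + 1))
        echo "sgx_$sr_name minor=$sr_minor path=$sr_state"
    done
    return "$sr_bad"
}

# Run against the live host only when asked: sh sgx-paths.sh check
if [ "${1:-}" = "check" ]; then
    sgx_report
fi
```

A `missing-dir-path` result on a node whose /dev/sgx_enclave exists is the state the symlink workaround in this thread addresses.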