openenclave: Ctest for the attestation failed

When I build with LVI mitigation, I run:

cmake .. \
-DLVI_MITIGATION=ControlFlow \
-DLVI_MITIGATION_BINDIR=/usr/local/lvi-mitigation/bin
make

I got the result:

[ 15%] Linking CXX executable safecrt_enc-lvi-cfg
/usr/bin/ld: cannot find -link-lvi-mitigation
/usr/bin/ld: CMakeFiles/safecrt_enc-lvi-cfg.dir/__/common/test.cpp.o: unable to initialize decompress status for section .debug_str
/usr/bin/ld: CMakeFiles/safecrt_enc-lvi-cfg.dir/__/common/test.cpp.o: unable to initialize decompress status for section .debug_str
CMakeFiles/safecrt_enc-lvi-cfg.dir/__/common/test.cpp.o: file not recognized: File format not recognized
clang: error: linker command failed with exit code 1 (use -v to see invocation)
tests/safecrt/enc/CMakeFiles/safecrt_enc-lvi-cfg.dir/build.make:149: recipe for target 'tests/safecrt/enc/safecrt_enc-lvi-cfg' failed
make[2]: *** [tests/safecrt/enc/safecrt_enc-lvi-cfg] Error 1
CMakeFiles/Makefile2:8668: recipe for target 'tests/safecrt/enc/CMakeFiles/safecrt_enc-lvi-cfg.dir/all' failed
make[1]: *** [tests/safecrt/enc/CMakeFiles/safecrt_enc-lvi-cfg.dir/all] Error 2
Makefile:181: recipe for target 'all' failed
make: *** [all] Error 2

It works on Ubuntu 18.04, SGX1+FLC model. My environment path is:

/home/dylan/.local/bin:/home/dylan/bin:.:/usr/local/jdk1.8/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

I have installed the dependencies according to the guidance document. The contents of the directory /usr/local/lvi-mitigation/bin are:

drwxr-xr-x 2 root root  4096 Mar 15 14:51 ./
drwxr-xr-x 4 root root  4096 Mar 14 11:38 ../
lrwxrwxrwx 1 root root    57 Mar 14 11:38 as -> /usr/local/lvi-mitigation/external/toolset/ubuntu18.04/as*
-rwxr-xr-x 1 root root   231 Mar 15 19:49 clang-8*
-rwxr-xr-x 1 root root   233 Mar 15 19:49 clang++-8*
lrwxrwxrwx 1 root root    16 Mar 14 11:38 clang-8_symlink -> /usr/bin/clang-8*
lrwxrwxrwx 1 root root    18 Mar 14 11:38 clang++-8_symlink -> /usr/bin/clang++-8*
-rwxr-xr-x 1 root root   227 Mar 15 19:49 g++*
-rwxr-xr-x 1 root root   227 Mar 15 19:49 gcc*
lrwxrwxrwx 1 root root    12 Mar 14 11:38 gcc_symlink -> /usr/bin/gcc*
-r-xr-xr-x 1 root root   660 Mar 14 11:38 generate_wrapper*
lrwxrwxrwx 1 root root    12 Mar 14 11:39 g++_symlink -> /usr/bin/g++*
-r-xr-xr-x 1 root root  2649 Mar 14 11:38 install_lvi_mitigation_bindir*
-r-xr-xr-x 1 root root  1093 Mar 14 11:38 invoke_compiler*
lrwxrwxrwx 1 root root    57 Mar 14 11:38 ld -> /usr/local/lvi-mitigation/external/toolset/ubuntu18.04/ld*
lrwxrwxrwx 1 root root    62 Mar 15 14:50 ld.gold -> /usr/local/lvi-mitigation/external/toolset/ubuntu18.04/ld.gold*
-r-xr-xr-x 1 root root 11514 Mar 14 11:38 lvi-mitigation.py*
lrwxrwxrwx 1 root root    62 Mar 15 14:51 objdump -> /usr/local/lvi-mitigation/external/toolset/ubuntu18.04/objdump*

There was another error when I first ran make:

/usr/bin/as: unrecognized option '-mlfence-before-indirect-branch=register'

Then I created a soft link for as in the directory /usr/bin like this, and it works.

dylan@dylan:/usr/bin$ ll | grep as
lrwxrwxrwx  1 root  root          57 Mar 15 17:28 as -> /usr/local/lvi-mitigation/external/toolset/ubuntu18.04/as*

But after running make again, I got the result shown at the beginning:

[ 15%] Linking CXX executable safecrt_enc-lvi-cfg
/usr/bin/ld: cannot find -link-lvi-mitigation
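
A diagnostic for the toolchain errors in the report above, as an added example that is not part of the original post or of Open Enclave: it checks that each tool from the bindir listing is executable and that the bindir's as accepts -mlfence-before-indirect-branch=register. The function names and the status words it prints are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Open Enclave code. Function names and the status words
# (ok / missing / no-lfence) are assumptions made for this sketch.

LFENCE_OPT='-mlfence-before-indirect-branch=register'

# Return 0 if the assembler at $1 accepts the option that /usr/bin/as rejected.
as_supports_lfence() {
    tmp=$(mktemp) || return 2
    # Assemble empty input; an assembler without the option exits non-zero.
    if "$1" "$LFENCE_OPT" -o "$tmp" /dev/null >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# $1 = directory passed as -DLVI_MITIGATION_BINDIR.
# Prints "<tool> <status> <path>" per tool; returns 1 if any check fails.
check_lvi_bindir() {
    bindir=$1
    status=0
    for tool in as ld clang-8 clang++-8 gcc g++; do
        path="$bindir/$tool"
        # -x follows symlinks, so a dangling link also counts as missing.
        if [ ! -x "$path" ]; then
            echo "$tool missing $path"
            status=1
        elif [ "$tool" = as ] && ! as_supports_lfence "$path"; then
            echo "$tool no-lfence $(readlink -f "$path")"
            status=1
        else
            echo "$tool ok $(readlink -f "$path")"
        fi
    done
    return "$status"
}

# Stand-alone use: sh check_lvi.sh /usr/local/lvi-mitigation/bin
if [ "$#" -gt 0 ]; then
    check_lvi_bindir "$1"
fi
```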

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 56 (7 by maintainers)

Most upvoted comments

@DylanWangWQF Good to know that the TCB status has been logged properly. The tls_e2e test failed because oe_verify_attestation_certificate() cannot accept an invalid TCB status. If you need such a function, you can use oe_verify_attestation_certificate_with_evidence() if an invalid TCB status is acceptable to you.

Ok, I solved my issues with attestation. I checked PCCS with curl; it was returning 200, but the CRL data was invalid (unexpected stream end). To fix that issue I had to remove the pckcache.db file after the downgrade and restart the PCCS service. Finally PCCS responded with a proper CRL, then ctest passed.

Thanks for help

Thanks for the update. Based on the error messages, there seems to be a version mismatch:

 This is a positive test case. Expect no errors
2021-03-16T13:33:47+1300.870073Z [(H)ERROR] tid(0x7f71177ff700) | Expected version to be 1, but got 3 (oe_result_t=OE_INVALID_ENDORSEMENT) [/home/dylan/Documents/SGX_Programming/openenclave/host/sgx/sgxquoteprovider.c:oe_get_sgx_quote_verification_collateral:100]
2021-03-16T13:33:47+1300.870085Z [(H)ERROR] tid(0x7f71177ff700) | :OE_INVALID_ENDORSEMENT [/home/dylan/Documents/SGX_Programming/openenclave/host/sgx/ocalls/ocalls.c:oe_get_quote_verification_collateral_ocall:173]
2021-03-16T13:33:47+1300.870178Z [(E)ERROR] tid(0x7f71177ff700) | mbedtls_tls_client_enc::OE_INVALID_ENDORSEMENT [/home/dylan/Documents/SGX_Programming/openenclave/enclave/sgx/collateralinfo.c:oe_get_sgx_quote_verification_collateral:311]
Assertion failed: "_check_block() panic" == NULL (/home/dylan/Documents/SGX_Programming/openenclave/enclave/core/debugmalloc.c: _check_block: 147)

@ryanhsu19 @yentsanglee Do you know the possible cause of this error (on non-ACC machine)?

I’m reading the log and Intel® Software Guard Extensions (Intel® SGX) Data Center Attestation Primitives: ECDSA Quote Library API. One possible reason is that it automatically installed the latest PCCS/PCS API providing V3 APIs when building the OE according to your guidance.

But as shown on Page 20 in the manual: The ‘version’ field of the sgx_ql_qve_collateral_t structure will reflect the version of the PCCS/PCS API used to retrieve the collateral. For V1 and V2 APIs, the ‘version’ field will have a value of 1. For V3 APIs, the ‘version’ field will have the value of 3.

So I got the error msg Expected version to be 1, but got 3 (oe_result_t=OE_INVALID_ENDORSEMENT).

I’m trying to re-install it with the lower version and check if it works. I will let you know if I get any result.