openenclave: Enclaves failing with OE_IOCTL_FAILED for OE on platforms without AVX

On a fresh Ubuntu 16.04.5 LTS system (local, bare-metal; not an Azure VM), I built openenclave in SGX1 mode (with no FLC) using the directions here, on the master branch. This resulted in 147/173 failed tests from ctest and enclaves that fail to load on an OE_IOCTL_FAILED error:

johnm@sgxvmoe03:~/src/samples/helloworld$ make run
host/helloworldhost ./enc/helloworldenc.signed
21:26:09:066563 tid(0x7f6c3e805700) (H)[ERROR]rc=0xffffffff
[/home/johnm/git/openenclave/host/sgx/linux/sgxioctl.c sgx_ioctl_enclave_create:64]
21:26:09:066717 tid(0x7f6c3e805700) (H)[ERROR]:OE_IOCTL_FAILED[/home/johnm/git/openenclave/host/sgx/sgxload.c oe_sgx_create_enclave:526]
21:26:09:066799 tid(0x7f6c3e805700) (H)[ERROR]:OE_IOCTL_FAILED[/home/johnm/git/openenclave/host/sgx/create.c oe_sgx_build_enclave:658]
21:26:09:066956 tid(0x7f6c3e805700) (H)[ERROR]:OE_IOCTL_FAILED[/home/johnm/git/openenclave/host/sgx/create.c oe_create_enclave:790]
oe_create_helloworld_enclave(): result=15 (OE_IOCTL_FAILED)
Makefile:13: recipe for target 'run' failed
make: *** [run] Error 1

Examining the enclaves in the sample apps shows that they all contain the undefined symbol __tls_get_addr:

$ nm -A */enc*/*.signed | grep -i ' u '
data-sealing/enc1/enclave_a_v1.signed:                 U __tls_get_addr
data-sealing/enc2/enclave_a_v2.signed:                 U __tls_get_addr
data-sealing/enc3/enclave_b.signed:                 U __tls_get_addr
file-encryptor/enc/file-encryptorenc.signed:                 U __tls_get_addr
helloworld/enc/helloworldenc.signed:                 U __tls_get_addr

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 34 (27 by maintainers)

Commits related to this issue

Merge #1540 1540: Setting SECS Attributes.XFRM in enclave to match that supported by Platform and OS r=anitagov a=anitagov Fix for Bug #1511 filed by Intel. Platform/OS supported X-State Features ar... — committed to openenclave/openenclave by oeciteam 5 years ago

Most upvoted comments

When I run “oesgx” binary, I get the following result:

CPU supports Software Guard Extensions:SGX1 MaxEnclaveSize_64: 2^(36)

I think the results look good?

I am running SGX on a physical machine instead of a VM and my concern is that I may still not install the driver correctly? I tried to install the two .bin files in this link: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-linux-2.4-release and it shows installation successful while the device “/dev/isgx” does not show. Is there any possible reason for that issue?

One maybe irrelevant question, when I do rmmod intel_sgx, the mode intel_sgx is still there after reboot, does that matter?

I tried to clean the two module I installed and follow the steps exactly here https://github.com/Microsoft/openenclave/blob/bf0b2292545dfabf7d1e8fe1661bce79b67ad948/docs/GettingStartedDocs/SGX1GettingStarted.md, and it works now! Thanks @jmechalas @johnkord @anitagov and everyone else for your help!

sniperyyc on Mar 26, 2019

Here is my experience. If the /dev/sgx driver (intel_sgx) is installed (the DCAP Intel SGX driver), it has to be removed first (with the correct uninstall.sh, which may be somewhere under /opt/intel/). Only then can you install the non-DCAP /dev/isgx driver (the one that uses Intel IAS), module isgx.

Be careful not to overwrite the uninstall.sh script of the old driver with the new driver. Uninstall the /dev/sgx driver first before even thinking of unzipping/untarring the driver files.

You can also go the other way (from /dev/isgx to /dev/sgx).

danintel on Aug 1, 2019

@sniperyyc - Great that it worked and that the SGX1GettingStarted.md doc also helped.

anitagov on Mar 26, 2019

Hey @sniperyyc ! I think your system currently has the DCAP SGX driver installed. I think you need the non-DCAP SGX driver. You can find the latest version of the non-DCAP SGX driver here I think: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-linux-2.4-release

The DCAP SGX driver can only be installed on SGX systems with FLC, which is what the install_oe_sdk.md guide expects. The DCAP SGX driver installs the “intel_sgx” module, whereas the non-DCAP SGX driver installs the “isgx” module.

Try installing this “isgx” module and see what happens. You might have to remove the intel_sgx module, but I’m not sure. Run this command to see if an sgx device now exists on your system: ls /dev/*sgx. You should see /dev/isgx if the non-DCAP SGX driver is installed properly. (The /dev/sgx device will exist if you’re using the DCAP driver and you’re on an SGX system with FLC)

johnkord on Mar 25, 2019