Platform Software Failed Due to DAL #190
Comments
Behind a proxy? Configure /etc/aesmd.conf with your proxy details.
Hi dtzimmerman, I think this is not a proxy issue since I also did not configure the proxy on my notebook with SGX and the call to sgx_ra_get_msg1 works in my notebook. I would like to add a message from the AESMD after restarting the service:
    Dec 18 11:10:23 rodel aesm_service[2748]: The server sock is 0x558401df0940
What could cause DAL error when the aesmd is started/restarted? Could this cause the call to sgx_ra_get_msg1 to timeout? Thanks! Kind Regards,
DAL is only needed for SGX platform service. In your case, the failure of EPID provisioning is not related to DAL. You can just ignore this error.
In most cases, the network failure comes from a wrong proxy setting. Can you retry your program? Maybe the network issue is gone now.
Thanks @andyzyb. I have tried to do it again but with the same result. I am sure our network doesn't require an HTTP proxy since I was able to make the sgx_ra_get_msg1 work from my notebook with SGX. Note that I did not configure the /etc/aesmd.conf file in my notebook. Could there be other reasons for this issue? "[ADMIN]EPID Provisioning failed due to network error"
So far I cannot think of another failure reason, since the error message clearly says network error. Can you paste a full log of AESM?
Hi @andyzyb,
    Dec 19 18:40:18 elephant aesm_service[1318]: The server sock is 0x5654668c8940
Thanks for investigating this. BTW, I can do an HTTP call to any web server outside of our network using HTTPIE. May I know the URL that the sgx_ra_get_msg1 communicates with (to check direct ping/http call to the service)? Thanks.
The server for EPID provisioning is http://ps.sgx.trustedservices.intel.com/. You should get a 405 error code if accessing it manually.
Hi @llly, Thanks. From the server that shows the EPID provisioning network failure, I can confirm that I can do an HTTP call to it from the command line with the proper 405 error message. So, I still don't see why the error is showing EPID provisioning failed due to network error even if I can communicate with the service properly. One thought that I have is the server's firmware. Can it cause some network error (at least for the SGX SDK APIs) if the firmware is outdated? Thanks!
I don't think it's caused by firmware.
Hi @llly, Here's the log messages:
    [/home/rodel/Projects/linux-sgx/psw/ae/aesm_service/source/aesm/application/aesm_logic.cpp|218|service_start|Fri Dec 22 14:58:19 2017]aesm service is starting
@RodelFMiguel, according to the following line in the log
It should be a network issue. Can you double check the availability of http://ps.sgx.trustedservices.intel.com:80 on your PC?
@fqiu1, I have tried the following in the server that doesn't work using HTTPIE command line application in my Ubuntu Server machine:
    http http://ps.sgx.trustedservices.intel.com:80
    HTTP/1.1 405 Method Not Allowed
Furthermore, I did a test using CURL on the same machine:
    curl -v http://ps.sgx.trustedservices.intel.com:80
    < HTTP/1.1 405 Method Not Allowed
From the logs, there seems to be a point where we can actually communicate with the server: Thanks! Kind Regards,
@RodelFMiguel your analysis is reasonable, but I cannot reproduce your problem locally. The error code returned from curl is 52 (CURLE_GOT_NOTHING). In my understanding, the server will not just drop your request even if you have something wrong in the request. Would you please use some HTTP debug tool (i.e. mitmproxy) to make sure whether there is any response from the server, so we can narrow down this issue?
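The manual check discussed in the comments above, as an added example that is not part of any comment or of the linux-sgx project: it sends a GET to the provisioning URL quoted in the thread, interprets curl's documented exit codes (including 52, CURLE_GOT_NOTHING) together with the HTTP status, and lists the uncommented lines of /etc/aesmd.conf. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of linux-sgx.
EPID_URL="http://ps.sgx.trustedservices.intel.com:80"   # URL quoted in the thread

# classify_probe CURL_EXIT HTTP_STATUS -> prints a one-word verdict
classify_probe() {
    rc=$1; status=$2
    case "$rc" in
        0)
            case "$status" in
                405) echo reachable ;;         # expected reply to a manual GET
                407) echo proxy-auth ;;        # a proxy answered, not the service
                *)   echo unexpected-status ;;
            esac ;;
        5|6) echo dns ;;                       # proxy or host name did not resolve
        7)   echo connect ;;                   # TCP connect failed
        28)  echo timeout ;;                   # no answer within --max-time
        52)  echo empty-reply ;;               # CURLE_GOT_NOTHING
        56)  echo reset ;;                     # failure receiving network data
        *)   echo other ;;
    esac
}

# active_conf_lines [FILE]: print the settings actually in effect in the
# AESM config file, i.e. every line that is neither blank nor a comment.
active_conf_lines() {
    conf=${1:-/etc/aesmd.conf}
    [ -r "$conf" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$conf" || true
}

# probe_epid [URL]: run the GET and report exit code, status and verdict.
# Returns 0 only when the endpoint answered with the expected 405.
probe_epid() {
    url=${1:-$EPID_URL}
    status=$(curl --silent --output /dev/null --max-time 15 \
                  --write-out '%{http_code}' "$url")
    rc=$?
    verdict=$(classify_probe "$rc" "$status")
    echo "curl_exit=$rc http_status=$status verdict=$verdict"
    echo "proxy env: http_proxy=${http_proxy:-unset} HTTP_PROXY=${HTTP_PROXY:-unset}"
    echo "active aesmd.conf lines:"; active_conf_lines
    [ "$verdict" = reachable ]
}
```

Source the file and run `probe_epid` on the affected host. The GET is issued with the invoking shell's proxy environment, so the printed proxy variables and config lines show whether that matches what is configured for the AESM service.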
@fqiu1 Happy New Year! I am going to try some debug tool (like mitmproxy), but just for curiosity and just wondering if tcpdump will give some insights to the protocol when calling sgx_ra_get_msg1. From the packet capture below, it seems there's no problem when we are communicating with the service: ps.sgx.trustedservices.intel.com. Also, there seems to be an Expect: 100-continue that did not continue further at the end of the packet capture. There seems to be a handshake towards the end where our server machine did not reply to. I hope this can give some insight to the issue. Thanks a lot! Kind Regards, Here's the packet capture:
    #####:~/Projects/ADV/attestation/ra_master$ sudo tcpdump -i eno1 port 80 -vv
    15:39:58.887752 IP (tos 0x0, ttl 58, id 29475, offset 0, flags [DF], proto TCP (6), length 40)
    15:39:59.439055 IP (tos 0x0, ttl 64, id 21458, offset 0, flags [DF], proto TCP (6), length 40)
    15:40:00.983783 IP (tos 0x0, ttl 58, id 51945, offset 0, flags [DF], proto TCP (6), length 40)
    15:40:02.218827 IP (tos 0x0, ttl 64, id 63931, offset 0, flags [DF], proto TCP (6), length 40)
[UPDATE] The sgx_ra_get_msg1 call works on tag sgx_v1.9 but not on sgx_v2.0 onwards.
[update] Actually your tcpdump shows ps.sgx.trustedservices.intel.com backend may be in AWS, not your host. But still, the logs do indicate a network issue. Please ignore previous comments: notice you are running in an AWS environment. By any chance, are there any network resource limits set in any of your configurations? I'm not familiar enough with AWS to know exactly what knobs to check here. But the log shows it is likely a network issue.
Thanks for your reply. However, I am certain that it is not a network issue, unless there's something new in the latest SDK/PSW when it communicates with the ps.sgx.trustedservices.intel.com server. If you can see my previous comment, with v1.9 of the SDK/PSW, I am able to do a successful remote attestation. But somewhere in between that release and the latest release, the RA doesn't work anymore. What I did is clean install the driver and the SDK/PSW and tried the RA software again. Thank you. Please check this again with clean install on Ubuntu 14.04. Also, the RA doesn't work with any machines that I have (Lenovo T470s and Intel Server Block) and with the latest SDK/PSW (>= v2.0).
Can you do a tcpdump for both >=2.0 (not working) and 1.9 (working)?
@haitaohuang, I guess there's no need to do the tcpdump because I tried the latest gold release, v2.1, and everything seems to work fine. I noticed that there are lots of changes in the PSW on that version so I am thinking this issue got solved? BTW, I will keep monitoring if I ever hit the same problem again. Thank you.
I'm glad v2.1 worked for you. I'm not aware of anyone else reporting this issue so I don't think there are any fixes targeted for this. Anyway, glad to hear everything works now. Let us know if you hit it again.
Hi,
I have pulled the latest driver and software, however, I am seeing the following message in the aesmd service:
"[ADMIN]EPID Provisioning failed due to network error"
This causes my call to sgx_ra_get_msg1 to timeout/fail.
Here's the details of the setup:
What could be causing this issue? Thanks!