aesm_service crashes

[tyxben]

My AESM service crashes, but I don't know why.

Mar 13 15:48:48 sgx-2 systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Mar 13 15:48:48 sgx-2 aesm_service[814396]: The server sock is 0x5bc6f111ca60
Mar 13 15:48:56 sgx-2 systemd[1]: aesmd.service: Main process exited, code=dumped, status=11/SEGV
Mar 13 15:48:56 sgx-2 systemd[1]: aesmd.service: Failed with result 'core-dump'.

My qcln conf is
{
"pccs_url": "https://global.acccache.azure.net/sgx/certification/v3/",
"use_secure_cert": true,
"collateral_service": "https://global.acccache.azure.net/sgx/certification/v3/",
"pccs_api_version": "3.1",
"retry_times": 6,
"retry_delay": 5,
"local_pck_url": "http://169.254.169.254/metadata/THIM/sgx/certification/v3/",
"pck_cache_expire_hours": 24,
"verify_collateral_cache_expire_hours": 24,
"custom_request_options": {
"get_cert": {
"headers": {
"metadata": "true"
},
"params": {
"api-version": "2021-07-22-preview"
}
}
}
}

[juuusto]

Facing the same problem.

[grydz]

I confirm the bug on Ubuntu 20.04 and Ubuntu 22.04 (tested on Microsoft Azure VM Standard_DC2s_v3) with Intel SGX SDK 2.23 (sgx_linux_x64_sdk_2.23.100.2.bin).

Processor and Linux kernel info:

$ uname -a
Linux sgx-ubuntu-22-v2 6.5.0-1019-azure #20~22.04.1-Ubuntu SMP Wed Apr  3 03:28:18 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
$ cat /proc/cpuinfo | grep -i "model name"
model name	: Intel(R) Xeon(R) Platinum 8370C CPU @ 2.80GHz
$ cpuid | grep -i sgx
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = true
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                           = true
      SGX2 supported                           = true
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT       = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes: ECREATE SECS.ATTRIBUTES (0x12/1):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x2):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x3):
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = true
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                           = true
      SGX2 supported                           = true
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT       = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes: ECREATE SECS.ATTRIBUTES (0x12/1):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x2):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x3):

Intel SGX libraries installed:

$ sudo apt list --installed | grep sgx
libsgx-ae-id-enclave/unknown,now 1.20.100.2-jammy1 amd64 [installed,automatic]
libsgx-ae-pce/unknown,now 2.23.100.2-jammy1 amd64 [installed,automatic]
libsgx-ae-qe3/unknown,now 1.20.100.2-jammy1 amd64 [installed,automatic]
libsgx-aesm-ecdsa-plugin/unknown,now 2.23.100.2-jammy1 amd64 [installed,automatic]
libsgx-aesm-pce-plugin/unknown,now 2.23.100.2-jammy1 amd64 [installed,automatic]
libsgx-aesm-quote-ex-plugin/unknown,now 2.23.100.2-jammy1 amd64 [installed]
libsgx-dcap-default-qpl-dbgsym/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-default-qpl-dev/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-default-qpl/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-ql-dbgsym/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-ql-dev/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-ql/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-quote-verify-dbgsym/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-dcap-quote-verify/unknown,now 1.20.100.2-jammy1 amd64 [installed]
libsgx-enclave-common/unknown,now 2.23.100.2-jammy1 amd64 [installed,automatic]
libsgx-epid/unknown,now 2.23.100.2-jammy1 amd64 [installed]
libsgx-headers/unknown,now 2.23.100.2-jammy1 amd64 [installed,automatic]
libsgx-launch/unknown,now 2.23.100.2-jammy1 amd64 [installed]
libsgx-pce-logic/unknown,now 1.20.100.2-jammy1 amd64 [installed,automatic]
libsgx-qe3-logic/unknown,now 1.20.100.2-jammy1 amd64 [installed,automatic]
libsgx-quote-ex/unknown,now 2.23.100.2-jammy1 amd64 [installed]
libsgx-urts/unknown,now 2.23.100.2-jammy1 amd64 [installed]
linux-base-sgx/jammy,now 4.5ubuntu9 all [installed]
sgx-aesm-service/unknown,now 2.23.100.2-jammy1 amd64 [installed]

Trying Intel's quote generation code sample:

~/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample$ make DEBUG=1
make target
make[1]: Entering directory '/home/azureuser/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample'
cd App && /opt/intel/sgxsdk/bin/x64/sgx_edger8r --untrusted ../Enclave/Enclave.edl
GEN  =>  App/Enclave_u.c
CC   <=  App/Enclave_u.c
CXX  <=  App/App.cpp
g++ App/Enclave_u.o App/App.o -o app -m64 -O2 -lsgx_dcap_ql -lsgx_urts -ldl -lpthread -ldcap_quoteprov
LINK =>  app
GEN  =>  Enclave/Enclave_t.c
CC   <=  Enclave/Enclave_t.c
CXX  <=  Enclave/Enclave.cpp
LINK =>  enclave.so
<EnclaveConfiguration>
    <ProdID>0</ProdID>
    <ISVSVN>0</ISVSVN>
    <StackMaxSize>0x40000</StackMaxSize>
    <HeapMaxSize>0x100000</HeapMaxSize>
    <TCSNum>1</TCSNum>
    <TCSPolicy>1</TCSPolicy>
    <DisableDebug>0</DisableDebug>
    <MiscSelect>0</MiscSelect>
    <MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>
tcs_num 1, tcs_max_num 1, tcs_min_pool 1
INFO: Enclave configuration 'MiscSelect' and 'MiscSelectMask' will prevent enclave from using dynamic features. To use the dynamic features on SGX2 platform, suggest to set MiscMask[0]=0 and MiscSelect[0]=1.
The required memory is 1478656B.
The required memory is 0x169000, 1444 KB.
handle_compatible_metadata: Overwrite with metadata version 0x100000004
Succeed.
SIGN =>  enclave.signed.so
The project has been built in release hardware mode.
make[1]: Leaving directory '/home/azureuser/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample'

~/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample$ SGX_AESM_ADDR=1 sudo -E ./app
[APP] Step1: Call sgx_qe_get_target_info:
Error in sgx_qe_get_target_info. 0xe001

$ sudo systemctl status aesmd
● aesmd.service - Intel(R) Architectural Enclave Service Manager
     Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: core-dump) since Wed 2024-04-24 09:59:12 UTC; 2s ago
    Process: 3762 ExecStartPre=/opt/intel/sgx-aesm-service/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 3775 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 3776 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 3777 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 3778 ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 3779 ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 3780 ExecStart=/opt/intel/sgx-aesm-service/aesm/aesm_service (code=exited, status=0/SUCCESS)
   Main PID: 3781 (code=dumped, signal=SEGV)
        CPU: 81ms

Apr 24 09:59:12 sgx-ubuntu-22-v2 systemd[1]: aesmd.service: Failed with result 'core-dump'.

Tried to run aesmd with --no-daemon but it fails with no more info:

$ sudo systemctl stop aesmd
$ sudo -u aesmd bash -c "LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm /opt/intel/sgx-aesm-service/aesm/aesm_service --supported_attestation_types=ECDSA --no-daemon"
The path of system bundle: System Bundle
ecdsa_quote_service_bundle_name:2.0.0
linux_network_service_bundle_name:2.0.0
pce_service_bundle_name:2.0.0
quote_ex_service_bundle_name:2.0.0
system_bundle:4.0.0
Segmentation fault

[llly]

Yes. This is a bug that aesm_service crashes on Azure. See SGXDataCenterAttestationPrimitives/366. Fix has been committed and will be released in 2.24 release very soon.

[grydz]

Whoops, I missed the issue on SGXDataCenterAttestationPrimitives repository...

Thanks, I just saw that version 1.21.100.3 has been released in Intel's APT repository. It solves the issue!