TLS support in HW mode

[fixerivan]

I am trying to run nodejs via

SGXLKL_HEAP=900M SGXLKL_KEY=/root/sgx-lkl/build/config/enclave_debug.key sgx-lkl-run ./sgxlkl-miniroot-fs.img /usr/bin/node --version

[ SGX-LKL ] Warning: The application requires thread-local storage (TLS), but the current system configuration does not allow SGX-LKL to provide full TLS support in hardware mode. See sgx-lkl-run --help-tls for more information.

v8.14.0

so I run

sgx-lkl-run --help-tls

[ SGX-LKL ] Warning: Insufficient arguments. No application path provided.
Usage: sgx-lkl-run [--config=path/to/config] [--app=path/to/appconfig] path/to/encl/file/system path/to/executable
path/to/config: Optional: Path to JSON configuration file. If file system image is provided via configuration file it must not be provided on the command line (see below).
path/to/appconfig: Optional: Path to JSON application configuration file. Can be used to provide application configuration (executable path, arguments, environment variables). Not available in release mode.
path/to/encl/file/system: Path to the ext4 enclave file system image.
path/to/executable: Path to executable on enclave file system.
: Arguments for executable.

sgx-lkl-run --version to print version information.
sgx-lkl-run --help to print this help.
sgx-lkl-run --help-tls to print help on how to enable thread-local storage support in hardware mode.

but there is no info at all about how to enable thread-local storage support in hardware mode ...

please advise, thanks

[cpriebe]

Thanks for reporting this! This is a bug. You can access the help text via sgx-lkl-run -t. I have just pushed a fix, so sgx-lkl-run --help-tls should now work again as well.

Fixed in e3fc437.

[fixerivan]

thanks, help text was displayed, but once i followed the instructions:

root@vitro ~/sgx-lkl/tools/kmod-set-fsgsbase # make set-cr4-fsgsbase
make -C /lib/modules/5.1.16-050116-generic/build M=/root/sgx-lkl/tools/kmod-set-fsgsbase modules
make[1]: Entering directory '/usr/src/linux-headers-5.1.16-050116-generic'
Building modules, stage 2.
MODPOST 1 modules
make[1]: Leaving directory '/usr/src/linux-headers-5.1.16-050116-generic'
sudo insmod ./mod_set_cr4_fsgsbase.ko val=1
sudo rmmod mod_set_cr4_fsgsbase
dmesg | tail -n 10
[29900.749478] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #0, CR4 before: 0x003606f0, after: 0x003706f0.
[29900.749479] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #8, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749480] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #10, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749481] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #2, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749482] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #9, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749483] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #11, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749484] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #12, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749486] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #14, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749487] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #6, CR4 before: 0x003606e0, after: 0x003706e0.
[29900.749487] SGX-LKL: Successfully set CR4.FSGSBASE to 1 on CPU #15, CR4 before: 0x003606e0, after: 0x003706e0.

the results are even worse than before, i just get a segfault:

SGXLKL_HEAP=900M SGXLKL_KEY=/root/sgx-lkl/build/config/enclave_debug.key sgx-lkl-run ./sgxlkl-miniroot-fs.img /bin/node --version
Segmentation fault

[cpriebe]

What is /bin/node? Node.js?

./tools/sgx-lkl-disk create --alpine="nodejs" --size=200M nodesjs.img
./build/sgx-lkl-run ./nodesjs.img /usr/bin/node --version
v10.16.0

[fixerivan]

ok this works, thanks!

there is a slight problem with sgx-lkl-disk on newer ubuntu versions DNS will not work in chroot without something like: mount --bind /etc/resolv.conf /mnt/alpine/etc/resolv.conf