On Wed, Nov 18, 2020 at 05:24:38PM +0200, Jarkko Sakkinen wrote:
> On Wed, Nov 18, 2020 at 12:47:03PM +0100, Borislav Petkov wrote:
> > On Wed, Nov 18, 2020 at 12:44:44PM +0100, Borislav Petkov wrote:
> > > 0x0000000000000000 0x0000000000002000 0x03
> > > 0x0000000000002000 0x0000000000001000 0x05
> > > 0x0000000000003000 0x0000000000003000 0x03
> > > encl_load: encl->nr_segments: 3
> > > encl_load: seg2 offset: 0x3000, seg2 size: 12288
> > > encl_load: encl_size: 32768, src_size: 24576
> > > encl_map_area: encl_size: 32768
> > > encl_map_area: area: 0x0x7feae0db2000
> > > encl_map_area: encl_base: 0x7feae0db8000
> > > SGX_IOC_ENCLAVE_INIT failed: errno=1
> >
> > Running that same thing again succeeded this time:
> >
> > 0x0000000000000000 0x0000000000002000 0x03
> > 0x0000000000002000 0x0000000000001000 0x05
> > 0x0000000000003000 0x0000000000003000 0x03
> > encl_load: encl->nr_segments: 3
> > encl_load: seg2 offset: 0x3000, seg2 size: 12288
> > encl_load: encl_size: 32768, src_size: 24576
> > encl_map_area: encl_size: 32768
> > encl_map_area: area: 0x0x7f846bec0000
> > encl_map_area: encl_base: 0x7f846bec0000
> > mapping segment 0, seg->prot: (read write )
> > base: 0x7f846bec0000, offset 0x0, size: 8192
> > mapping segment 1, seg->prot: (read exec)
> > base: 0x7f846bec0000, offset 0x2000, size: 4096
> > mapping segment 2, seg->prot: (read write )
> > base: 0x7f846bec0000, offset 0x3000, size: 12288
> > SUCCESS
> >
> > then I did a couple of successful runs and the next one failed again:
> >
> > 0x0000000000000000 0x0000000000002000 0x03
> > 0x0000000000002000 0x0000000000001000 0x05
> > 0x0000000000003000 0x0000000000003000 0x03
> > encl_load: encl->nr_segments: 3
> > encl_load: seg2 offset: 0x3000, seg2 size: 12288
> > encl_load: encl_size: 32768, src_size: 24576
> > encl_map_area: encl_size: 32768
> > encl_map_area: area: 0x0x7fb09d4a0000
> > encl_map_area: encl_base: 0x7fb09d4a0000
> > SGX_IOC_ENCLAVE_INIT failed: errno=1
> >
> > Fun.
>
> If you adjust log level, then you should probably see this from
> sgx_enclave_init():
>
> } else if (ret) {
> pr_debug("EINIT returned %d\n", ret);
> ret = -EPERM;
> }
>
> EINIT fails with big certainty because SIGSTRUCT is malformed. The only
> dynamic thing in that process is RSA key generation sigstruct.c.
> Otherwise, everything is static between the runs. That's why I'm quite
> confident that key generation is the issue. Given how the issue behaves
> I'd guess it eats the entropy pool.
>
> So what I would propose is that I fix this by adding a static 3072-bit
> key and remove the generation code
>
> I found a patch that I can use to revert dynamic generation:
>
> https://lore.kernel.org/linux-sgx/20200319023306.6875-1-jarkko.sakkinen@xxxxxxxxxxxxxxx/
Not going to use at is. Just replace gen_sign_key(). Will be quite
localized fix.
/Jarkko
