EGo lets you build, debug and run Go apps on Intel SGX - as simple as conventional Go programming!

EGo

EGo is a framework for building confidential apps in Go. Confidential apps run in always-encrypted and verifiable enclaves on Intel SGX-enabled hardware. EGo simplifies enclave development by providing two user-friendly tools:

  • ego-go, an adapted Go compiler that builds enclave-compatible executables from a given Go project - while providing the same CLI as the original Go compiler.
  • ego, a CLI tool that handles all enclave-related tasks such as signing and enclave creation.

Building and running a confidential Go app is as easy as:

ego-go build hello.go
ego sign hello
ego run hello

Quick Start

If you are on Ubuntu 18.04 or above and do not want to build EGo from source, you can install the binary release:

wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add
sudo add-apt-repository 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main'
wget https://github.com/edgelesssys/ego/releases/download/v0.1.0/ego_0.1.0_amd64.deb
sudo apt install ./ego_0.1.0_amd64.deb

Now you are ready to build applications with EGo! To start, check out the samples.

Build and Install

Prerequisite: Edgeless RT is installed and sourced.

mkdir build
cd build
cmake ..
make
make install

Samples

  • helloworld is a minimal example of an enclave application.
  • remote_attestation shows how to do remote attestation in EGo.
  • vault demonstrates how to port an existing Go application, using Hashicorp Vault as the example.

Documentation

Owner
Edgeless Systems GmbH
Building super-secure and easy-to-use software for Confidential Computing
Comments
  • grpc server gets stuck under stress test

    Issue description

    CPU:Intel 5318Y kernel: 5.12.19 os: debian 10 EGO:v0.4.0 (ecc1a705b7de8c15e1243f6ae888886647d838db)

    A gRPC server started with ego run becomes stuck and cannot handle any requests after a low stress test. strace result: (screenshot) htop result: (screenshot)

    I tried using numactl to bind the server pid to several CPUs, and the problem could not be reproduced any more.

    To reproduce

    sample code:

    package main

    // Import block added for completeness; the original post elided it.
    import (
    	"bytes"
    	"context"
    	"crypto/aes"
    	"crypto/cipher"
    	"encoding/base64"
    	"encoding/hex"
    	"errors"
    	"fmt"
    	"log"
    	"net"

    	"google.golang.org/grpc"
    	// Assumed: the standard gRPC helloworld example package, which matches
    	// the helloworld.Greeter/SayHello call in the reproduction steps.
    	pb "google.golang.org/grpc/examples/helloworld/helloworld"
    )

    // PKCS7Padding pads to a whole number of blocks; a full block of padding
    // is appended when the input is already aligned.
    func PKCS7Padding(ciphertext []byte, blockSize int) []byte {
    	padding := blockSize - len(ciphertext)%blockSize
    	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
    	return append(ciphertext, padtext...)
    }

    // PKCS7UnPadding strips the padding. The original indexed origData[length-1]
    // unchecked, which panics on empty input and slices out of range on a bad
    // final byte; the bounds checks below avoid that.
    func PKCS7UnPadding(origData []byte) ([]byte, error) {
    	length := len(origData)
    	if length == 0 {
    		return nil, errors.New("empty input")
    	}
    	unpadding := int(origData[length-1])
    	if unpadding == 0 || unpadding > length {
    		return nil, errors.New("invalid padding")
    	}
    	return origData[:(length - unpadding)], nil
    }

    // AesEncrypt is AES-CBC with PKCS#7 padding and no authentication tag;
    // unauthenticated CBC is padding-oracle prone, so real data should use an
    // AEAD mode such as AES-GCM instead.
    func AesEncrypt(plaintext []byte, key, iv []byte) ([]byte, error) {
    	block, err := aes.NewCipher(key)
    	if err != nil {
    		return nil, err
    	}
    	blockSize := block.BlockSize()
    	plaintext = PKCS7Padding(plaintext, blockSize)
    	blockMode := cipher.NewCBCEncrypter(block, iv)
    	crypted := make([]byte, len(plaintext))
    	blockMode.CryptBlocks(crypted, plaintext)
    	return crypted, nil
    }

    func AesDecrypt(ciphertext []byte, key, iv []byte) ([]byte, error) {
    	block, err := aes.NewCipher(key)
    	if err != nil {
    		return nil, err
    	}
    	blockSize := block.BlockSize()
    	if len(ciphertext)%blockSize != 0 {
    		return nil, errors.New("ciphertext is not a multiple of the block size")
    	}
    	blockMode := cipher.NewCBCDecrypter(block, iv[:blockSize])
    	origData := make([]byte, len(ciphertext))
    	blockMode.CryptBlocks(origData, ciphertext)
    	return PKCS7UnPadding(origData)
    }

    // testAes is the per-request work in the reproduction. The IV is the zeroed
    // prefix of c, so every call encrypts with the same IV: acceptable for a load
    // test, not for real data (CBC needs a fresh random IV per message).
    func testAes() {
    	key, _ := hex.DecodeString("6368616e676520746869732070617373")
    	plaintext := []byte("hello ming")

    	c := make([]byte, aes.BlockSize+len(plaintext))
    	iv := c[:aes.BlockSize]

    	ciphertext, err := AesEncrypt(plaintext, key, iv)
    	if err != nil {
    		panic(err)
    	}
    	fmt.Println(base64.StdEncoding.EncodeToString(ciphertext))

    	plaintext, err = AesDecrypt(ciphertext, key, iv)
    	if err != nil {
    		panic(err)
    	}
    	fmt.Println(string(plaintext))
    }

    const (
    	port = ":50051"
    )

    // server is used to implement helloworld.GreeterServer.
    type server struct {
    	pb.UnimplementedGreeterServer
    }

    // SayHello implements helloworld.GreeterServer
    func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
    	log.Printf("Received: %v", in.GetName())
    	testAes()
    	return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
    }

    func main() {
    	lis, err := net.Listen("tcp", port)
    	if err != nil {
    		log.Fatalf("failed to listen: %v", err)
    	}
    	s := grpc.NewServer()
    	pb.RegisterGreeterServer(s, &server{})
    	log.Printf("server listening at %v", lis.Addr())
    	if err := s.Serve(lis); err != nil {
    		log.Fatalf("failed to serve: %v", err)
    	}
    }


    Steps to reproduce the behavior:

    1. Run a simple gRPC server through ego, and do AES encryption in its handler.
    2. Use ghz to test the server: ghz -c 5000 -n 50000 --insecure --proto helloworld.proto --import-paths=/mnt/storage09/ego/samples/test/platform/vendor/googleapis,/mnt/storage09/ego/samples/test/platform/vendor/ --call helloworld.Greeter/SayHello -d '{"name":"xxx"}' 127.0.0.1:50051
    3. Repeat step 2 several times; the server gets stuck and the client times out.

    Expected behavior

    Additional info / screenshot

  • Lack of AIO library related implementation

    When I run ego-go to build something, the following errors occur:

    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::AioCb::cancel':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb6cancel17hbf37e4caf0e7d1a5E+0x8): undefined reference to `aio_cancel'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::AioCb::error':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb5error17hf891cc64bc4a258fE+0x6): undefined reference to `aio_error'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::AioCb::fsync':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb5fsync17h2170c97a55ede5a7E+0xb): undefined reference to `aio_fsync'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::AioCb::read':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb4read17h6ab20e9ec57ec7c4E+0xf): undefined reference to `aio_read'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::AioCb::aio_return':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb10aio_return17h02e5428ffd38d90dE+0xa): undefined reference to `aio_return'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::AioCb::write':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb5write17h1d0189666438a4cdE+0x6): undefined reference to `aio_write'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::aio_cancel_all':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio14aio_cancel_all17h131da5da30c298cdE+0x5): undefined reference to `aio_cancel'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::aio_suspend':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio11aio_suspend17h6a76657106d21cfeE+0x14): undefined reference to `aio_suspend'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::LioCb::listio':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb6listio17hf4f7f0e84d530c21E+0xeb): undefined reference to `lio_listio'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::LioCb::listio_resubmit':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x100): undefined reference to `aio_error'
    /usr/local/bin/ld: nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x155): undefined reference to `aio_return'
    /usr/local/bin/ld: nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x19d): undefined reference to `aio_error'
    /usr/local/bin/ld: nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x242): undefined reference to `lio_listio'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::LioCb::aio_return':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb10aio_return17h184cf383cae18f5dE+0x39): undefined reference to `aio_return'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function `nix::sys::aio::LioCb::error':
    nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb5error17hd159a6dccbce33bfE+0x33): undefined reference to `aio_error'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_open':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue7mq_open17he7df94924c300521E+0xd): undefined reference to `mq_open'
    /usr/local/bin/ld: nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue7mq_open17he7df94924c300521E+0x1e): undefined reference to `mq_open'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_unlink':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue9mq_unlink17hc705c9ffc9c0f4afE+0x6): undefined reference to `mq_unlink'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_close':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue8mq_close17h7d761cdb4c0b3a15E+0x3): undefined reference to `mq_close'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_receive':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue10mq_receive17h5fe711652e61d632E+0x3): undefined reference to `mq_receive'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_send':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue7mq_send17hf3e8ba66fdb6c7f6E+0x3): undefined reference to `mq_send'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_getattr':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue10mq_getattr17h387ecd7c907a9f4aE+0x11): undefined reference to `mq_getattr'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_setattr':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue10mq_setattr17h7efc98b84d060136E+0x15): undefined reference to `mq_setattr'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_set_nonblock':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue15mq_set_nonblock17h03a5cf5a318e775cE+0x17): undefined reference to `mq_getattr'
    /usr/local/bin/ld: nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue15mq_set_nonblock17h03a5cf5a318e775cE+0x4b): undefined reference to `mq_setattr'
    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function `nix::mqueue::mq_remove_nonblock':
    nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue18mq_remove_nonblock17hd97691f08d4c3b46E+0x17): undefined reference to `mq_getattr'
    /usr/local/bin/ld: nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue18mq_remove_nonblock17hd97691f08d4c3b46E+0x4b): undefined reference to `mq_setattr'
    collect2: error: ld returned 1 exit status

    Does ego not implement AIO-related functions, or is it difficult to implement?

  • Enclave not authorized to run

    Hello all,

    I ran the helloworld sample fine in sim mode, but it failed when running in an enclave. The error says

    '[erthost] loading enclave ... [error_driver2api sgx_enclave_common.cpp:273] Enclave not authorized to run, .e.g. provisioning enclave hosted in app without access rights to /dev/sgx_provision. You need add the user id to group sgx_prv or run the app as root. ERROR: enclave_load_data failed (addr=0xc0f6c000, prot=0x1, err=0x6) (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/host/sgx/sgxload.c:oe_sgx_load_enclave_data:695] ERROR: oe_create_enclave failed. (Set OE_SIMULATION=1 for simulation mode.) [src/tools/erthost/erthost.cpp:main:265] ' I have tried as root; it did not help.

    I use ego 0.41, Ubuntu 20.04 with kernel version 5.13.0-30-generic and sgx driver 2.11.

  • Remote attestation fails

    Issue description

    I have set up a self-hosted PCCS according to the instructions provided in EGo docs (https://docs.edgeless.systems/ego/#/reference/attest), I try to launch the example of remote attestation (https://github.com/edgelesssys/ego/tree/master/samples/remote_attestation). When launching the server I get the following output:

    EGo v1.0.0 (f1255317ec583ed72947f65d83881a0e46ad1ed8)
    [erthost] loading enclave ...
    [erthost] entering enclave ...
    [ego] starting application ...
    [get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011
    ERROR: quote3_error_t=SGX_QL_NO_PLATFORM_CERT_DATA
     (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:706]
    ERROR: SGX Plugin _get_report(): failed to get ecdsa report. OE_PLATFORM_ERROR (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/enclave/sgx/attester.c:_get_report:324]
    OE_PLATFORM_ERROR
    listening ...
    
  • cgo links host libc

    OE won't load a binary I'm trying to build with ego, because it contains R_X86_64_IRELATIV

    It's a relocation caused by calling any GLIBC stdio function. But according to https://github.com/openenclave/openenclave/issues/4469 glibc isn't even supposed to be involved in the build process.

    Since ego just calls cgo, cgo will call gcc, which usually links the host libc. Was I supposed to use CC=musl-gcc to avoid this?

  • Dockerfile parse error: ARG requires exactly one argument

    Hey, I am trying to set up a Docker image and faced an issue when I ran the build commands for the Docker images. My system information is

      Operating System: Debian GNU/Linux 9 (stretch)
                Kernel: Linux 5.13.9.rsk.1-amd64
          Architecture: x86-64
    

    Docker version is as follows

    Client: Docker Engine - Community
     Version:           19.03.15
     API version:       1.40
     Go version:        go1.13.15
     Built:             Sat Jan 30 03:17:11 2021
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server: Docker Engine - Community
     Engine:
      Version:          19.03.15
      API version:      1.40 (minimum version 1.12)
      Go version:       go1.13.15
      Built:            Sat Jan 30 03:15:40 2021
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.4.3
     runc:
      Version:          1.0.0-rc92
     docker-init:
      Version:          0.18.0
    

    When I run either of the following commands inside the dockerfiles folder, DOCKER_BUILDKIT=1 docker build -o. - < Dockerfile.build or DOCKER_BUILDKIT=1 docker build --build-arg egotag=master --build-arg erttag=master -o. - < Dockerfile.build, I encounter the following error (screenshot).

    This is what line 16 of Dockerfile.build looks like (screenshot).

    Any recommended fix?

  • Remote attestation fails - Error: SGX_QL_ERROR_INVALID_PRIVILEGE

    Issue description

    Followed the tutorial to get the TLS attestation sample working. Local machine deployment not cloud. Have PCCS running, docker logs output:

    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..................................................................+++++
    ..............................+++++
    e is 65537 (0x010001)
    Signature ok
    subject=CN = localhost
    Getting Private key
    Wed, 03 Aug 2022 12:49:45 GMT morgan deprecated default format: use combined format at node_modules/esm/esm.js:1:278827
    2022-08-03 12:49:46.871 [info]: DB Migration (Ver.0 -> 1) -- Start
    2022-08-03 12:49:46.879 [info]: DB Migration -- Done.
    2022-08-03 12:49:46.935 [info]: DB Migration (Ver.1 -> 2) -- Start
    2022-08-03 12:49:46.948 [info]: DB Migration -- Done.
    2022-08-03 12:49:47.043 [info]: HTTPS Server is running on: https://localhost:8081
    2022-08-03 13:04:36.004 [info]: Client Request-ID : 07a4756340594e0ab7c84bca10d56f79
    2022-08-03 13:04:36.006 [info]: 172.17.0.1 - - [03/Aug/2022:13:04:36 +0000] "GET /sgx/certification/v3/rootcacrl HTTP/1.1" 200 586 "-" "curl/7.58.0"
    

    As you can see, I also tried to curl the root CA, which worked.

    Error I am seeing is:

    EGo v1.0.0 (f1255317ec583ed72947f65d83881a0e46ad1ed8)
    [erthost] loading enclave ...
    [erthost] entering enclave ...
    [ego] starting application ...
    [load_qe ../qe_logic.cpp:642] Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004.
    ERROR: quote3_error_t=SGX_QL_ERROR_INVALID_PRIVILEGE
     (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:706]
    ERROR: SGX Plugin _get_report(): failed to get ecdsa report. OE_PLATFORM_ERROR (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/enclave/sgx/attester.c:_get_report:324]
    panic: OE_PLATFORM_ERROR
    
    goroutine 1 [running]:
    main.main()
    	/root/golang/ego/samples/attested_tls/server.go:14 +0x192
    

    I have seen the earlier issue https://github.com/edgelesssys/ego/issues/158 but as the error is a different one I don't think it is about a BIOS update.

  • Remote attestation over TLS format

    https://github.com/edgelesssys/ego/blob/3d9a417efb206230a78490fc9773465480c92b9a/samples/remote_attestation/ra_client/client.go#L37-L56

    AFAICT, currently the ego library (or at least, the RA example) relies on exposing additional HTTP endpoints on the same server to serve the self-signed cert and a report that binds that to a verifiable SGX quote, and then requires the client to establish a new connection to the server using that (now verified) certificate. This only works if the server is reachable again over a separate connection by the same client (either because there is a single instance of it, or because of some session stickiness, though that would have to be at the TCP level since load balancers would not have any other information).

    Have you considered instead to embed the quote in an extension of the same TLS cert that is used for the "real" connection, so that a client may verify that contextually to establishing the connection?

    cc @ipetr0v @anghelcovici @dreemkiller
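    The client-side check the sample flow above relies on (fetch the certificate and the report, verify the report, confirm its user data is the hash of that certificate, then enforce the enclave policy), as an added example that is not part of this thread or of EGo's own code. Report, Policy, bindCert, verifyBinding and selfSignedCert are hypothetical names; Report stands in for the verified report an attestation library returns after checking the quote signature, which is assumed done; the product ID 1234 and the 0xAB signer ID are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Report is a constructed stand-in for the verified attestation report an
// attestation library returns once the quote's signature chain is checked.
type Report struct {
	Data            []byte // enclave-chosen user data (64 bytes in SGX reports)
	SecurityVersion uint   // ISVSVN
	Debug           bool   // enclave was loaded in debug mode
	SignerID        []byte // MRSIGNER
	ProductID       []byte // ISVPRODID, little-endian, zero padded
}

// Policy is what the client expects of the enclave it is about to talk to.
type Policy struct {
	SignerID      []byte
	ProductID     uint16
	MinSecVersion uint
}

// bindCert builds the user data the enclave puts into its report: the SHA-256
// of the DER certificate it will present on the real TLS connection.
func bindCert(certDER []byte) []byte {
	h := sha256.Sum256(certDER)
	data := make([]byte, 64)
	copy(data, h[:])
	return data
}

// verifyBinding checks that the report vouches for exactly this certificate
// and that the enclave satisfies the policy: a wrong hash would let the report
// vouch for someone else's cert, a debug enclave is readable by the host, a
// low SVN may be a vulnerable build, a wrong signer/product is another enclave.
func verifyBinding(r Report, certDER []byte, p Policy) error {
	if _, err := x509.ParseCertificate(certDER); err != nil {
		return fmt.Errorf("certificate does not parse: %w", err)
	}
	h := sha256.Sum256(certDER)
	if len(r.Data) < len(h) || !bytes.Equal(r.Data[:len(h)], h[:]) {
		return errors.New("report data does not match the certificate hash")
	}
	if r.Debug {
		return errors.New("enclave is a debug build")
	}
	if r.SecurityVersion < p.MinSecVersion {
		return fmt.Errorf("security version %d below required %d", r.SecurityVersion, p.MinSecVersion)
	}
	if len(r.ProductID) < 2 || binary.LittleEndian.Uint16(r.ProductID) != p.ProductID {
		return errors.New("unexpected product ID")
	}
	if !bytes.Equal(r.SignerID, p.SignerID) {
		return errors.New("unexpected signer ID")
	}
	return nil
}

// selfSignedCert stands in for the certificate an enclave server generates at
// startup (constructed here with an ephemeral P-256 key).
func selfSignedCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "enclave-server"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	signer := bytes.Repeat([]byte{0xAB}, 32) // constructed; pin the vendor's MRSIGNER in practice
	pid := make([]byte, 16)
	binary.LittleEndian.PutUint16(pid, 1234)
	policy := Policy{SignerID: signer, ProductID: 1234, MinSecVersion: 2}
	report := Report{Data: bindCert(der), SecurityVersion: 2, SignerID: signer, ProductID: pid}
	fmt.Println("genuine cert:", verifyBinding(report, der, policy))
	other, _ := selfSignedCert()
	fmt.Println("swapped cert:", verifyBinding(report, other, policy))
}
```

    Once verifyBinding passes, the only trust anchor for the follow-up connection should be that DER certificate itself (as the sole entry in the tls.Config RootCAs pool), which is what makes the second connection safe against a substituted endpoint.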

  • Cannot run `ego sign`

    Issue description

    I get lots of errors when running ego sign.

    To reproduce

    Steps to reproduce the behavior:

    first run ego-go build and get myprogramme

    then $ ego sign myprogramme

    and get errors

    EGo v0.5.0 (55bad14bb8d00dbae2000a8d603f9b588bb79451)
    /opt/ego/bin/ego-oesign ERROR: oe_sgx_build_enclave(): result=OE_FAILURE (0x1)
    2022-09-22T09:32:34+0000.652640Z [(H)ERROR] tid(0x7f3727832b80) | Unsupported elf relocation type 5
     (oe_result_t=OE_UNSUPPORTED_ENCLAVE_IMAGE) [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/elf.c:_elf64_load_relocations:1920]
    2022-09-22T09:32:34+0000.652660Z [(H)ERROR] tid(0x7f3727832b80) | :OE_UNSUPPORTED_ENCLAVE_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/elf.c:elf64_load_relocations:1957]
    2022-09-22T09:32:34+0000.652662Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/loadelf.c:_load_elf_image:447]
    2022-09-22T09:32:34+0000.652853Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/loadelf.c:_load_dependent_image:1450]
    2022-09-22T09:32:34+0000.652855Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/loadelf.c:oe_load_elf_enclave_image:1496]
    2022-09-22T09:32:34+0000.653125Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/load.c:oe_load_enclave_image:66]
    2022-09-22T09:32:34+0000.653128Z [(H)ERROR] tid(0x7f3727832b80) | :OE_FAILURE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/create.c:oe_sgx_build_enclave:909]
    

    Additional info

    my ego dependency in go.mod:

    go 1.18
    
    require (
    	github.com/edgelesssys/ego v0.5.0
    	// ...
    )
    

    Could you please help me take a look at this? Thanks!

  • ego built program does not scale well on multi-cores server

    Issue description

    Build a program with ego, run it and bind it to 28 CPU cores. It does not scale well on multi-core: it only scales to 3 cores with 50%-60% CPU usage on each, and the other cores are idle. Built with native Go, it scales well to all 28 cores, and the load on each CPU is almost the same. Client requests are sufficient and the same for both scenarios.

    To reproduce

    Steps to reproduce the behavior:

    1. Composed a Go program acting as an HTTP server, mainly using the golang crypto package (ecdsa, elliptic, x509 etc.), exposing an interface which generates ECDSA keys and does some encoding/decoding.
    2. Use ego to build/sign the program: http-server
    3. Boot command: numactl -C 0-27 ego run http-server
    4. Use the testing tool ab to send enough requests

    Expected behavior

    The ego program http-server should scale to 28 cores

    Additional info / screenshot

    (screenshot)

  • Support for library enclave

    Typically, enclaves are built as trusted libraries that are then loaded by the untrusted application at runtime. Does ego support such interfacing? It appears that the current version can only run a trusted application binary in the enclave directly. I understand that one can use sockets to establish a connection between applications, but that comes with some security concerns.

    Awesome project! Thank you!

  • Signal trap not working

    package main

    import (
    	"fmt"
    	"os"
    	"os/signal"
    	"syscall"
    )

    func main() {
    	c := make(chan os.Signal, 2)
    	signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
    	s := <-c // blocks until SIGINT or SIGTERM arrives

    	fmt.Printf("Trapped signal: %v", s)
    }


    Signal trapping is not working. Without it, we cannot implement graceful shutdown. Are there any recommendations?

  • Get{Product|Unique}SealKey does not use KeyID

    When sealing data, ego first uses oe_get_seal_key_by_policy to get the product or unique seal key, then uses a standard Go implementation of AES-GCM to encrypt the data.

    However, after a deeper dive into the OpenEnclave project, I found that oe_get_seal_key_by_policy has a flaw: it does not populate the KeyID field when calling EGETKEY. And the function is not recommended (although not deprecated). The new recommended way of sealing is oe_seal/oe_unseal, which does populate KeyID. See the discussion here: https://github.com/openenclave/openenclave/issues/4665

    IMO, possible solutions would be either

    • persuade OE this function indeed has a use case,
    • and push OE an update to fix the flaw in oe_get_seal_key_by_policy,

    or

    • abandon oe_get_seal_key_by_policy,
    • deprecate SealKey related functions in ego/enclave,
    • and use oe_seal/oe_unseal in the ego/ecrypto package (is the sealed blob format compatible?)

  • Help understanding of EGO

    Thanks for the great product. I would appreciate it if anyone could verify whether my understanding of EGo's DCAP-based attestation is correct or wrong.

    I understand that EGo uses DCAP-based attestation rather than EPID. And EGo depends on Open Enclave regarding the details of Quoting Enclave.

    However, one thing that does not add up is that the remote attestation sample generates a report before the quote is generated and signed by the Provisioning Certification Enclave (PCE).

    1. My understanding of DCAP was that the quote will be generated and signed by the PCE, which will then become a report. Could you please help me understand this?

    2. Also, where in the code does EGo call the OE APIs regarding QE operations? I don't see any submodule or anything that uses OE. Can you point me to the file/repo?

    3. Again, in the remote attestation sample, how does the client retrieve the TCB information when verifying the cached attestation collateral from PCCS using the Azure Quote Provider? In other words, how does the client know which attestation collateral to retrieve? The server never sends this information to help the client verify.

  • Would you plan to provide a safe file system?

    Use case

    My processes in the enclave can r/w directly to the file system and all operations are automatically protected by ego. Meanwhile, all files are encrypted.

    Describe your solution

    Encrypt all file I/O using the internal unique key of the enclave.

    Additional context

    Nothing.

  • ego run remote-attestation error

    I've installed ego using the release binary and run helloworld successfully. But I got an error while running the remote-attestation and attestation-tls examples (screenshot). Please help me to solve this problem. Thanks

  • Can ego run dl workload in enclave using https://github.com/sugarme/gotch?

    Issue description

    When I try to run ML or DL using gotch (Go binding for the PyTorch C++ API), ego sign goes wrong, e.g. symbol not found.

    ldd gotchTest
            linux-vdso.so.1 (0x00007fff719fb000)
            libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fac7fb4c000)
            libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fac7f96b000)
            libc10.so => /usr/local/lib/libtorch/lib/libc10.so (0x00007fac7f8e8000)
            libtorch_cpu.so => /usr/local/lib/libtorch/lib/libtorch_cpu.so (0x00007fac68733000)
            libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fac685e4000)
            libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fac685c7000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fac683d5000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fac8010e000)
            libgomp-52f2fd74.so.1 => /usr/local/lib/libtorch/lib/libgomp-52f2fd74.so.1 (0x00007fac681a2000)
            librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fac68197000)
            libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fac68191000)
    

    Cgo may cause this. Is there a simple way to solve this problem?
