Unable to read encrypted files after a kernel upgrade. #1504
Comments
The reason might be the
@kvinwang Thanks for the report! Pls see my comments below.
I saw in the corresponding discussion - "Some of the machine have a linux kernel update during the reboot, some haven't.", so this seems to happen for reboots even w/o kernel updates. Then why would CPUSVN change if it's a plain/normal reboot (w/o kernel update)? Can we first make sure that it's the change of the CPUSVN that caused your reported issue. In your reproduction test, the printed SGX sealing keys were directly from EGETKEY (w/ CPUSVN hardcoded), instead would you pls show the keys that Gramine actually used for encrypted fs by reading them from
Yes, this is doable where we could extend gramine/common/src/protected_files/protected_files_format.h (lines 31 to 37 in 9ef75eb) with a key_request for getting SGX sealing keys.
This is a duplicate of #855. Please see there, we have lots of discussions in that thread. So, I think we have three users (user bases) that hit this problem of CPUSVN. I will raise this issue in one of the Gramine meetings, and I'll probably write a PoC, so that we at least have something concrete to discuss.
We finally confirmed that all our cases were due to an intel-microcode update which further changed the CPUSVN. As this issue is a duplicate of #855, let's close this one and continue there.
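The thread above traces the failure to a CPUSVN change and proposes recording the key_request in the protected-files header so the original sealing key can be re-derived. The following is an added illustration of that mechanism, not Gramine code and not the real EGETKEY instruction: the hardware key derivation is stood in for by an HMAC over the key-request fields with a constructed per-CPU root secret, the encryption is a toy stream cipher with a MAC, and all function names (`egetkey_model`, `seal`, `unseal_naive`, `unseal_with_key_request`, `demo`) are hypothetical. It shows why re-deriving the key from the current CPUSVN fails after a microcode update, and why deriving it from the CPUSVN stored at seal time still works, since EGETKEY will return keys for a CPUSVN that is older than the platform's current one.

```python
"""Model of why a CPUSVN bump breaks sealed data and how a stored key_request fixes it.

Added illustration, not Gramine code. EGETKEY is modelled with an HMAC;
the cipher is a toy keystream XOR plus MAC. Do not reuse as crypto.
"""
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the per-CPU root secret only the processor knows.
_CPU_ROOT_SECRET = b"constructed-root-secret-not-a-real-key"


def egetkey_model(req_cpusvn: bytes, platform_cpusvn: bytes, isv_svn: int, key_id: bytes) -> bytes:
    """Hypothetical stand-in for EGETKEY seal-key derivation.

    Like the instruction, it derives the key for the CPUSVN named in the
    key request and refuses a request for a CPUSVN newer than the platform's.
    Real CPUSVN comparison is component-wise; plain byte order is used here.
    """
    if len(req_cpusvn) != 16 or len(platform_cpusvn) != 16:
        raise ValueError("CPUSVN is 16 bytes")
    if req_cpusvn > platform_cpusvn:
        raise PermissionError("requested CPUSVN is newer than the platform's")
    msg = req_cpusvn + struct.pack("<H", isv_svn) + key_id
    return hmac.new(_CPU_ROOT_SECRET, msg, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<Q", ctr)).digest()
        ctr += 1
    return out[:n]


def seal(plaintext: bytes, platform_cpusvn: bytes, isv_svn: int = 1) -> bytes:
    """Encrypt and MAC the data, prepending the key request used to derive the key."""
    key_id = os.urandom(16)
    key = egetkey_model(platform_cpusvn, platform_cpusvn, isv_svn, key_id)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    key_request = platform_cpusvn + struct.pack("<H", isv_svn) + key_id  # 34-byte header
    return key_request + tag + ct


def _parse(blob: bytes):
    cpusvn, isv_svn = blob[:16], struct.unpack("<H", blob[16:18])[0]
    key_id, tag, ct = blob[18:34], blob[34:66], blob[66:]
    return cpusvn, isv_svn, key_id, tag, ct


def _open_with_key(key: bytes, tag: bytes, ct: bytes) -> bytes:
    # A wrong key shows up as a MAC mismatch, surfacing as a permission error.
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise PermissionError("Permission Denied: MAC mismatch, wrong sealing key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def unseal_naive(blob: bytes, platform_cpusvn: bytes) -> bytes:
    """Derive the key from the *current* CPUSVN, ignoring the one stored in the blob."""
    _, isv_svn, key_id, tag, ct = _parse(blob)
    key = egetkey_model(platform_cpusvn, platform_cpusvn, isv_svn, key_id)
    return _open_with_key(key, tag, ct)


def unseal_with_key_request(blob: bytes, platform_cpusvn: bytes) -> bytes:
    """Derive the key from the CPUSVN recorded at seal time (the proposed fix)."""
    cpusvn, isv_svn, key_id, tag, ct = _parse(blob)
    key = egetkey_model(cpusvn, platform_cpusvn, isv_svn, key_id)
    return _open_with_key(key, tag, ct)


def demo():
    """Seal before a microcode update, then unseal after the CPUSVN bump."""
    old_svn = bytes([5] + [0] * 15)
    new_svn = bytes([6] + [0] * 15)  # constructed: microcode update bumped the CPUSVN
    blob = seal(b"secret file contents", old_svn)
    try:
        unseal_naive(blob, new_svn)
        naive_ok = True
    except PermissionError:
        naive_ok = False
    fixed = unseal_with_key_request(blob, new_svn)
    return naive_ok, fixed


if __name__ == "__main__":
    print(demo())  # (False, b'secret file contents')
```

The naive path is what a hardcoded or current-CPUSVN key request does: after the bump the MAC check fails and the read is denied. The header-based path re-requests the key for the older CPUSVN, which the model (and the hardware) still permits; only a platform whose CPUSVN is lower than the recorded one is refused.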
Description of the problem
Gramine encrypted files cannot be opened after a kernel upgrade.
I originally posted this issue as a discussion thread #1503. However, after digging further, I believe it is worth opening an issue here.
Steps to reproduce
git clone https://github.com/kvinwang/gramine-encrypted-files-demo && cd gramine-encrypted-files-demo
make SGX=1
./run.sh
It would show the following logs:
Run ./run.sh again. It now shows the same egetkey result but fails to read the encrypted files, as below:
Expected results
Encrypted files should be read successfully.
Actual results
Permission Denied
Gramine commit hash
ede508c