Error only for the openjdk demo: "Enclave creation IOCTL failed with Input/output error (EIO)." #100
Comments
There are, see: examples/openjdk/java.manifest.template Lines 27 to 28 in ceba8e9
And
So, I'm closing this issue, because everything works as expected, but feel free to ask any more questions (related to this problem) if you have any. // btw. thank you for taking time to report this in a clear and high-quality way, I appreciate :)
@mkow Thanks for pointing this out. In the docs, I found "sgx.insecure__allow_memfaults_without_exinfo" (https://gramine.readthedocs.io/en/latest/manifest-syntax.html#sgx-exinfo, discussed here: gramineproject/gramine#1744), for which a note says that it "is provided only to allow debugging/testing on old CPUs that do not support the EXINFO feature". This is exactly my situation, since I just want to quickly try out Java with SGX before getting suitable hardware. Therefore, I replaced sgx.use_exinfo with sgx.insecure__allow_memfaults_without_exinfo. Now, the enclave is built and the pages are added, but after that everything freezes and the program is killed (probably a memory issue). Am I therefore right to assume that sgx.insecure__allow_memfaults_without_exinfo cannot solve/cover the missing EXINFO support in the case of Java applications (with the trade-off of reduced security) and that you can definitely only run Java applications with a correctly supported sgx.use_exinfo? Or is there another workaround to test a small Java application with a CPU that does not support EXINFO?
Yeah, it doesn't have "require" in the name because of a slightly different semantics -
Ah, then it's ok to use it, just ensure you won't accidentally ship something with this configuration to production.
It's probably running out of memory, Java likes to preallocate gigabytes of memory relying on lazy allocation, which isn't supported yet by Gramine. Lazy allocation requires EDMM support which your CPU doesn't have and gramineproject/gramine#1513, which is currently blocked on bugs in the SGX Linux driver. Without that you'll need to have enough RAM+swap to store the whole preallocated buffer. Also, remember that even if you free some RAM/add swap it will be quite slow. You only have 93 MB of EPC, which means a lot of swapping to non-SGX RAM (this isn't an issue on newer server CPUs which practically don't have a limit on EPC size).
No, as far as I remember it should work. I think you just don't have enough RAM+swap (see above).
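One way to act on the advice above about not shipping this configuration to production, as an added example that is not part of the thread or of Gramine's own tooling: a check that parses a rendered manifest (TOML) and lists every enabled option whose key has an `insecure__` component. The two sample manifests, the function names and the `enclave_size` value are constructed for illustration.

```python
import sys

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # same API, for older interpreters

PREFIX = "insecure__"

# Constructed sample: a test manifest using the workaround from this thread.
TEST_MANIFEST = """
loader.insecure__use_cmdline_argv = true

[sgx]
enclave_size = "16G"
insecure__allow_memfaults_without_exinfo = true
"""

# Constructed sample: the same settings as they should look for production.
PROD_MANIFEST = """
[sgx]
enclave_size = "16G"
use_exinfo = true
insecure__allow_memfaults_without_exinfo = false
"""

def leaves(node, path=()):
    """Yield (key_path, value) for every leaf of a parsed TOML document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, path + (key,))
    else:
        yield path, node

def insecure_options(manifest_text):
    """Return the dotted keys of enabled options with an insecure__ component."""
    doc = tomllib.loads(manifest_text)
    return sorted(
        ".".join(path)
        for path, value in leaves(doc)
        if value and any(part.startswith(PREFIX) for part in path)
    )

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else TEST_MANIFEST
    hits = insecure_options(text)
    for key in hits:
        print(f"insecure option enabled: {key}")
    sys.exit(1 if hits else 0)
```

Run against the rendered manifest in a release pipeline, the non-zero exit status blocks a build that still carries a debugging-only option.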
Description of the problem
I have set up SGX and Gramine, and tested several examples/demos like:
All of them have worked. Then, I wanted to test the Java example (https://github.com/gramineproject/examples/tree/master/openjdk), but this always fails with an IO error when creating the enclave (see below).
It is definitely linked with SGX, because when executing it without SGX, it works as expected.
I will outline what I already did (/installed) and what the context looks like below, but since the other SGX demos work, it surprises me that the simple Java one does not.
Nevertheless, I assume it is my fault and a setting is wrong. Therefore, I hope that you can lead me to the problem source.
Steps to reproduce
Or rather my setup (you might not be able to reproduce it):
Platform:
(Therefore, I should have the in-built SGX driver and do not need to install one myself, right?)
SGX support (SDK and PSW installed):
Important SGX files existing (not sure if also /dev/sgx_vepc must be present?):
Installed DCAP:
Gramine installed:
The make step for the Java example works:
In the error message, it is said that my manifest requires CPU features (e.g. sgx.require_avx512) that are not available on this platform. However, no special CPU features are required for this demo, right? Therefore, this should not break anything:
Expected results
Terminal output:
Actual results
Terminal output:
Gramine Examples commit hash
ceba8e9