Azure SGX VM Attestation Problem

Joey 150 Reputation points
2024-12-11T09:40:55.7866667+00:00

I have prepared an Azure SGX VM and want to conduct attestation with MAA (Microsoft Azure Attestation) according to Azure samples based on these two sources:

https://github.com/Azure-Samples/microsoft-azure-attestation/tree/master/sgx.attest.sample.intel.sdk and

https://github.com/openenclave/openenclave/blob/v0.9.x/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md .

Both the usage of Intel SDK and the OpenEnclave SDK require the installation of an Intel SGX DCAP Driver.

The following steps are necessary according to the repository:

echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
echo "deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main" | sudo tee /etc/apt/sources.list.d/msprod.list
wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -

sudo apt -y update
sudo apt install -y dkms
wget https://download.01.org/intel-sgx/sgx-dcap/1.16/linux/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.41.bin -O sgx_linux_x64_driver.bin
sudo chmod a+x sgx_linux_x64_driver.bin
sudo ./sgx_linux_x64_driver.bin


However, when I execute "sudo ./sgx_linux_x64_driver.bin", it asks me to configure a password for the third-party drivers; here is the "SGX Driver" downloaded.

image.png

Below is the output of "sudo ./sgx_linux_x64_driver.bin" after configuring the password.

azureuser@SgxVm01:~$ sudo ./sgx_linux_x64_driver.bin
Unpacking Intel SGX Driver ... done.
Verifying the integrity of the install package ... done.
Installing Intel SGX Driver ...
/tmp/sgx-driver-Q4rJ6I ~
install -d /opt/intel/sgxdriver/package
install -d /opt/intel/sgxdriver/scripts
cp -r package/* /opt/intel/sgxdriver/package
install scripts/* /opt/intel/sgxdriver/scripts
~

Creating symlink /var/lib/dkms/sgx/1.41/source ->
                 /usr/src/sgx-1.41

DKMS: add completed.

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
'make' KDIR=/lib/modules/5.4.0-1138-azure/build....
Signing module:
 - /var/lib/dkms/sgx/1.41/5.4.0-1138-azure/x86_64/module/intel_sgx.ko
cleaning build area...

DKMS: build completed.

intel_sgx:
Running module version sanity check.
 - Original module
 - Installation
   - Installing to /lib/modules/5.4.0-1138-azure/updates/dkms/

depmod.......

DKMS: install completed.
groupadd: group 'sgx_prv' already exists

You may need to run "/sbin/modprobe intel_sgx (--allow-unsupported)" or reboot system manually!

uninstall.sh script generated in "/opt/intel/sgxdriver".

azureuser@SgxVm01:~$

As the prompt image shows, I think I should reboot the machine and enter the password I set.

But I am in a cloud environment. How can I enter this password when the system reboots? After reboot, I found the system did pause at launch because I could not ssh to it quickly.

Besides, running "/sbin/modprobe intel_sgx (--allow-unsupported)" didn't help:

azureuser@SgxVm01:~$ /sbin/modprobe intel_sgx (--allow-unsupported)
-bash: syntax error near unexpected token `('
azureuser@SgxVm01:~$ sudo /sbin/modprobe intel_sgx (--allow-unsupported)
-bash: syntax error near unexpected token `('
azureuser@SgxVm01:~$ sudo /sbin/modprobe intel_sgx --allow-unsupported
/sbin/modprobe: unrecognized option '--allow-unsupported'

The system information:

Ubuntu Pro 18.04 LTS - x64 Gen2 #(selected at installation)

Linux SgxVm01 5.4.0-1138-azure #145~18.04.1-Ubuntu SMP Fri Aug 30 16:36:55 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Size: Standard_DC1s_v2

Is there anyone familiar with Azure SGX VM who can tell me what's going wrong? Any suggestions are much appreciated.
