On my system, debug enclaves don't seem to work. I get:
```
# ./attestation-tool
Testing DCAP (ECDSA) attestation
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Create(Io(Os { code: 5, kind: Uncategorized, message: "Input/output error" }))
failed to load report enclave', src/ecdsa.rs:213:51
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```
Also:
```
# ./sgx-detect --verbose
Detecting SGX, this may take a minute...
✔ SGX instruction set
✔ CPU support
✔ CPU configuration
✔ Enclave attributes
✔ Enclave Page Cache
SGX features
✔ SGX2 ✔ EXINFO ✘ ENCLV ✘ OVERSUB ✔ KSS
Total EPC size: 1006.0MiB (no integrity protection)
✔ Flexible launch control
✔ CPU support
✔ CPU configuration
✔ Able to launch production mode enclave
✘ SGX system software
✔ SGX kernel device (/dev/sgx_enclave)
✔ libsgx_enclave_common
✔ AESM service
✘ Able to launch enclaves
✘ Debug mode
✔ Production mode
🕮 SGX system software > Able to launch enclaves > Debug mode
The enclave could not be launched.
debug: failed to load report enclave
debug: cause: Failed to call ECREATE.
debug: cause: I/O ctl failed.
debug: cause: Input/output error (os error 5)
More information: https://edp.fortanix.com/docs/installation/help/#run-enclave-debug
```
But the production enclaves (e.g. Sapphire) work fine. I think it would make sense to test whether the production enclave can be spun up and not the debug ones. We are removing sgx-detect from our docs in favor of attestation-tool, since there are no official binaries available and you need to install the whole Rust tooling to build it. It would be nice if this really worked on all systems.