attestation keys & xxd, somethings wrong.. #1397

nmwael · 2023-06-16T06:06:01Z

nmwael
Jun 16, 2023

This is not working, to unlock my encrypted filesystem, what did I forget?
echo "4E50472AFE29DC83571313539AC19F65" | xxd -r -p > /dev/attestation/keys/mykey

Answered by dimakuv

Jun 16, 2023

@nmwael I'm assuming you're running this command inside Gramine.

This is unfortunately wrong, because the xxd command will run in its own Gramine enclave (I think echo is a built-in command in shell, so it won't run in its own Gramine enclave).

So basically you have the following:

Gramine enclave 1 -- runs your sh (shell, which is probably Bash or Dash) program. It runs echo built-in command and then spawns a child enclave because xxd is a separate executable.
Gramine enclave 2 -- runs xxd. Receives the key string from the parent enclave and stores this key under /dev/attestation/keys/mykey.

The problem here is that /dev/attestation/keys/ is not propagated from children to parent (only …

View full answer

dimakuv · 2023-06-16T06:42:07Z

dimakuv
Jun 16, 2023

@nmwael I'm assuming you're running this command inside Gramine.

This is unfortunately wrong, because the xxd command will run in its own Gramine enclave (I think echo is a built-in command in shell, so it won't run in its own Gramine enclave).

So basically you have the following:

Gramine enclave 1 -- runs your sh (shell, which is probably Bash or Dash) program. It runs echo built-in command and then spawns a child enclave because xxd is a separate executable.
Gramine enclave 2 -- runs xxd. Receives the key string from the parent enclave and stores this key under /dev/attestation/keys/mykey.

The problem here is that /dev/attestation/keys/ is not propagated from children to parent (only the other way around). So your parent enclave (the shell) won't ever see the child-created key.

Solution: you shouldn't use xxd command but rather use some built-in way to put a raw key bytes directly into the file... Unfortunately, I don't know of any such way in shell (echo -e and printf are separate executables, afaik). The best would be to switch to e.g. Python as your script wrapper. The best-best solution would be to write your wrapper in C or Rust.

1 reply

dimakuv Jun 16, 2023

The problem here is that /dev/attestation/keys/ is not propagated from children to parent (only the other way around). So your parent enclave (the shell) won't ever see the child-created key.

Just to be clear: this is a limitation in Gramine. Ideally, this shouldn't be a problem, and Gramine should synchronize files in children and in parent... But this is currently a low-priority (and very complex) task for us, so we are suggesting workarounds for this, knowing that in the near future we won't have time to solve it in Gramine.

nmwael · 2023-06-16T09:00:19Z

nmwael
Jun 16, 2023
Author

Thanks again Dimitry for this great explanation. It makes sense, and I've also encountered the limitation with tmpfs.

If that limitation would be "fixed", it would decrease the complexity and learning curve of gramine a lot.

Again thanks a lot to you and the gramine team for being so supportive.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

attestation keys & xxd, somethings wrong.. #1397

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

attestation keys & xxd, somethings wrong.. #1397

nmwael Jun 16, 2023

Replies: 2 comments · 1 reply

dimakuv Jun 16, 2023

dimakuv Jun 16, 2023

nmwael Jun 16, 2023 Author

nmwael
Jun 16, 2023

Replies: 2 comments 1 reply

dimakuv
Jun 16, 2023

nmwael
Jun 16, 2023
Author