Permission Denied when opening encrypted files with _sgx_enclave

[kvinwang]

Hey there,

We've built a graime based app which using encrypted files with key_name=_sgx_enclave. After deployment, many customer report that the app can not open the encrypted files with a Permission Denied error after a system reboot. Some of the machine have a linux kernel update during the reboot, some haven't.

I can reproduce the issue on Ubuntu 20.04 by writing the encrypted file in one verison of kernel and reboot to anthor version of kernel to read the file.

I also tried removing the mask bits as bellow, but didn't help, it still can not open a file saved by the app running on a different version kernel.

sgx.seal_key.flags_mask = "0x0000000000000000"
sgx.seal_key.xfrm_mask  = "0x0000000000000000"
sgx.seal_key.misc_mask  = "0x00000000"

So my question is:

• What kind of reasons are there would cause the file broken?
• Is there any solution for the issue?

more info

The configuration for the encrypted files we used is:

[[fs.mounts]]
path = "/protected_files"
uri = "file:protected_files"
type = "encrypted"
key_name = "_sgx_mrenclave"

The kernel versions I switched between are:

Linux version 5.15.0-71-generic (buildd@lcy02-amd64-111) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #78~20.04.1-Ubuntu SMP Wed Apr 19 11:26:48 UTC 2023
and
Linux version 5.15.0-79-generic (buildd@lcy02-amd64-014) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #86~20.04.2-Ubuntu SMP Mon Jul 17 23:27:17 UTC 2023

---

Update

I just tried to call the EGETKEY directly inside the workload, and found it never change between the two kernel version. So, I think this should be a Gramine issue.
The code I used to repoduce it is here.
Steps to reproduce:

1. Install Rust toolchain
2. git clone https://github.com/kvinwang/gramine-encrypted-files-demo && cd gramine-encrypted-files-demo
3. make SGX=1
4. ./run.sh
   It would show the following logs:
   
5. reboot the system and load another version of kernel
6. ./run.sh again
   It now show the same egetkey result but failed to read the encrypted files as below:
   

[kailun-qin]

@kvinwang Thanks for your question! I replied to the corresponding issue reported. Let's discuss further there.

[dimakuv]

The discussion was moved to #1504. I'm closing this one to avoid duplication.