PAL_ERROR_INVAL when using loader.env_src_file with GSC

[tiagorvmartins]

Hello, I am currently facing an error when launching an enclave using GSC using env_src_file.
I have enabled the debug mode and the only lines being shown are the following:

(host_main.c:562:initialize_enclave) debug: Added all pages to SGX enclave
(host_framework.c:515:init_enclave) debug: Enclave initializing:
(host_framework.c:516:init_enclave) debug:     enclave id:   0x00000001fffff000
(host_framework.c:517:init_enclave) debug:     mr_enclave:   3741f3b782906f57cc39f23d9322783c313219215329fccadf0e3b19d226ab57
(host_framework.c:520:init_enclave) debug:     isv_prod_id:  0
(host_framework.c:521:init_enclave) debug:     isv_svn:      0
(host_main.c:1043:load_enclave) debug: Using SGX attestation type "dcap"
(pal_main.c:550:pal_main) error: PAL failed Building the final environment based on the original environment and the manifest failed: Invalid argument (PAL_ERROR_INVAL)
(pal_process.c:248:_PalProcessExit) debug: PalProcessExit: Returning exit code 1

I am trying to feed some environment variables that will be used by the entrypoint of the base image.
I can't use an hardcoded loader.env in the manifest, because it depends on a external configuration that can't be hardcoded on the manifest.

My current entrypoint (last line in the base dockerfile):

ENTRYPOINT the_binary --the_env_var=${THE_ENV_VAR}

Then on the sgx manifest I have the following related pieces:

fs.mounts = [
{ path = "/mnt/app/argv", uri = "file:/mnt/app/argv" }
]

sgx.allowed_files = [
"file:/mnt/app/argv"
]

loader.env_src_file = "file:/mnt/app/argv"

Note: I have been explained before that using allowed_files and fs.mounts for the same path file, doesn't make sense, actually they are mutually exclusive (the statement was made here: #1575 (comment))

But the issue is that, I was getting Permission denied, for the mounted argv file that I am mounting from the host to the container when just using the fs.mounts.

Generation of the env argv file:

gramine-argv-serializer "the_binary" "THE_ENV_VAR" > /mnt/app/argv

This generates the file on the host, and when changing the entrypoint of my graminized to a simple bash, I can see that the file has been correctly mounted to the container.

For reference, I believe the error might be coming from one of this places (maybe):

gramine/pal/src/pal_main.c

Line 167 in 94fcedf

return -PAL_ERROR_INVAL;

gramine/pal/src/pal_main.c

Line 171 in 94fcedf

return -PAL_ERROR_INVAL;

gramine/pal/src/pal_main.c

Line 195 in 94fcedf

return -PAL_ERROR_INVAL;

What am I missing here?
Thank you in advance!

[dimakuv]

You are confusing command-line arguments (argv for short) and environment variables (envs or envp for short).

If you want to use environment variables, then you need to specify them as proper envvars:
gramine-argv-serializer "ENVVAR1=VALUE1" "ENVVAR2=VALUE2" > /mnt/app/envs

Is it confusing that the tool is called gramine-argv-serializer? This tool is used both for argv and for envs.

Note: I have been explained before that using allowed_files and fs.mounts for the same path file, doesn't make sense, actually they are mutually exclusive (the statement was made here: #1575 (comment))

That's not exactly correct. The statement was made for sgx.allowed_files and fs.mounts = { type="encrypted" }, i.e. the same paths for allowed files and encrypted files can not co-exist in the same manifest (it makes no sense to declare the files as both allowed and encrypted).

ENTRYPOINT the_binary --the_env_var=${THE_ENV_VAR}

But why? This is not environment variables, this is just a command-line argument that looks like an environment variable...

[tiagorvmartins]

Hello @dimakuv thank you for your reply,
The binary itself depends on other command-line arguments which are static and hard-coded on the base image, but there is another argument which depends from external config, that's why its using an environment variable as part of a command line argument.

So in reality its something along this:

ENTRYPOINT the_binary --enabled=true --datadir=hardcoded_data_dir --verbosity=info --another_arg_depending_on_env_var=${THE_ENV_VAR}

After using the gramine-argv-serializer the way you mention (I was using the way its done for args and not envs), it started working,
Thank you!