Troubleshooting

This section addresses possible warnings or errors you might encounter while using the Anjuna tools.

Command not found

If you see an error like anjuna-sgxrun: command not found, it indicates that the given command could not be found in any of the PATH search paths.

To resolve the error, ensure your PATH is configured correctly. When running in a VM, you can use the env.sh script to set the appropriate environment variables. In a Dockerfile, see Create a Dockerfile, and ensure the # Setting up environment variables section is present.

If the PATH appears correct, your current user may not be able to read the directory where the Anjuna tools are installed. You can update the directory to grant your user access, using standard Linux file permissions commands like chmod +r or chown.

Command failed with "…is not a valid ELF executable: bad magic number"

When running anjuna-sgxrun, anjuna-sign, or anjuna-compile-manifest, you may see an error like the following:

$ anjuna-sgxrun ./hello.py
'/home/example-user/hello.py' is not a valid ELF executable: bad magic number '[35 33 47 117]' in record at byte 0x0
anjuna-compile-manifest failed

This error occurs when the command you are trying to run (hello.py in the example above) is not an ELF executable. Usually, this indicates that the command is a shebang script.

The Anjuna SGX Runtime is designed to be used with ELF executables only. To resolve the error, find the interpreter for the script and run it explicitly.

For example, if you have an executable Python script named hello.py with the following contents:

#!/usr/bin/python3
print("hello world!")

Then instead of running anjuna-sgxrun ./hello.py, you should explicitly pass the interpreter path from the first line: anjuna-sgxrun /usr/bin/python3 ./hello.py

For bash or other shell scripts, running anjuna-sgxrun /bin/bash <scriptname> can be slow, because the shell will fork a new process for each command (an expensive operation in Intel® SGX). Instead, you can find the underlying command which needs to be secure, and only run that command using anjuna-sgxrun.

For example, if you have a shell script named nginx-wrapper.sh like the following:

#!/bin/bash
echo "Serving directory $1 and using default 'nginx.conf'"
/usr/sbin/nginx -p $1 -c nginx.conf

Then you do not need to protect the echo command, which does not handle sensitive information. You can edit the final line to instead run anjuna-sgxrun /usr/sbin/nginx -p $1 -c nginx.conf, and continue to execute the shell script as ./nginx-wrapper.sh.

Cannot find `libsgx_uae_service.so`

You may see the following error:

Runtime/anjuna-runtime: error while loading shared libraries: libsgx_uae_service.so: cannot open shared object file: No such file or directory

This error usually appears when running Anjuna in Docker. One potential cause is that the Anjuna SGX Runtime for Docker archive was unpacked in a non-root directory.

See Create a Dockerfile: The ADD anjuna-with-deps <…> directive must set the destination to / (the root directory).

Enclave not authorized to run

You may see the following error: [error_driver2api sgx_enclave_common.cpp:261] Enclave not authorized to run, .e.g. provisioning enclave hosted in app without access rights to /dev/sgx_provision. You need add the user id to group sgx_prv or run the app as root.

As the error message suggests, this error occurs when the user running anjuna-sgxrun (or anjuna-runtime) cannot access a required device for using SGX. The device is named /dev/sgx_provision or /dev/sgx/provision depending on the SGX version.

You can add a user to the sgx_prv group with the following commands:

$ sudo groupadd sgx_prv  # create the group, if it does not already exist
$ usermod -a -G sgx_prv <user-to-add>  # add the user to the group
# if the user is currently logged-in, they will need to log out and log in to apply the changes

The Anjuna installer automatically adds the user to this group.

If the error persists after adding the user to the sgx_prv group, you can check the group ownership of /dev/sgx/provision (e.g. with ls -l /dev/sgx/provision). If it is a different group name or group ID from sgx_prv group, you should also run chown :sgx_prv /dev/sgx/provision to fix it. This can occur in Docker environments where the group ID within the container does not match the group ID on the host machine.

Enclave crashes with "thread capacity reached" error

You may see an error like Cannot assign TCS address to new thread: thread capacity reached. This error indicates that the Anjuna SGX Runtime has run out of pre-allocated threads.

To resolve the issue, increase the num_threads in your manifest file to the desired number of threads.

Failed to create symbolic link './Runtime`

You may see an error like failed to create symbolic link './Runtime': Permission denied..

This error indicates that the user running anjuna-sgxrun does not have permission to write to the current working directory. This is required to locate shared libraries used by the Anjuna SGX Runtime.

To resolve this error, you can use standard Linux permissions tools like chmod +w or chown to ensure that the user running anjuna-sgxrun can write to the current working directory.

Potential issues following Intel’s mid-2021 updates to Intel® SGX drivers and libraries

Intel recently updated its Intel® SGX drivers and libraries with changes that can affect running software in Intel® SGX enclaves using Anjuna Runtime. The following information will help you recognize those issues.

Warning messages display when running an application inside an enclave

Since Intel’s release of DCAP library version 1.11, the following warning message may appear on DCAP machines when using Runtime/anjuna-runtime or anjuna-sgxrun:

[get_qpl_handle ../qe_logic.cpp:295] Failed to set logging callback for the quote provider library.

This is only a warning and can be ignored, because it only relates to the DCAP Quote Provider library logging mechanism, which has not yet been implemented by Microsoft’s DCAP Quote Provider library.