Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004

[khairulislam]

I am trying to start aesmd service on my remote server. But it fails with the following logs. Any help how to solve this will be appreciated. I have also tried reinstalling the whole thing couple of times. But always got stuck here.

--
-- The unit dnf-makecache.service has successfully entered the 'dead' state.
Jan 24 20:10:28 users systemd[1]: Started dnf makecache.
-- Subject: Unit dnf-makecache.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit dnf-makecache.service has finished starting up.
--
-- The start-up result is done.
Jan 24 20:10:40 users sudo[513744]:    user : TTY=pts/1 ; PWD=/home/user/sgx_bin ; USER=root ; COMMAND=/bin/systemctl start aesmd
Jan 24 20:10:40 users sudo[513744]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 24 20:10:40 users sudo[513744]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Jan 24 20:10:40 users systemd[1]: Couldn't stat device /dev/sgx/enclave: No such file or directory
Jan 24 20:10:40 users systemd[1]: /dev/sgx is not a device.
Jan 24 20:10:40 users systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
-- Subject: Unit aesmd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit aesmd.service has begun starting up.
Jan 24 20:10:40 users systemd[513748]: aesmd.service: Failed to determine user credentials: No such process
Jan 24 20:10:40 users systemd[513748]: aesmd.service: Failed at step USER spawning /opt/intel/sgx-aesm-service/aesm/linksgx.sh: No such process
-- Subject: Process /opt/intel/sgx-aesm-service/aesm/linksgx.sh could not be executed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The process /opt/intel/sgx-aesm-service/aesm/linksgx.sh could not be executed and failed.
--
-- The error number returned by this process is 3.
Jan 24 20:10:40 users systemd[1]: aesmd.service: Control process exited, code=exited status=217
Jan 24 20:10:40 users systemd[1]: aesmd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit aesmd.service has entered the 'failed' state with result 'exit-code'.
Jan 24 20:10:40 users systemd[1]: Failed to start Intel(R) Architectural Enclave Service Manager.
-- Subject: Unit aesmd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit aesmd.service has failed.
--
-- The result is failed.
Jan 24 20:10:40 users sudo[513744]: pam_unix(sudo:session): session closed for user root

[3]+  Stopped                 journalctl -xe

My kernel version is linux 4.18.0-348.7.1.el8_5.x86_64 on CentOS 8.2. It doesn't support FLC, only SGX launch config. So I have installed the out of tree driver. I found /dev/isgx was created after installing the sgx driver. I have installed the sdk, psw and driver following the Intel_SGX_SW_Installation_Guide_for_Linux. I have also installed the libraries mentioned in https://github.com/intel/linux-sgx. My user name and aesmd both are added in the sgx_prv group.

Update: after fixing the previous issue I have the following error:

[user@user ~]$ sudo systemctl status aesmd.service
● aesmd.service - Intel(R) Architectural Enclave Service Manager
   Loaded: loaded (/usr/lib/systemd/system/aesmd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-01-25 20:13:57 EST; 7s ago
  Process: 1656172 ExecStart=/opt/intel/sgx-aesm-service/aesm/aesm_service (code=exited, status=0/SUCCESS)
  Process: 1656170 ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 1656168 ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 1656166 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 1656163 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 1656161 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
  Process: 1656151 ExecStartPre=/opt/intel/sgx-aesm-service/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
 Main PID: 1656173 (aesm_service)
    Tasks: 4 (limit: 408018)
   Memory: 6.5M
   CGroup: /system.slice/aesmd.service
           └─1656173 /opt/intel/sgx-aesm-service/aesm/aesm_service

Jan 25 20:13:57 user systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
Jan 25 20:13:57 user systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Jan 25 20:13:57 user aesm_service[1656173]: [ADMIN]White List update requested
Jan 25 20:13:57 user aesm_service[1656173]: [load_qe ../qe_logic.cpp:642] Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004.
Jan 25 20:13:57 user aesm_service[1656173]: Failed to load QE3: 0x4004
Jan 25 20:13:57 user aesm_service[1656173]: The server sock is 0xd52c50
Jan 25 20:13:57 user aesm_service[1656173]: [ADMIN]White list update request successful for Version: 108

[llly]

The error message is expected since your platform doesn't support FLC.
QE3 is for DCAP ECDSA-based attestation and requires FLC. Your platform can perform EPID based attestation.

[khairulislam]

Thanks, that makes sense.