Bare Metal Server Installation

Supported Hardware

You can refer to Intel's processor list for a comprehensive overview. Please note that MacBooks with Intel CPUs are unlikely to be supported. If you come across a compatible configuration, kindly inform us.

In addition to SGX, the CPU must also support FSGSBASE, an architecture extension that lets user-space code write the FS and GS segment base registers directly. This enables fast thread switching in user applications and provides an additional address register for application use. Kernel support for FSGSBASE is present in Linux 5.9 and later.

Firmware

Regularly updating the firmware to the latest version is crucial to address security vulnerabilities and keep the system secure and reliable. Intel sends security bulletins once you apply for a PCS API key. Update the firmware promptly upon receiving a security notice: depending on the policy a customer has selected, an outdated system may fail attestation. Firmware versioning is part of the attestation flow, and customers can choose to fail attestation when known-vulnerable firmware is detected.

Note that Supermicro releases firmware updates to the open market with a slight delay, while ASRock does not provide updates unless specifically requested. Hyperscalers may need private agreements with OEMs to obtain firmware updates before CVEs are published.

Host Operating System

The host operating system needs to support SGX drivers. In recent upstream Linux kernels, the drivers are initialized correctly by default, requiring no additional action. Disregard any instructions from Intel regarding host kernel initialization, as the upstream Linux implementation provides significantly improved launch policy support compared to Intel's original intentions.

To confirm that the SGX driver initialized, check whether /dev/sgx_enclave exists. If it does not, enable SGX in the BIOS and make sure the Linux kernel is updated to the latest version. You can also check the kernel log (requires sudo access):

sudo dmesg | grep -i sgx
[    3.891614] sgx: EPC section 0x8000c00000-0x807f7fffff

Or, without sudo access, check that the CPU flags include sgx (this confirms that the CPU and BIOS expose SGX, not that the driver has loaded):

grep sgx /proc/cpuinfo

Refer to the board's manual for the required memory layout for SGX. It may stipulate a minimum of 8 populated banks and the need to disable certain memory features. For example, Supermicro provides specific instructions in its manual, while other AMI systems may have similar requirements. Note that SGX is incompatible with NVRAM, hot-pluggable memory, and PCIe-attached memory. Only directly attached DRAM with ECC will function correctly.

If you believe that your hardware supports Intel SGX but you suspect that the driver is missing, follow these steps:

  1. Check your Linux kernel version:

    uname -r

  2. Ubuntu 21.04 or higher (kernel version ≥ 5.11) includes the driver by default; upgrade your Linux distribution or kernel version if possible.

  3. Otherwise, if your kernel version is 5.9 or higher, install the DCAP driver from the Intel SGX repository using the following commands:

    sudo apt update
    sudo apt -y install dkms
    wget https://download.01.org/intel-sgx/sgx-linux/2.13.3/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin -O sgx_linux_x64_driver.bin
    chmod +x sgx_linux_x64_driver.bin
    sudo ./sgx_linux_x64_driver.bin

  4. After installing the SGX driver, you may need to install additional dependencies. Run the following command:

    sudo apt -y install clang-10 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave

  5. If your kernel version is older than 5.9, upgrade your kernel to version 5.11 or higher. Follow the instructions provided here.
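Putting the checks in this section together, here is an added shell helper (not part of the original page): it encodes the kernel-version decision from the steps above, computes the size of an EPC section from a dmesg line like the one shown earlier, and reports whether /dev/sgx_enclave and /dev/sgx_provision exist. The sgx_lc flag check is an extra beyond the page's steps (the upstream driver requires Flexible Launch Control).

```shell
#!/bin/sh
# Added helper for the SGX driver steps above; not code from the original page.

# Turn "5.11.0-46-generic" into 5011 (major*1000 + minor) for numeric comparison.
kernel_rank() {
  major=${1%%.*}
  case "$1" in
    *.*) minor=${1#*.}; minor=${minor%%.*}; minor=${minor%%[!0-9]*} ;;
    *)   minor=0 ;;
  esac
  echo $(( major * 1000 + minor ))
}

# Given a kernel version and the CPU flags line, print the page's recommendation:
#   no-sgx-cpu     - no "sgx" flag: enable SGX in the BIOS or use other hardware
#   in-tree        - kernel >= 5.11: upstream driver, nothing to install
#   dcap-oot       - kernel 5.9 or 5.10: install Intel's out-of-tree DCAP driver
#   upgrade-kernel - kernel < 5.9: upgrade to 5.11 or newer
sgx_driver_recommendation() {
  kver=$1; flags=$2
  case " $flags " in *" sgx "*) ;; *) echo no-sgx-cpu; return 0 ;; esac
  rank=$(kernel_rank "$kver")
  if [ "$rank" -ge 5011 ]; then echo in-tree
  elif [ "$rank" -ge 5009 ]; then echo dcap-oot
  else echo upgrade-kernel; fi
}

# Size in MiB of one EPC section from a dmesg line such as
# "[    3.891614] sgx: EPC section 0x8000c00000-0x807f7fffff" (inclusive range).
epc_section_mib() {
  range=${1##* }
  start=${range%-*}; end=${range#*-}
  echo $(( ($end - $start + 1) / 1048576 ))
}

# Live report for this host; only meaningful on an SGX-capable Linux machine.
sgx_preflight() {
  flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n1 | cut -d: -f2)
  echo "kernel $(uname -r): $(sgx_driver_recommendation "$(uname -r)" "$flags")"
  for dev in /dev/sgx_enclave /dev/sgx_provision; do
    if [ -c "$dev" ]; then echo "present: $dev"; else echo "missing: $dev"; fi
  done
  # Extra check beyond the page's steps: the upstream driver needs Flexible Launch Control.
  case " $flags " in *" sgx_lc "*) echo "sgx_lc: yes" ;; *) echo "sgx_lc: no (check BIOS)" ;; esac
  dmesg 2>/dev/null | grep 'sgx: EPC section' | while read -r line; do
    echo "EPC section: $(epc_section_mib "$line") MiB"
  done
}

if [ "${1:-}" = "--live" ]; then sgx_preflight; fi
```

Save it as a script and run it with --live on the target host; the decision and parsing functions can also be called directly with any version string or dmesg line.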

Register CPU

To register the CPU with Intel and obtain the Provisioning Certification Key (PCK), it is necessary to use the Intel Multipackage Registration Agent. The quickest method is to add the following Ubuntu repository:

deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main

Then, install the "mpa_registration_tool" package. Ensure that auto-registration is enabled in the BIOS, which allows the agent to communicate with Intel on behalf of the BIOS. While the agent is not technically required during normal operation, leaving it enabled can facilitate automatic key updates when Intel mandates them.

To subscribe to the Intel Provisioning Certificate Service and receive an API key, open the Intel Provisioning Certificate Service page and click "Subscribe", then log in or create a new account; the key is shown in your subscription details.

DCAP Framework

Follow Intel's installation guidelines for the DCAP framework. To verify the successful installation of DCAP drivers, check if /dev/sgx_provision is present.

At a high level, the steps to set up the minimum Intel SGX DCAP environment are as follows:

  1. Subscribe to the Intel PCS Attestation service and obtain the necessary API keys.

  2. Set up Intel's Provisioning Certification Caching Service (PCCS), which acts as a reference caching service.

  3. Provision the Intel SGX-enabled platform for SGX workloads.

  4. Verify the provisioning data.

When subscribing to the Intel PCS Service, you will receive two API keys: a primary key and a secondary key. Both keys are interchangeable, and their purpose is to ensure uninterrupted service in case the active key needs to be regenerated.

To subscribe to the service, please visit the Intel SGX Software Services page.
