Bare Metal Server Installation
Supported Hardware
You can refer to Intel's processor list for a comprehensive overview. Please note that MacBooks with Intel CPUs are unlikely to be supported. If you come across a compatible configuration, kindly inform us.
In addition to SGX, the hardware module must also support FSGSBASE
, which is an architecture extension enabling direct writes to FS
and GS
segment registers. This facilitates fast thread switching in user applications and provides an additional address register for application use. FSGSBASE
is already supported if your kernel version is 5.9 or higher.
Firmware
Regularly updating the firmware to the latest version is crucial to address security vulnerabilities and ensure the system's security and reliability. Intel sends security bulletins once you apply for a PCS API key. It is recommended to promptly update the firmware upon receiving a security notice, as outdated systems may experience attestation service failures based on the customer's selected policy. Firmware versioning is part of the attestation flow, and customers have the option to fail attestation if known vulnerable firmware is detected.
Note that Supermicro releases firmware updates with a slight delay to the open market, while Asrock does not provide updates unless specifically requested. Hyperscalers may need private agreements with OEMs to obtain firmware updates before CVEs are reported.
Host Operating System
The host operating system needs to support SGX drivers. In recent upstream Linux kernels, the drivers are initialized correctly by default, requiring no additional action. Disregard any instructions from Intel regarding host kernel initialization, as the upstream Linux implementation provides significantly improved launch policy support compared to Intel's original intentions.
To confirm SGX driver initialization, check if "/dev/sgx_enclave" is present. If not, update the BIOS to enable SGX and ensure that the Linux kernel is updated to the latest version. You can use the following command to check (with sudo
access):
Or without sudo
access:
Refer to the board's manual for the required memory layout for SGX. It may stipulate a minimum of 8 populated banks and the need to disable certain memory features. For example, Supermicro provides specific instructions in its manual, while other AMI systems may have similar requirements. Note that SGX is incompatible with NVRAM, hot-pluggable memory, and PCIe-attached memory. Only directly attached DRAM with ECC will function correctly.
If you believe that your hardware supports Intel SGX but you suspect that the driver is missing, follow these steps to proceed:
Check your Linux kernel version:
Ubuntu 21.04 or higher (Kernel version ≥ 5.11) includes the driver by default, upgrade your Linux distribution or kernel version if possible.
Otherwise, if your kernel version is 5.9 or higher, install the DCAP drivers from the Intel SGX repo using the following commands:
After installing the SGX driver, you may need to install additional dependencies. Run the following command:
If your kernel version is older than 5.9, upgrade your kernel to version 5.11 or higher. Follow the instructions provided here.
Register CPU
To register the CPU with Intel and obtain the Provisioning Certification Key (PCK), it is necessary to use the Intel Multipackage Registration Agent. The quickest method is to add the following Ubuntu repository:
Then, install the "mpa_registration_tool" package. Ensure that auto-registration is enabled in the BIOS, which allows the agent to communicate with Intel on behalf of the BIOS. While the agent is not technically required during normal operation, leaving it enabled can facilitate automatic key updates when Intel mandates them.
To subscribe to Intel Provisioning Certificate Service and receive an API key, visit the following link: Intel Provisioning Certificate Service and click on "Subscribe", then log in / create a new account and you will find the key.
DCAP Framework
Follow Intel's installation guidelines for the DCAP framework. To verify the successful installation of DCAP drivers, check if /dev/sgx_provision
is present.
At a high level, the steps to set up the minimum Intel SGX DCAP environment are as follows:
Subscribe to the Intel PCS Attestation service and obtain the necessary API keys.
Set up Intel's Provisioning Certification Caching Service (PCCS), which acts as a reference caching service.
Provision the Intel SGX-enabled platform for SGX workloads.
Verify the provisioning data.
When subscribing to the Intel PCS Service, you will receive two API keys: a primary key and a secondary key. Both keys are interchangeable, and their purpose is to ensure uninterrupted service in case the active key needs to be regenerated.
To subscribe to the service, please visit the Intel SGX Software Services page.
Last updated