FLC support in Intel® Xeon® E systems also depends on the BIOS and firmware. The platform must have an Intel® Server Platform Services (Intel® SPS)-based BIOS and firmware. Check with your platform manufacturer to verify whether the platform is SPS-based.
CPUID is not sufficient to detect the usability of Intel® Software Guard Extensions (Intel® SGX) on a platform: it reports only that the processor implements the instructions, not whether the BIOS has enabled them or whether the platform software is installed. Read Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications for more details on how to determine whether your processor supports Intel SGX and whether Intel SGX is enabled.
8th Generation Intel® Core™ Processor or newer with Flexible Launch Control and Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) support
Intel Atom® Processor with Flexible Launch Control and Intel® AES-NI support
The Software Controlled setting in the BIOS allows OEMs to ship systems with support for Intel SGX in a ready state, where it can be activated via software (this is the software opt-in). This is a compromise between having Intel SGX fully enabled by default, which reserves system resources even when no Intel SGX software is present on the system, and having it turned off completely.
The Intel SGX Platform Software package (PSW) must be installed on the system. The PSW includes:
Runtime libraries
Services that support and maintain the trusted compute block on the end user’s system
Services that perform and manage critical Intel SGX operations such as attestation
Interfaces to platform services such as the trusted time and monotonic counters
Dynamic linking is not an option, since systems that lack Intel SGX support will not have the PSW package installed. Attempting to run a dynamically linked executable on a system without the PSW package will result in unresolved symbol errors that prevent the application from launching.
Note that the check for the PSW package described above begins with a dynamic load of the necessary shared libraries. The application can simply keep these handles open for the rest of its run rather than unloading and reloading the libraries.
The OS is outside of the Trusted Compute Base, and malicious software can attempt to influence the preferred load order of dynamic libraries. This can lead to a denial of service of Intel SGX. Application developers can take basic precautions to mitigate dynamic library preload attacks, but there are no foolproof solutions.
The AESM service on Windows, which is part of the PSW, has always provided support for the software enable operation from user-level processes. As of this writing, the Linux distribution of the PSW does not provide this capability.
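The detection procedure spelled out above (CPUID feature bits first, then a dynamic load of the PSW runtime, with the enable state left to the PSW itself) as a single added example in C. This is not Intel's code and not part of the SDK; the CPUID bit positions are taken from the Intel SDM (CPUID.(EAX=07H,ECX=0H):EBX[2] for SGX, ECX[30] for SGX_LC/Flexible Launch Control, and CPUID.(EAX=12H,ECX=0H):EAX[0]/[1] for SGX1/SGX2), the library soname `libsgx_urts.so` is the Linux PSW untrusted runtime and is assumed here, and the register values fed to the decoder in the tests are constructed.

```c
/* Added example, not from the article or the Intel SGX SDK.
 * Stage 1: decode CPUID.  Stage 2: dlopen() the PSW runtime and keep the
 * handle.  Stage 3 (is SGX enabled, can it be software-enabled) is left to
 * the PSW (sgx_capable / AESM) and is only reported as "still to check". */
#include <stdio.h>
#include <stdint.h>
#include <dlfcn.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

typedef struct {
    int sgx;   /* CPUID.(7,0):EBX[2]   : SGX instructions implemented      */
    int sgx1;  /* CPUID.(0x12,0):EAX[0]: SGX1 leaf functions                */
    int sgx2;  /* CPUID.(0x12,0):EAX[1]: SGX2 leaf functions                */
    int flc;   /* CPUID.(7,0):ECX[30]  : SGX_LC, Flexible Launch Control    */
} sgx_cpuid_caps;

/* Pure decoder: takes raw register values so it can be exercised with
 * constructed input on any machine, x86 or not. */
static sgx_cpuid_caps decode_sgx_cpuid(uint32_t leaf7_ebx, uint32_t leaf7_ecx,
                                       uint32_t leaf12_eax)
{
    sgx_cpuid_caps c;
    c.sgx  = (leaf7_ebx >> 2) & 1;
    c.flc  = (leaf7_ecx >> 30) & 1;
    /* Leaf 0x12 is only defined when the SGX bit in leaf 7 is set. */
    c.sgx1 = c.sgx ? (leaf12_eax & 1) : 0;
    c.sgx2 = c.sgx ? ((leaf12_eax >> 1) & 1) : 0;
    return c;
}

/* Read the live registers on x86; yields all-zero caps on other builds. */
static sgx_cpuid_caps query_sgx_cpuid(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    unsigned int max_leaf = __get_cpuid_max(0, NULL);
    if (max_leaf < 7)
        return decode_sgx_cpuid(0, 0, 0);
    __cpuid_count(7, 0, a, b, c, d);
    uint32_t l7_ebx = b, l7_ecx = c, l12_eax = 0;
    if (((l7_ebx >> 2) & 1) && max_leaf >= 0x12) {
        __cpuid_count(0x12, 0, a, b, c, d);
        l12_eax = a;
    }
    return decode_sgx_cpuid(l7_ebx, l7_ecx, l12_eax);
#else
    return decode_sgx_cpuid(0, 0, 0);
#endif
}

/* Stage 2: is the PSW installed?  Resolve the runtime by soname at run time
 * instead of linking it, so the binary still starts on machines without the
 * PSW.  RTLD_NOW forces symbol resolution now rather than at first call.
 * Returns the handle (caller keeps it open) or NULL with *err from dlerror(). */
static void *load_psw_runtime(const char *soname, const char **err)
{
    void *h = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (!h && err)
        *err = dlerror();
    return h;
}

typedef enum {
    SGX_NO_HARDWARE,      /* CPU does not implement SGX1: nothing to do     */
    SGX_HW_NO_PSW,        /* CPU is capable but the PSW is not installed    */
    SGX_HW_AND_PSW        /* both present; enable state still to be queried */
} sgx_verdict;

static sgx_verdict classify_sgx(sgx_cpuid_caps caps, int psw_loaded)
{
    if (!caps.sgx || !caps.sgx1)
        return SGX_NO_HARDWARE;
    if (!psw_loaded)
        return SGX_HW_NO_PSW;
    return SGX_HW_AND_PSW;
}

int main(void)
{
    sgx_cpuid_caps caps = query_sgx_cpuid();
    const char *err = NULL;
    /* Assumed Linux PSW soname; keep the handle for the process lifetime. */
    void *psw = load_psw_runtime("libsgx_urts.so", &err);
    printf("cpuid: sgx=%d sgx1=%d sgx2=%d flc=%d\n",
           caps.sgx, caps.sgx1, caps.sgx2, caps.flc);
    printf("psw runtime: %s\n", psw ? "loaded" : (err ? err : "not found"));
    switch (classify_sgx(caps, psw != NULL)) {
    case SGX_NO_HARDWARE: puts("verdict: no SGX hardware"); break;
    case SGX_HW_NO_PSW:   puts("verdict: SGX-capable CPU, PSW missing"); break;
    case SGX_HW_AND_PSW:  puts("verdict: hardware + PSW present; "
                               "query enable state via the PSW next"); break;
    }
    return 0;
}
```

The decoder is separated from the live CPUID query so the bit positions can be checked with known register images; a positive verdict from this code still means only "hardware and PSW present", and the BIOS enable state (and the software opt-in where the BIOS is set to Software Controlled) must be asked of the PSW afterwards.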
functions for detecting Intel SGX capability as well as performing the software enable when running with administrator privileges. This library is intended to be used by application installers. The 1.9 and earlier versions of the Intel SDK for Linux do not include an equivalent library. However, it is available in a branch of the source code repository as both a static and a dynamic library (libsgx_capable.a and libsgx_capable.so, respectively). It is expected to be merged into the main distribution in a future release.