Konubinix' opinionated web of thoughts

Check for Sgx Availability

Fleeting

Which Platforms Support Intel® Software Guard Extensions (Intel® SGX)…

How to fix it: If a processor supports Intel® SGX and FLC, it supports DCAP

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

two options to determine if your system’s processor supports FLC:

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

Open a terminal and run:

$ cpuid | grep -i sgx

Look for output: SGX_LC: SGX launch config supported = true

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

FLC support in Intel® Xeon® E systems is also dependent on the BIOS and firmware. The platform must have an Intel® Server Platform Services (Intel® SPS)–based BIOS and firmware. Check with your platform manufacturer to verify if it is SPS-based or not.

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

CPUID is not sufficient to detect the usability of Intel® Software Guard Extensions (Intel® SGX) on a platform. Read Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications for more details on how to determine if your processor supports Intel SGX and Intel SGX is enabled

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

Only the top three SKUs of the Intel® Xeon® E-21xx family support FLC (E-2174G, E-2176G, E-2186G) on Intel® SPS–based platforms

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

DCAP only works with:

  • 8th Generation Intel® Core™ Processor or newer with Flexible Launch Control and Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) support
  • Intel Atom® Processor with Flexible Launch Control and Intel® AES-NI support

https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html

what is the proper way to detect Intel SGX support on a system so that my applications and their installers behave accordingly?

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

individual CPU may support Intel SGX, whether or not Intel SGX is actually available for use depends on two components:

  • BIOS
  • Intel SGX Platform Software package

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

requires a BIOS from the OEM that explicitly supports Intel SGX

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Check with your device manufacturer to determine whether or not Intel SGX is supported on your system.

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

When Intel SGX is set to Enabled in the BIOS, Intel SGX has been enabled, and Intel SGX instructions and resources are available to applications

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Intel SGX reserves up to 128 MB of system RAM as Processor Reserved Memory (PRM), which is used to hold the Enclave Page Cache (EPC).

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

enabling Intel SGX consumes a portion of the system’s resources, effectively making them unavailable to other applications.

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Software Controlled setting in the BIOS allows OEMs to ship systems with support for Intel SGX in a ready state, where it can be activated via software (this is the software opt-in). This is a compromise between having Intel SGX fully enabled by default and potentially consuming system resources even when no Intel SGX software is present on the system and having it turned off completely.

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Software enabling is a one-way operation: Intel SGX cannot be disabled via software

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

The only ways to disable Intel SGX once it has been enabled are to do so via the BIOS

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Intel SGX Platform Software package, or PSW, must be installed on the system. The PSW includes:

  • Runtime libraries
  • Services that support and maintain the trusted compute block on the end user’s system
  • Services that perform and manage critical Intel SGX operations such as attestation
  • Interfaces to platform services such as the trusted time and monotonic counters

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

These two libraries are installed into the system library directory on Linux platforms (typically /usr/lib or /usr/lib64):

  • libsgx_uae_service.so
  • libsgx_urts.so

Applications need to load the shared objects in this order.

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Use dynamic loading, not dynamic linking

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Dynamic linking is not an option, since systems that lack Intel SGX support will not have the PSW package installed. Attempting to run a dynamically linked executable on a system without the PSW package will result in unresolved symbol errors that prevent the application from launching

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Note that the check for the PSW package that is described above begins with a dynamic load of the necessary shared libraries. The application can simply keep these handles open

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html
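An added example, not from this note or the Intel article, of the dynamic-loading approach described above: dlopen the two PSW libraries in the prescribed order, keep the handles open for the life of the process, and fall back cleanly when either is missing instead of failing at launch with unresolved symbols. The library names are the two quoted above; nothing else about the PSW version is assumed.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* PSW shared objects in the load order the Intel article prescribes. */
#define PSW_LIB_COUNT 2
static const char *const PSW_LIBS[PSW_LIB_COUNT] = {
    "libsgx_uae_service.so",
    "libsgx_urts.so",
};

/*
 * dlopen() each name in order. Returns 1 when all opened; on the first failure
 * every handle already opened is closed again, so the caller never sees a
 * half-loaded PSW. RTLD_NOW resolves symbols up front, so a broken or partial
 * install is caught here rather than at first use; RTLD_GLOBAL lets the second
 * library resolve symbols exported by the first.
 */
int load_in_order(const char *const *names, size_t n, void **handles)
{
    size_t i;
    for (i = 0; i < n; i++) {
        handles[i] = dlopen(names[i], RTLD_NOW | RTLD_GLOBAL);
        if (handles[i] == NULL) {
            fprintf(stderr, "cannot load %s: %s\n", names[i], dlerror());
            while (i > 0) {
                i--;
                dlclose(handles[i]);
                handles[i] = NULL;
            }
            return 0;
        }
    }
    return 1;
}

/* Handles stay open for the lifetime of the process, as the article suggests. */
static void *psw_handles[PSW_LIB_COUNT];

/* 1 if the PSW runtime libraries are present and loadable, 0 otherwise. */
int psw_present(void)
{
    return load_in_order(PSW_LIBS, PSW_LIB_COUNT, psw_handles);
}

int main(void)
{
    if (!psw_present()) {
        puts("Intel SGX PSW not installed: use the non-SGX code path");
        return 1;
    }
    /* Resolve the entry points you need with dlsym() on psw_handles[] here. */
    puts("PSW loaded");
    return 0;
}
```

Link with -ldl on glibc older than 2.34; newer glibc and musl provide dlopen in libc itself.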

Linux developers will need to explicitly use dynamic loading in their applications

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

OS is outside of the Trusted Compute Base and malicious software can attempt to influence the preferred load order of dynamic libraries. This can lead to a denial of service of Intel SGX. Application developers can take basic precautions to mitigate against dynamic library preload attacks, but there are no foolproof solutions.

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

The CPUID instruction is not sufficient to detect the usability of Intel SGX on a platform

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

It can report whether or not the processor supports the Intel SGX instructions, but Intel SGX usability depends on both the BIOS settings and the PSW

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Figure 1: Intel® Software Guard Extensions feature-detection flowchart for installers

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

All Intel SGX applications must install the PSW

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

The Intel® Software Guard Extensions Feature-Detection Procedure for Linux Systems

The procedures for Linux systems are similar to those for Windows systems, but are complicated by disparities between the two platforms

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

The AESM service on Windows, which is part of the PSW, has always provided support for the software enable operation from user-level processes. As of this writing, the Linux distribution of the PSW does not provide this capability

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

functions for detecting Intel SGX capability as well as performing the software enable when running with administrator privileges. This library is intended to be used by application installers. The 1.9 and earlier versions of the Intel SDK for Linux do not include an equivalent library. However, it is available in a branch of the source code repository as both a static and dynamic library (libsgx_capable.a and libsgx_capable.so, respectively). It is expected to be merged into the main distribution in a future release

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

must call into libsgx_capable to perform the feature detection and software enable functions

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Note that sgx_cap_enable_device() requires root privileges in order to perform the software enable, so application installers need to be run as root

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

user-mode processes can detect the state of Intel SGX thanks to the efivarfs filesystem

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

Figure 3: Intel® Software Guard Extensions feature-detection flowchart for Linux* applications

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html

not possible to differentiate between the following three cases:

  • Intel SGX is not supported by the CPU
  • Intel SGX is not supported by the BIOS
  • Intel SGX is supported by the BIOS and CPU, but explicitly disabled in the BIOS

https://software.intel.com/content/www/us/en/develop/articles/properly-detecting-intel-software-guard-extensions-in-your-applications.html