Install the Linux SGX Driver
First, let’s get the source code:
cd ~/test
if ! [ -e SGXDataCenterAttestationPrimitives ]
then
git clone --recurse-submodules https://github.com/intel/SGXDataCenterAttestationPrimitives
fi
cd SGXDataCenterAttestationPrimitives
Then, let’s try to find out whether I have the correct hardware.
Anyway, let’s try to build the driver now.
To check if matching kernel headers are installed:
dpkg-query -s linux-headers-$(uname -r)
Package: linux-headers-5.8.0-2-amd64
Status: install ok installed
Priority: optional
Section: kernel
Installed-Size: 4995
Architecture: amd64
Source: linux
Version: 5.8.10-1
= 5.8.10-1), linux-compiler-gcc-10-x86
Description: Header files for Linux 5.8.0-2-amd64
This package provides the architecture-specific kernel header files for
Linux kernel 5.8.0-2-amd64, generally used for building out-of-tree kernel
modules. These files are going to be installed into
/usr/src/linux-headers-5.8.0-2-amd64, and can be used for building modules
that load into the kernel provided by the linux-image-5.8.0-2-amd64
package.
Homepage: https://www.kernel.org/
Great, let’s move on.
Note: Refer to the “Intel® SGX Resource Enumeration Leaves” section in the Intel SGX Programming reference guide to make sure your cpu has the SGX feature.
Hmmm, let’s take a look at this.
Great, how can I dump this CPUID information to find out what my processor is capable of?
apt info cpuid
Package: cpuid
Version: 20201006-1
Priority: optional
Section: admin
Installed-Size: 410 kB
= 2.7), perl:any
Homepage: http://www.etallen.com/cpuid.html
Tag: hardware::detection, implemented-in::c, interface::commandline,
role::program, scope::utility, use::viewing
Download-Size: 117 kB
APT-Manual-Installed: yes
APT-Sources: http://deb.debian.org/debian testing/main amd64 Packages
Description: tool to dump x86 CPUID information about the CPU(s)
cpuid dumps detailed information about the CPU(s) gathered from the
CPUID instruction, and also determines the exact model of CPU(s). It
supports Intel, AMD, and VIA CPUs, as well as older Transmeta, Cyrix,
UMC, NexGen, Rise, and SiS CPUs.
N: There is 1 additional record. Please use the '-a' switch to see it
Awesome, what can cpuid tell us about the support of sgx?
cpuid --one-cpu|grep -i sgx
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
Software Guard Extensions (SGX) capability (0x12/0):
SGX1 supported = true
SGX2 supported = true
SGX ENCLV E*VIRTCHILD, ESETCONTEXT = true
SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = true
SGX attributes (0x12/1):
SGX EPC enumeration (0x12/n):
Great, this confirms that my processor understands sgx. There is nothing about Flexible Launch Control, but there is launch config.
pushd driver/linux/
make
popd
~/test/SGXDataCenterAttestationPrimitives/driver/linux ~/test/SGXDataCenterAttestationPrimitives
make -C /lib/modules/5.8.0-2-amd64/build M=/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux CFLAGS_MODULE="-I/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux -I/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/include" modules
make[1]: Entering directory '/usr/src/linux-headers-5.8.0-2-amd64'
CC [M] /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/encl.o
CC [M] /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/main.o
/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/main.c: In function ‘sgx_init’:
pragma message: kernel version may not be supported’
pragma message "kernel version may not be supported"
| ^~~~~~~
CC [M] /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/driver.o
CC [M] /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/ioctl.o
LD [M] /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/intel_sgx.o
MODPOST /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/Module.symvers
ERROR: modpost: "kallsyms_lookup_name" [/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/intel_sgx.ko] undefined!
make[3]: *** [/usr/src/linux-headers-5.8.0-2-common/scripts/Makefile.modpost:111: /home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/Module.symvers] Error 1
make[3]: *** Deleting file '/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/Module.symvers'
make[2]: *** [/usr/src/linux-headers-5.8.0-2-common/Makefile:1677: modules] Error 2
make[1]: *** [/usr/src/linux-headers-5.8.0-2-common/Makefile:185: __sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.8.0-2-amd64'
make: *** [Makefile:22: default] Error 2
~/test/SGXDataCenterAttestationPrimitives
It looks like something is missing; the problematic line appears to be:
ERROR: modpost: "kallsyms_lookup_name" [/home/sam/test/SGXDataCenterAttestationPrimitives/driver/linux/intel_sgx.ko] undefined!
Why did intel_sgx.ko fail to appear? Is it because the “kernel version may not be supported”?
Indeed, the code looks like
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0) )
#pragma message "kernel version may not be supported"
#endif
While I am running on:
uname -r
5.8.0-2-amd64
Unfortunately, newer kernels require too much effort to be taken into account.
unfortunately, it requires too much effort to support mput_async interface in kernels above 5.7. See this commit: 0826b44
If you build your own kernel, please export kallsyms_lookup_name
— https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/146
We could try to run in a virtual machine, provided it emulates the sgx features.
Yet, it seems like no virtualization tool supports this so far.
Indeed, when running a compatible ubuntu in vagrant, we get
vagrant@ubuntu2004:~$ cpuid --one-cpu | grep -i sgx
SGX: Software Guard Extensions supported = false
SGX_LC: SGX launch config supported = false
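The checks done by hand on this page, gathered into one preflight script. This is an added example, not code from the Intel repository or from this post: the function names are made up here, the Module.symvers path follows the `make -C /lib/modules/.../build` line in the build log above, and treating SGX_LC as required by the driver is an assumption.

```shell
#!/bin/sh
# Added example: preflight for building the out-of-tree SGX DCAP driver.
# All function names are hypothetical; nothing here comes from Intel's repository.

# version_ge RELEASE MAJOR.MINOR: true when RELEASE (e.g. 5.8.0-2-amd64) is at least MAJOR.MINOR.
version_ge() {
    a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%[!0-9]*}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# symbol_exported SYMBOL FILE: true when FILE (a Module.symvers) lists SYMBOL.
# Module.symvers is tab-separated and the symbol name is the second column.
# An unreadable or missing FILE counts as "not exported".
symbol_exported() {
    [ -r "$2" ] && awk -F'\t' -v s="$1" '$2 == s { found = 1 } END { exit !found }' "$2"
}

# dcap_build_verdict RELEASE SYMVERS: predicts the modpost step of `make`.
dcap_build_verdict() {
    if ! version_ge "$1" 5.7; then
        echo "ok: kernel $1 is below 5.7, the version main.c warns about"
    elif symbol_exported kallsyms_lookup_name "$2"; then
        echo "ok: kernel $1 exports kallsyms_lookup_name"
    else
        echo "fail: kernel $1: kallsyms_lookup_name not listed in $2 (modpost error expected)"
    fi
}

# sgx_cpu_ready: reads `cpuid --one-cpu` output on stdin; true when SGX and
# SGX_LC both report "true". Requiring SGX_LC is an assumption of this example.
sgx_cpu_ready() {
    awk '/SGX: Software Guard Extensions supported/ { sgx = ($NF == "true") }
         /SGX_LC: SGX launch config supported/      { lc  = ($NF == "true") }
         END { exit !(sgx && lc) }'
}

# Live run on this machine; a missing cpuid tool or headers package is reported, not fatal.
rel=$(uname -r)
dcap_build_verdict "$rel" "/lib/modules/$rel/build/Module.symvers"
if command -v cpuid >/dev/null 2>&1; then
    if cpuid --one-cpu | sgx_cpu_ready; then echo "cpu: SGX and SGX_LC reported"
    else echo "cpu: SGX or SGX_LC not reported"; fi
else
    echo "cpu: cpuid not installed, check skipped"
fi
```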