Hardware Report: packet.net
lacabra opened this issue · 3 comments
packet.net offers Trusted Compute: a cryptographic chain of trust from hardware to the distributed cluster. Yet, not all of the 9 CPU configurations that they offer under this service are Intel-based, and only one is SGX-capable: C1.SMALL.X86 based on a E3-1240 v5 CPU.
As of April 2018, in talking with their customer and technical support teams, they provided a quote for $270/month with a one-year contract and a 30-day cancellation for a dedicated C1.SMALL.X86 bare metal server, a very similar quote to what IBM quoted at the same time for the same specs.
Yet, when querying further about the feasibility of them enabling SGX through the BIOS when provisioning these dedicated servers, I got a more discouraging response:
I completed my testing against all of our potentially capable Intel servers: c1.small, c1.xlarge, m1.xlarge and m2.xlarge.
Unfortunately, none of them have SGX enabled. Enabling SGX is BIOS dependent (as some of you know), and for reasons that are unclear our hardware partners ship that turned off. I looked for this setting on some of our systems, and could not find it. It may be hidden behind other features (like TXT) that we cannot turn on. It may require new BIOS/UEFI firmware loaded on these systems to support that feature. We can't support TXT because we cannot enable a fully trusted boot chain and we cannot support manual steps during our provisioning and deprovisioning processes that TXT require.
Either way, enabling SGX on our Intel platforms would require a large amount of integration testing so I don't think it will be something we can support in the short term.
Quick update - Packet does provide SGX enabled machines using our reserved hardware model. We are working on an API update to support enabling/disabled SGX at provision time. This should be released in Q4 2018.
Here's the report from a c1.small instance @ Packet :
eax: 906e9 ebx: 7100800 ecx: 7ffafbff edx: bfebfbff
stepping 9
model 14
family 6
processor type 0
extended model 9
extended family 0
smx: 1
Extended feature bits (EAX=07H, ECX=0H)
eax: 0 ebx: 29c6fbf ecx: 0 edx: 9c000000
sgx available: 1
CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 1 ebx: 0 ecx: 0 edx: 241f
sgx 1 supported: 1
sgx 2 supported: 0
MaxEnclaveSize_Not64: 1f
MaxEnclaveSize_64: 24
CPUID Leaf 12H, Sub-Leaf 1 of Intel SGX Capabilities (EAX=12H,ECX=1)
eax: 36 ebx: 0 ecx: 1f edx: 0
CPUID Leaf 12H, Sub-Leaf 2 of Intel SGX Capabilities (EAX=12H,ECX=2)
eax: 80200001 ebx: 0 ecx: 5d80001 edx: 0
CPUID Leaf 12H, Sub-Leaf 3 of Intel SGX Capabilities (EAX=12H,ECX=3)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 4 of Intel SGX Capabilities (EAX=12H,ECX=4)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 5 of Intel SGX Capabilities (EAX=12H,ECX=5)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 6 of Intel SGX Capabilities (EAX=12H,ECX=6)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 7 of Intel SGX Capabilities (EAX=12H,ECX=7)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 8 of Intel SGX Capabilities (EAX=12H,ECX=8)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 9 of Intel SGX Capabilities (EAX=12H,ECX=9)
eax: 0 ebx: 0 ecx: 0 edx: 0
Great! Feel free to reference documentation for SGX on packet.net