Trying to enable SGX on a machine with BIOS available only for "Software Controlled".

Question

Trying to enable SGX on a machine with BIOS available only for "Software Controlled".

ronnypeterson opened this issue 6 years ago · 15 comments

I have no experience with Intel SGX, but I was able to do as facilities available here (https://github.com/intel/linux-sgx-driver) and here (https://github.com/intel/linux-sgx).
My machine has available in the BIOS only for "Software Controlled".
I have no idea how to enable the SGX. I got some sample code, but I do not know how they work. I read about sgx_enable_device (), but I could not.
Could someone help me in a simple way, not only indicating the function, but with a real code of how to use it?

Thank you very much for the help!

Answer 1 · 2018-12-15T14:09:22.000Z

I am using Ubuntu Server.

Answer 2 · 2018-12-17T00:18:16.000Z

You can use the code https://github.com/intel/linux-sgx/tree/master/sdk/libcapable/linux to enable SGX .
The code works if and only if you install the OS under UEFI mode. If you install the OS under legacy mode you are not able to use the code.

Answer 3 · 2018-12-17T17:57:33.000Z

I tried compiling using gcc -o sgx_capable sgx_capable.cpp, but gave the following error:

sgx_capable.cpp: 38: 10: fatal error: sgx_uae_service.h: No such file or directory

Answer 4 · 2018-12-17T18:09:36.000Z

You need to git clone the entire linux-sgx tree before trying to build that lib. When you do that, the sgx_uae_service.h should be found automatically in linux-sgx/common/inc when you "make" in that folder (I just built the library to confirm this).

Answer 5 · 2018-12-17T18:17:24.000Z

Yes, I did the git clone https://github.com/intel/linux-sgx/
cd linux-sgx / sdk / libcapable / linux
sudo make
Runs, but does not happen
I tried to compile again gcc -o sgx_capable sgx_capable.cpp
sgx_capable.cpp: 38: 10: fatal error: sgx_uae_service.h: No such file or directory
#include <sgx_uae_service.h>

Answer 6 · 2018-12-17T18:19:41.000Z

You said make "does not happen"... what's the actual output from the make command? You should end up with a libsgx_capable.so library being built in that folder.

Answer 7 · 2018-12-17T18:26:03.000Z

Okay, it has libsgx_capable.so in the directory
sudo ./libsgx_capable.so
Results: Segmentation fault

Answer 8 · 2018-12-17T18:32:19.000Z

That's a library, not an executable, so you can't just run it.

To use it, you need to do the following:

Create a basic app that does the following:

Include the header lib-sgx/common/inc/sgx_capable.h.
Link in the libsgx_capable.so library.
Call sgx_is_capable to make sure SGX can be enabled via SW on your platform.
Call sgx_cap_enable_device to actually enable SGX.

Answer 9 · 2018-12-17T18:51:59.000Z

My code:

#include <stdio.h>
#include "sgx_capable.h"

int main() {
printf("Hello World\n");
sgx_is_capable();
sgx_cap_enable_device();
}

gcc -o test test.cpp

Results:
test.cpp: In function ‘int main()’:
test.cpp:6:20: error: too few arguments to function ‘sgx_status_t sgx_is_capable(int*)’
sgx_is_capable();
^
In file included from test.cpp:2:
sgx_capable.h:63:14: note: declared here
sgx_status_t sgx_is_capable(int* sgx_capable);
^~~~~~~~~~~~~~
test.cpp:7:27: error: too few arguments to function ‘sgx_status_t sgx_cap_enable_device(sgx_device_status_t*)’
sgx_cap_enable_device();
^
In file included from test.cpp:2:
sgx_capable.h:71:14: note: declared here
sgx_status_t sgx_cap_enable_device(sgx_device_status_t* sgx_device_status);

Answer 10 · 2018-12-17T19:07:57.000Z

enable_sgx.cpp:

`#include <stdio.h>
#include "../../../common/inc/sgx_capable.h"

int main()
{
int is_sgx_capable = 0;
sgx_device_status_t status;

sgx_is_capable(&is_sgx_capable);
printf("is_sgx_capable: %d\n", is_sgx_capable);

sgx_cap_enable_device(&status);
printf("status: %d\n", (int)status);

return 0;

}
`

gcc enable_sgx.cpp -o enable_sgx -L. -lsgx_capable
LD_LIBRARY_PATH=. ./enable_sgx

is_sgx_capable has to come back a 1 to be able to be enabled.
If so, then status should come back a 1 also, which means "SGX_DISABLED_REBOOT_REQUIRED". Once you reboot, you should get a 1 back for both.

Answer 11 · 2018-12-17T19:17:38.000Z

Many thanks for the code. It worked, the first result was:
is_sgx_capable: 1
status: 4
I restarted, but the result continues:
is_sgx_capable: 1
status: 4
What does the value 4 mean?

Answer 12 · 2018-12-17T19:21:35.000Z

Apologies, I forgot permissions... try with sudo.

sudo LD_LIBRARY_PATH=. ./enable_sgx

Answer 13 · 2018-12-17T19:29:38.000Z

The first result was:
is_sgx_capable: 1
status: 1
I restarted, the result:
is_sgx_capable: 1
status: 0
Does zero mean that it is enabled?

Answer 14 · 2018-12-17T19:32:56.000Z

Yes! Zero means "SGX_ENABLED". :-)

Answer 15 · 2018-12-17T19:36:19.000Z

Ok. Thank you so much! It worked. I've been beating myself up for a few days alone and could not move forward. Thank you for your patience and for your time.
I used a test at https://github.com/ayeks/SGX-hardware/blob/master/test-sgx.c and it really is enabled.