Preparing SGX Env on Ubuntu20.04
Background
In 2015 Intel released Software Guard Extensions. This introduces a new set of instruction codes for Intel CPUs that offer new security options in the way of a hardware enclave.Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification.
The Linux SGX software stack is comprised of the Intel(R) SGX driver, the Intel(R) SGX SDK, and the Intel(R) SGX Platform Software. The Intel(R) SGX SDK and Intel(R) SGX PSW are hosted in the linux-sgx project.
This post will focus on installing the SGX driver, SDK, and PSW on Ubuntu 20.04. Support for SGX can be found for major Linux distributions as well as Windows.
The linux-sgx-driver project hosts the out-of-tree driver for the Linux Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete.
There are currently three different drivers that can be used to support Intel® SGX. The platform must be configured with only one of these drivers:
- In-kernel Driver (/dev/{sgx_enclave, sgx_provision}): Mainline kernel release 5.11 or higher includes the SGX In-Kernel driver. The In-Kernel Driver requires the platform to support and to be configured for Flexible Launch Control.
- DCAP Driver (/dev/{sgx_enclave, sgx_provision}): The goal of the DCAP driver is to provide an interface close to the In-kernel Driver in order to provide Intel® SGX support to Linux OSs that do not have the Intel® SGX driver built into the kernel. This driver also requires the platform to support and to be configured for Flexible Launch Control. Since this driver supports an out-oftree implementation, it does not include new features supported by later kernel releases such as EDMM, SGX KVM, SGX cgroups, and NUMA aware EPC allocation. This driver is only updated for necessary security fixes. The in-kernel driver should be used whenever it is possible.
- Out-of-tree Driver (/dev/isgx): This driver is provided to support running Intel® SGX enclaves on platforms that only support Legacy Launch Control. It may also be installed on platforms configured with Flexible Launch Control; however, then these platforms will only load enclaves that conform to the Legacy Launch Control Policy.
Pre-check
Before we get started, it’s good to understand if your processor supports SGX.
Method:
$ cpuid -1 | grep -i sgx
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = false
Software Guard Extensions (SGX) capability (0x12/0):
SGX1 supported = true
SGX2 supported = false
SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false
SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
Install Steps
First Step: Out-of-Tree Driver Installation
The Out-of-Tree Driver is recommended for use on platforms that do not support or are not configured for Flexible Launch Control.
- Update the system first:
sudo apt update
sudo apt upgrade
- Install the Out-of-Tree Driver:
a.
Since the Out-of-Tree Driver is built from the driver package, install the required components that support the Intel® SGX PSW installation. Note: This command line contains modules needed beyond the Out-of-Tree Driver installation.
sudo apt-get install build-essential ocaml automake autoconf libtool
wget python libssl-dev
b.
Download the latest Intel® SGX Driver binary file from the distro directory: https://download.01.org/intel-sgx/latest/linux-latest/distro/ For example, to download the driver for Ubuntu server 20.04, use the following command:
wget - [https://download.01.org/intel-sgx/latest/linuxlatest/distro/ubuntu20.04-server/](https://download.01.org/intel-sgx/latest/linuxlatest/distro/ubuntu20.04-server/)
sgx_linux_x64_driver_2.11.0_0373e2e.bin
c.
Set the protections to allow for the .bin file execution:
chmod 777 sgx_linux_x64_driver_2.11.0_0373e2e.bin
d. Install the driver:
sudo ./ sgx_linux_x64_driver_2.11.0_0373e2e.bin
The installer also loads the Out-of-Tree Driver and sets it to auto-load when the system reboots.
NOTE:
After install, run commands:
sudo /sbin/depmod
sudo /sbin/modprobe isgx
If there’s a error like
ERROR: could not insert 'isgx': Required key not available.
Or:
no permission to load 'isgx'
you need to update BIOS setting
Set Intel ® SGX Control to “Enabled”
Set Secure Boot to “Disabled”
Second Step: Install SDK
- Install the prerequisite software.
sudo apt-get install build-essential python
- Download the Intel® SGX SDK and install it.
wget https://download.01.org/intel-sgx/sgx-linux/2.15.1/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.15.101.1.bin
chmod +x sgx_linux_x64_sdk_2.15.101.1.bin
sudo ./sgx_linux_x64_sdk_2.15.101.1.bin
source <User Input Path>/sgxsdk/environment
- Install the appropriate developer packages l
sudo apt-get install libsgx-enclave-common-dev libsgx-dcap-ql-dev libsgxdcap-default-qpl-dev
Last Step: Check Status
Go to sdk install path, like sgxsdk/SampleCode/SampleEnclave
make
./app
check output, if output likes
Checksum(0x0x7ffe1b63a710, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...
Bingo! We Done successful.
Intel_SGX_SW_Installation_Guide_for_Linux https://github.com/intel/linux-sgx-driver Error-Invalid-SGX-device/