# Setup Intel SGX

{% hint style="info" %}
Please ensure that you are using compliant hardware. You can check the list of supported hardware [here](https://docs.swisstronik.com/swisstronik-docs/node-setup/setup-sgx/supported-hardware).
{% endhint %}

## Configure BIOS

* Enable SGX
* Disable Secure Boot
* Disable Hyper Threading
* Disable Turbo Mode
* Enable CPU AES

## Install Intel SGX Driver

{% hint style="info" %}
If you have Linux kernel version 5.11 or higher, the Intel SGX driver is already included in the kernel and you can skip this step.
{% endhint %}

Go to [Intel Downloads page](https://download.01.org/intel-sgx/sgx-linux/2.22/distro/) and find your platform. Download the binary file, which should be named something like `sgx_linux_x64_driver_2.11.54c9c4c.bin` and install it. For example (on Ubuntu 22.04):

```bash
wget https://download.01.org/intel-sgx/sgx-linux/2.22/distro/ubuntu22.04-server/sgx_linux_x64_driver_2.11.54c9c4c.bin 
chmod +x sgx_linux_x64_driver_2.11.54c9c4c.bin
sudo ./sgx_linux_x64_driver_2.11.54c9c4c.bin
```

## Install Intel AESM service

### Ubuntu 22.04

Enable the Intel SGX APT repository and install the required packages.

```bash
echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/intel-sgx.list >/dev/null
curl -sSL "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key" | sudo -E apt-key add -
sudo apt update
sudo apt install sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin
```

To confirm that the AESM service was installed correctly, run:

```bash
sudo systemctl status aesmd.service
```

## Install all required libraries

### Ubuntu 22.04

Enable the Intel SGX APT repository and install required packages to run `swisstronikd`:

```bash
echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list >/dev/null
curl -sSL "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key" | sudo -E apt-key add -
sudo apt update
sudo apt install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin libsgx-dcap-ql libsnappy1v5 libsgx-dcap-quote-verify libsgx-dcap-default-qpl
```

After that you are ready to run `swisstronikd`.

## Verify SGX Setup

To make sure that your SGX setup is working, you can use the `sgx-detect` tool from the [sgxs-tools](https://lib.rs/crates/sgxs-tools) Rust package.

There are no pre-built packages for it, so you will need to compile it yourself.

### Install Dependencies

Make sure you have the following installed on your system:

* [GCC](https://gcc.gnu.org/);
* [Protobuf](https://github.com/protocolbuffers/protobuf) compiler;
* [pkg-config](https://www.freedesktop.org/wiki/Software/pkg-config);
* [OpenSSL](https://www.openssl.org/) development package.

On Fedora, you can install all the above with:

```bash
sudo dnf install gcc protobuf-compiler pkg-config openssl-devel
```

On Ubuntu, you can install all the above with:

```bash
sudo apt install gcc protobuf-compiler pkg-config libssl-dev
```

### Install [Rust](https://www.rust-lang.org/)

Install rustup by running:

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
```

### Build and Install sgxs-tools

```bash
cargo install sgxs-tools
```

### Run `sgx-detect` tool

After the installation completes, run `sgx-detect` to make sure that everything is set up correctly:

```bash
sudo $(which sgx-detect)
```

**Note**: If you don't run the `sgx-detect` tool as `root`, it might not have the necessary permissions to access the SGX kernel device.

When everything is working correctly, you should receive output similar to the following (some details may vary depending on hardware features):

```log
Detecting SGX, this may take a minute...
✔  SGX instruction set  
  ✔  CPU support  
  ✔  CPU configuration  
  ✔  Enclave attributes  
  ✔  Enclave Page Cache  
  SGX features
      ✔  SGX2  ✔  EXINFO  ✔  ENCLV  ✔  OVERSUB  ✔  KSS    
      Total EPC size: 92.8MiB
✘  Flexible launch control  
  ✔  CPU support  
  ？ CPU configuration  
  ✘  Able to launch production mode enclave
✔  SGX system software  
  ✔  SGX kernel device (/dev/isgx)  
  ✘  libsgx_enclave_common  
  ✔  AESM service  
  ✔  Able to launch enclaves    
    ✔  Debug mode    
    ✘  Production mode    
    ✔  Production mode (Intel whitelisted)
```

The important lines are the check marks under *Able to launch enclaves* for both *Debug mode* and *Production mode (Intel whitelisted)*.

In case you encounter errors, see the [list of common SGX installation issues](https://edp.fortanix.com/docs/installation/help/) for help.

### Common issues

#### Permission Denied When Accessing SGX Kernel Device

If running `sgx-detect --verbose` reports:

```log
SGX system software > SGX kernel device
Permission denied while opening the SGX device (/dev/sgx/enclave, /dev/sgx or
/dev/isgx). Make sure you have the necessary permissions to create SGX enclaves.
If you are running in a container, make sure the device permissions are
correctly set on the container.

debug: Error opening device: Permission denied (os error 13)
debug: cause: Permission denied (os error 13)
```

Ensure you are running the `sgx-detect` tool as `root` via:

```bash
sudo $(which sgx-detect) --verbose
```

#### Error Opening SGX Kernel Device

If running `sgx-detect --verbose` reports:

```log
SGX system software > SGX kernel device
The SGX device (/dev/sgx/enclave, /dev/sgx or /dev/isgx) could not be opened:
"/dev" mounted with `noexec` option.

debug: Error opening device: "/dev" mounted with `noexec` option
debug: cause: "/dev" mounted with `noexec` option
```

Ensure your system's `/dev` is NOT mounted with the `noexec` mount option.

#### Unable to Launch Enclaves

If running `sgx-detect --verbose` reports:

```log
SGX system software > Able to launch enclaves > Debug mode
The enclave could not be launched.

debug: failed to load report enclave
debug: cause: failed to load report enclave
debug: cause: Failed to map enclave into memory.
debug: cause: Operation not permitted (os error 1)
```

Ensure your system's `/dev` is NOT mounted with the `noexec` mount option.
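The checks this page asks you to make by hand before and after running `sgx-detect` (kernel 5.11+ so the driver install can be skipped, an SGX device node present, `/dev` not mounted `noexec`, `aesmd` running) can be scripted as a pre-flight. The script below is an added example and is not part of the Swisstronik or Oasis documentation; the function names and the `run` argument are the author's own, and the three device-node paths are the ones named in the `sgx-detect` messages above. Each check is a function that takes its input as an argument so it can be run against captured data as well as the live host.

```sh
#!/bin/sh
# sgx_preflight.sh: host-side checks for the SGX prerequisites described on this page.
# Added example, not part of the Swisstronik docs. Run as: sh sgx_preflight.sh run

# Return 0 when a kernel release string (e.g. "5.15.0-91-generic") is >= 5.11,
# i.e. the in-tree SGX driver is available and the .bin driver install can be skipped.
kernel_has_builtin_sgx() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 11 ]; }
}

# Print the first SGX device node found under root $1 (default "/"); return 1 if none.
# /dev/sgx_enclave is the in-tree driver's node, /dev/sgx/enclave an older in-tree
# layout, /dev/isgx the out-of-tree Intel driver's node.
sgx_device_node() {
    root=${1:-}
    for node in /dev/sgx_enclave /dev/sgx/enclave /dev/isgx; do
        if [ -e "$root$node" ]; then
            printf '%s\n' "$root$node"
            return 0
        fi
    done
    return 1
}

# Return 0 when the /dev entry in /proc/mounts-format text ($1) carries "noexec",
# the condition behind the "could not be opened" and "Failed to map enclave" errors above.
dev_mounted_noexec() {
    printf '%s\n' "$1" | awk '
        $2 == "/dev" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live pre-flight against the current host; only informational output, no changes made.
preflight() {
    kv=$(uname -r)
    if kernel_has_builtin_sgx "$kv"; then
        echo "kernel $kv: in-tree SGX driver expected, skip the .bin driver install"
    else
        echo "kernel $kv: older kernel, install the out-of-tree Intel SGX driver"
    fi
    # "sgx" and "sgx_lc" are the cpuinfo flags for SGX and flexible launch control.
    grep -qw sgx /proc/cpuinfo && echo "cpuinfo: sgx flag present" || echo "cpuinfo: no sgx flag (check BIOS 'Enable SGX')"
    grep -qw sgx_lc /proc/cpuinfo && echo "cpuinfo: sgx_lc flag present (flexible launch control)"
    if node=$(sgx_device_node); then
        echo "SGX device node: $node"
    else
        echo "no SGX device node found; check BIOS and driver installation"
    fi
    if dev_mounted_noexec "$(cat /proc/mounts)"; then
        echo "WARNING: /dev is mounted noexec; sgx-detect will fail to map enclaves"
    fi
    if systemctl is-active --quiet aesmd.service; then
        echo "aesmd: active"
    else
        echo "aesmd: not active (see 'Install Intel AESM service')"
    fi
}

case "${1:-}" in
    run) preflight ;;
esac
```

The kernel and mount checks parse strings rather than reading the host directly so they can be pointed at output copied from another machine (for instance a `uname -r` and `/proc/mounts` pasted from a node that fails `sgx-detect`). A missing device node with the `sgx` flag present usually means the driver step was skipped on a pre-5.11 kernel; a present node with a `noexec` warning matches the two `/dev` errors listed above.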
