Setup Intel SGX

Please ensure, that you are using compliant hardware. You can check the list of supported hardware here.

Configure BIOS

  • Enable SGX

  • Disable Secure Boot

  • Disable Hyper Threading

  • Disable Turbo Mode

  • Enable CPU AES

Install Intel SGX Driver

If you have Linux kernel version 5.11 or higher, Intel SGX Driver is already included and you can skip this step.

Go to Intel Downloads page and find your platform. Download the binary file, which should be named something like sgx_linux_x64_driver_2.11.54c9c4c.bin and install it. For example (on Ubuntu 22.04):

wget https://download.01.org/intel-sgx/sgx-linux/2.22/distro/ubuntu22.04-server/sgx_linux_x64_driver_2.11.54c9c4c.bin 
chmod +x sgx_linux_x64_driver_2.11.54c9c4c.bin
sudo ./sgx_linux_x64_driver_2.11.54c9c4c.bin

Install Intel AESM service

Ubuntu 22.04

Enable the Intel SGX APT repository and install the required packages.

echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/intel-sgx.list >/dev/null
curl -sSL "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key" | sudo -E apt-key add -
sudo apt update
sudo apt install sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin

To confirm that AESM service was installed correctly, run:

sudo systemctl status aesmd.service

Install all required libraries

Ubuntu 22.04

Enable the Intel SGX APT repository and install required packages to run swisstronikd:

echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list >/dev/null
curl -sSL "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key" | sudo -E apt-key add -
sudo apt update
sudo apt install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin libsgx-quote-ex libsgx-dcap-ql libsnappy1v5 libsgx-dcap-quote-verify libsgx-dcap-default-qpl

After that you are ready to run swisstronikd.

Verify SGX Setup

In order to make sure that your SGX setup is working, you can use the sgx-detect tool from the sgxs-tools Rust package.

There are no pre-built packages for it, so you will need to compile it yourself.

Install Dependencies​

Make sure you have the following installed on your system:

On Fedora, you can install all the above with:

sudo dnf install gcc protobuf-compiler pkg-config openssl-devel

On Ubuntu, you can install all the above with:

sudo apt install gcc protobuf-compiler pkg-config libssl-dev

Install Rust​

Install rustup by running:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"

Build and Install sgxs-tools​

cargo install sgxs-tools

Run sgx-detect tool​

After the installation completes, run sgx-detect to make sure that everything is set up correctly:

sudo $(which sgx-detect)

Note: If you don't run the sgx-detect tool as root, it might not have the necessary permissions to access the SGX kernel device.

When everything is working correctly, you should receive output similar to the following (some details may vary depending on hardware features):

Detecting SGX, this may take a minute...
βœ”  SGX instruction set  
  βœ”  CPU support  
  βœ”  CPU configuration  
  βœ”  Enclave attributes  
  βœ”  Enclave Page Cache  
  SGX features
      βœ”  SGX2  βœ”  EXINFO  βœ”  ENCLV  βœ”  OVERSUB  βœ”  KSS    
      Total EPC size: 92.8MiB
✘  Flexible launch control  
  βœ”  CPU support  
  ? CPU configuration  
  ✘  Able to launch production mode enclave
βœ”  SGX system software  
  βœ”  SGX kernel device (/dev/isgx)  
  ✘  libsgx_enclave_common  
  βœ”  AESM service  
  βœ”  Able to launch enclaves    
    βœ”  Debug mode    
    ✘  Production mode    
    βœ”  Production mode (Intel whitelisted)

The important part is the checkbox under Able to launch enclaves in both Debug mode and Production mode (Intel whitelisted).

In case you encounter errors, see the list of common SGX installation issues for help.

Common issues

Permission Denied When Accessing SGX Kernel Device​

If running sgx-detect --verbose reports:

SGX system software > SGX kernel devicePermission denied while opening the SGX device (/dev/sgx/enclave, /dev/sgx or/dev/isgx). Make sure you have the necessary permissions to create SGX enclaves.If you are running in a container, make sure the device permissions arecorrectly set on the container.debug: Error opening device: Permission denied (os error 13)debug: cause: Permission denied (os error 13)

Ensure you are running the sgx-detect tool as root via:

sudo $(which sgx-detect) --verbose

Error Opening SGX Kernel Device​

If running sgx-detect --verbose reports:

SGX system software > SGX kernel deviceThe SGX device (/dev/sgx/enclave, /dev/sgx or /dev/isgx) could not be opened:"/dev" mounted with `noexec` option.debug: Error opening device: "/dev" mounted with `noexec` optiondebug: cause: "/dev" mounted with `noexec` option

Ensure your system's /dev is NOT mounted with the noexec mount option.

Unable to Launch Enclaves​.

If running sgx-detect --verbose reports:

SGX system software > Able to launch enclaves > Debug modeThe enclave could not be launched.debug: failed to load report enclavedebug: cause: failed to load report enclavedebug: cause: Failed to map enclave into memory.debug: cause: Operation not permitted (os error 1)

Ensure your system's /dev is NOT mounted with the noexec mount option.

PreviousSupported HardwareNextSetup node

Last updated