Setup Intel SGX
Configure BIOS
Enable SGX
Disable Secure Boot
Disable Hyper Threading
Disable Turbo Mode
Enable CPU AES
Install Intel SGX Driver
Go to the Intel Downloads page and find your platform. Download the driver binary, which should be named something like sgx_linux_x64_driver_2.11.54c9c4c.bin, and install it. For example (on Ubuntu 22.04):
wget https://download.01.org/intel-sgx/sgx-linux/2.22/distro/ubuntu22.04-server/sgx_linux_x64_driver_2.11.54c9c4c.bin
chmod +x sgx_linux_x64_driver_2.11.54c9c4c.bin
sudo ./sgx_linux_x64_driver_2.11.54c9c4c.bin
Install Intel AESM service
Ubuntu 22.04
Enable the Intel SGX APT repository and install the required packages.
echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/intel-sgx.list >/dev/null
curl -sSL "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key" | sudo -E apt-key add -
sudo apt update
sudo apt install sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin
To confirm that the AESM service was installed correctly, run:
sudo systemctl status aesmd.service
Install all required libraries
Ubuntu 22.04
Enable the Intel SGX APT repository and install the packages required to run swisstronikd:
echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list >/dev/null
curl -sSL "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key" | sudo -E apt-key add -
sudo apt update
sudo apt install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin libsgx-dcap-ql libsnappy1v5 libsgx-dcap-quote-verify libsgx-dcap-default-qpl
After that you are ready to run swisstronikd.
Verify SGX Setup
To make sure that your SGX setup is working, you can use the sgx-detect tool from the sgxs-tools Rust package.
There are no pre-built packages for it, so you will need to compile it yourself.
Install Dependencies
Make sure the following are installed on your system: a C compiler (gcc), the protobuf compiler, pkg-config and the OpenSSL development headers.
On Fedora, you can install all the above with:
sudo dnf install gcc protobuf-compiler pkg-config openssl-devel
On Ubuntu, you can install all the above with:
sudo apt install gcc protobuf-compiler pkg-config libssl-dev
Install rustup by running:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
Build and Install sgxs-tools
cargo install sgxs-tools
Run sgx-detect tool
After the installation completes, run sgx-detect to make sure that everything is set up correctly:
sudo $(which sgx-detect)
Note: If you don't run the sgx-detect tool as root, it might not have the necessary permissions to access the SGX kernel device.
When everything is working correctly, you should receive output similar to the following (some details may vary depending on hardware features):
Detecting SGX, this may take a minute...
✔  SGX instruction set
  ✔  CPU support
  ✔  CPU configuration
  ✔  Enclave attributes
  ✔  Enclave Page Cache
  SGX features
    ✔  SGX2  ✔  EXINFO  ✔  ENCLV  ✔  OVERSUB  ✔  KSS
    Total EPC size: 92.8MiB
✔  Flexible launch control
  ✔  CPU support
  ？ CPU configuration
  ✔  Able to launch production mode enclave
✔  SGX system software
  ✔  SGX kernel device (/dev/isgx)
  ✔  libsgx_enclave_common
  ✔  AESM service
  ✔  Able to launch enclaves
    ✔  Debug mode
    ✔  Production mode
    ✔  Production mode (Intel whitelisted)
The important part is the checkmarks under Able to launch enclaves for both Debug mode and Production mode (Intel whitelisted).
In case you encounter errors, see the list of common SGX installation issues below for help.
Common issues
Permission Denied When Accessing SGX Kernel Device
If running sgx-detect --verbose reports:
SGX system software > SGX kernel device
Permission denied while opening the SGX device (/dev/sgx/enclave, /dev/sgx or /dev/isgx). Make sure you have the necessary permissions to create SGX enclaves. If you are running in a container, make sure the device permissions are correctly set on the container.
debug: Error opening device: Permission denied (os error 13)
debug: cause: Permission denied (os error 13)
Ensure you are running the sgx-detect tool as root via:
sudo $(which sgx-detect) --verbose
Error Opening SGX Kernel Device
If running sgx-detect --verbose reports:
SGX system software > SGX kernel device
The SGX device (/dev/sgx/enclave, /dev/sgx or /dev/isgx) could not be opened: "/dev" mounted with `noexec` option.
debug: Error opening device: "/dev" mounted with `noexec` option
debug: cause: "/dev" mounted with `noexec` option
Ensure your system's /dev is NOT mounted with the noexec mount option.
Unable to Launch Enclaves
If running sgx-detect --verbose reports:
SGX system software > Able to launch enclaves > Debug mode
The enclave could not be launched.
debug: failed to load report enclave
debug: cause: failed to load report enclave
debug: cause: Failed to map enclave into memory.
debug: cause: Operation not permitted (os error 1)
Ensure your system's /dev is NOT mounted with the noexec mount option.
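As an added example (not from this page or the Swisstronik project), the following POSIX shell preflight scripts the checks the verification and common-issues sections above have you do by hand: the sgx CPU flag (BIOS), the SGX device node (driver), a noexec mount on /dev, and the aesmd service. It assumes /proc/cpuinfo, /proc/mounts and systemctl are available; the /dev/sgx_enclave device name is taken from the in-tree Linux driver and is not on the page.

```shell
#!/bin/sh
# SGX host preflight (added example, not part of the Swisstronik docs).
# Each check is a function returning 0 (ok) / 1 (problem) and reading its
# input from stdin or an argument, so the checks can be exercised against
# constructed data as well as the live system.

# Does the /dev mount carry the noexec option?  Reads /proc/mounts-format
# lines on stdin: field 2 is the mount point, field 4 the option list.
dev_has_noexec() {
    awk '$2 == "/dev" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Does the CPU advertise SGX?  Reads /proc/cpuinfo-format text on stdin.
# A missing flag usually means SGX is disabled in the BIOS.
cpu_has_sgx() {
    grep -q -E '^flags[[:space:]]*:.*[[:space:]]sgx([[:space:]]|$)'
}

# Is an SGX kernel device node present?  $1 is a root prefix ("" for the
# live system).  Checks the out-of-tree driver (/dev/isgx), the DCAP layout
# (/dev/sgx/enclave) and the in-tree kernel driver (/dev/sgx_enclave; this
# name is assumed from upstream Linux, it is not on the page).
sgx_device_present() {
    root=${1:-}
    for d in "$root/dev/isgx" "$root/dev/sgx/enclave" "$root/dev/sgx_enclave"; do
        if [ -e "$d" ]; then echo "SGX device: $d"; return 0; fi
    done
    echo "no SGX device node under $root/dev" >&2
    return 1
}

# Run every check against the live system; returns non-zero on any failure.
run_preflight() {
    rc=0
    cpu_has_sgx < /proc/cpuinfo || { echo "FAIL: no sgx CPU flag (enable SGX in BIOS)"; rc=1; }
    sgx_device_present "" || { echo "FAIL: SGX driver not loaded"; rc=1; }
    dev_has_noexec < /proc/mounts && { echo "FAIL: /dev mounted noexec; enclaves cannot be mapped"; rc=1; }
    systemctl is-active --quiet aesmd.service 2>/dev/null || { echo "FAIL: aesmd.service not active"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: prerequisites look good; confirm with: sudo \$(which sgx-detect)"
    return "$rc"
}

# Invoke as: sh sgx-preflight.sh run   (without "run", only the functions are defined)
if [ "${1:-}" = "run" ]; then run_preflight; fi
```

Run it as root so the device-node check sees the same permissions sgx-detect will; a noexec /dev or a missing device node here explains the "Operation not permitted" and "Permission denied" errors listed above.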