intel / linux-sgx

Intel SGX for Linux*
https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/linux-overview.html

NUC7CJYH missing FLC support #1030

Closed flnnhuman closed 7 months ago

flnnhuman commented 7 months ago

Just got my NUC7CJYH. It was stated at https://www.intel.com/content/www/us/en/support/articles/000057420/software/intel-security-products.html that this kit supports SGX2 and FLC, but after the kernel 5.15 install it seems like the driver is failing to launch with the following error:

Apr 18 11:24:44 sgx aesm_service[6231]: [get_driver_type edmm_utility.cpp:116] Failed to open Intel SGX device.
Apr 18 11:24:44 sgx aesm_service[6231]: [get_driver_type edmm_utility.cpp:116] Failed to open Intel SGX device.
Apr 18 11:24:44 sgx aesm_service[6231]: [get_driver_type edmm_utility.cpp:116] Failed to open Intel SGX device.
Apr 18 11:24:44 sgx aesm_service[6231]: [load_qe ../qe_logic.cpp:721] Error, call sgx_create_enclave QE fail [load_qe], SGXError:2006.
Apr 18 11:24:44 sgx aesm_service[6231]: Failed to load QE3: 0x2006
Apr 18 11:24:44 sgx aesm_service[6231]: The server sock is 0x56048e35edb0
Apr 18 11:24:44 sgx aesm_service[6231]: [get_driver_type edmm_utility.cpp:116] Failed to open Intel SGX device.

After running test-sgx I can see "IA32_FEATURE_CONTROL.SGX_LAUNCH_CONTROL[bit 17] (Is the SGX LE PubKey writable?): 0", which means FLC is disabled in the BIOS, and there isn't an option in the BIOS to enable it specifically.

CPUID is available
The CPU is Genuine Intel
CPUID is capable of examining SGX capabilities
CPU: Intel(R) Celeron(R) J4005 CPU @ 2.00GHz
Stepping 1 Model 10 Family 6 Processor type 0 Extended model 7 Extended family 0
Safer Mode Extensions (SMX): 0
Extended feature bits (EAX=7, ECX=0): eax: 00000000 ebx: 2294e287 ecx: 40400004 edx: ac000400
Supports SGX
SGX Launch Configuration (SGX_LC): 1
SGX Attestation Services (SGX_KEYS): 0
SGX1 leaf instructions (SGX1): 1
SGX2 leaf instructions (SGX2): 1
EINCVIRTCHILD, EDECVIRTCHILD, and ESETCONTEXT (OVERSUB-VMX): 0
ETRACKC, ERDINFO, ELDBC, and ELDUC (OVERSUB-Supervisor): 0
EVERIFYREPORT2: 0
Allow attestation w/ updated microcode (EUPDATESVN): 0
Allow enclave thread to decrement TCS.CSSA (EDECCSSA): 0
Supported Extended features for MISC region of SSA (MISCSELECT) 0x00000001
The maximum supported enclave size in non-64-bit mode is 2^31
The maximum supported enclave size in 64-bit mode is 2^36
Raw ECREATE SECS.ATTRIBUTES[63:0]: 00000000 00000036
ECREATE SECS.ATTRIBUTES[DEBUG] (Debugger can read/write enclave data w/ EDBGRD/EDBGWR): 1
ECREATE SECS.ATTRIBUTES[MODE64BIT] (Enclave can run as 64-bit): 1
ECREATE SECS.ATTRIBUTES[PROVISIONKEY] (Provisioning key available from EGETKEY): 1
ECREATE SECS.ATTRIBUTES[EINITTOKEN_KEY] (EINIT token key available from EGETKEY): 1
ECREATE SECS.ATTRIBUTES[CET] (Enable Control-flow Enforcement Technology in enclave): 0
ECREATE SECS.ATTRIBUTES[KSS] (Key Separation and Sharing Enabled): 0
ECREATE SECS.ATTRIBUTES[AEXNOTIFY] (Threads may receive AEX notifications): 0
Raw ECREATE SECS.ATTRIBUTES[127:64] (XFRM: Copy of XCR0): 00000000 0000001b
EPC[0]: Protection: ci Base phys addr: 0000000070200000 size: 0000000005e00000
vDSO base address: 0x7ffeda18b000
Printing Symbol Table:
vDSO symbol: __vdso_time
vDSO symbol: getcpu
vDSO symbol: vdso_clock_getres
vDSO symbol: vdso_getcpu
vDSO symbol: clock_getres
vDSO symbol: vdso_gettimeofday
vDSO symbol: LINUX_2.6
vDSO symbol: gettimeofday
vDSO symbol: vdso_clock_gettime
vDSO symbol: time
vDSO symbol: __vdso_sgx_enter_enclave
vDSO symbol: clock_gettime
Raw IA32_FEATURE_CONTROL: 0000000000040005
IA32_FEATURE_CONTROL.LOCK_BIT[bit 0]: 1
IA32_FEATURE_CONTROL.SGX_LAUNCH_CONTROL[bit 17] (Is the SGX LE PubKey writable?): 0
IA32_FEATURE_CONTROL.SGX_GLOBAL_ENABLE[bit 18]: 1
The SGX Launch Enclave Public Key Hash can NOT be changed
IA32_SGXLEPUBKEYHASH: a6053e051270b7ac 6cfbe8ba8b3b413d c4916d99f2b3735d d4f8c05909f9bb3b
Raw IA32_SGX_SVN_STATUS: 0000000000000001
MSR_SGXOWNEREPOCH not readable
XSAVE features and state-components
Maximum size (in bytes) of current XCR0 XSAVE area: 1088
Maximum size (in bytes) of all-set XCR0 XSAVE area: 1088
Size (in bytes) of current XCR0+IA32_XSS XSAVE area: 704
Supported XCR0: 000000000000001b
Actual XCR0: 000000000000001b
Supported IA32_XSS: 0000000000000100
Actual IA32_XSS: 0000000000000000
Register  Name        Supported  Value  Description
========  =======     =========  =====  ===========
XCR0      x87:        yes        set    x87 Floating Point Unit & MMX
XCR0      SSE:        yes        set    MXCSR and XMM registers
XCR0      AVX:        no         clear  YMM registers
XCR0      BNDREG:     yes        set    MPX for BND registers
XCR0      BNDCSR:     yes        set    MPX for BNDCFGU and BNDSTATUS registers
XCR0      opmask:     no         clear  AVX-512 for AVX opmask and AKA k-mask
XCR0      ZMM_hi256:  no         clear  AVX-512 for the upper-halves of lower ZMM registers
XCR0      Hi16_ZMM:   no         clear  AVX-512 for the upper ZMM registers
IA32_XSS  PT:         yes        clear  Processor Trace
XCR0      PKRU:       no         clear  User Protection Keys
IA32_XSS  PASID:      no         clear  Process Address Space ID
IA32_XSS  CET_U:      no         clear  Control-flow Enforcement Technology: user-mode functionality MSRs
IA32_XSS  CET_S:      no         clear  CET: shadow stack pointers for rings 0,1,2
IA32_XSS  HDC:        no         clear  Hardware Duty Cycling
IA32_XSS  UINTR:      no         clear  User-Mode Interrupts
IA32_XSS  LBR:        no         clear  Last Branch Record
IA32_XSS  HWP:        no         clear  Hardware P-state control
XCR0      TILECFG:    no         clear  AMX - Advanced Matrix Extensions
XCR0      TILEDATA:   no         clear  AMX - Advanced Matrix Extensions
XCR0      APX:        no         clear  Extended General Purpose Registers R16-R31
Supported XSAVE feature flags: 0000000f
xsaveopt - save state-components that have been modified since last XRSTOR: 1
xsavec - save/restore state with compaction: 1
xgetbv_ecx1 - XGETBV with ECX=1 support: 1
xss - save/restore state with compaction, including supervisor state: 1
xfd - Extended Feature Disable supported: 0
End test-sgx

flnnhuman commented 7 months ago

Updated my BIOS from version 0027 to version 0072 and got it working:

IA32_FEATURE_CONTROL.SGX_LAUNCH_CONTROL[bit 17] (Is the SGX LE PubKey writable?): 1
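The two comments above together show the whole diagnosis: CPUID says the silicon has SGX_LC, but firmware locked IA32_FEATURE_CONTROL with bit 17 clear, so the in-tree driver never creates the device that aesm_service tries to open. The following decoder is an added example, not part of the issue or the linux-sgx project; the CPUID words and the 0x40005 MSR value are copied from the test-sgx dump above, while 0x60005 (bit 17 set) is an assumed value standing in for the post-update state, and the /dev/cpu/0/msr read is an optional extra that needs root and the msr module.

```c
/* Decode CPUID.07H and IA32_FEATURE_CONTROL as test-sgx reports them and say whether
 * the Flexible Launch Control (FLC) requirement of the in-tree Linux SGX driver is met. */
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define IA32_FEATURE_CONTROL 0x3A   /* architectural MSR index */

enum flc_state { NO_SGX, NO_SGX_LC, SGX_GLOBAL_DISABLED, FLC_OFF, FLC_ON };

/* ebx/ecx: CPUID(EAX=7,ECX=0) outputs; fc: raw IA32_FEATURE_CONTROL value. */
enum flc_state diagnose_flc(uint32_t ebx, uint32_t ecx, uint64_t fc) {
    int sgx    = (ebx >> 2) & 1;    /* CPUID.07H:EBX[2]  SGX present */
    int sgx_lc = (ecx >> 30) & 1;   /* CPUID.07H:ECX[30] SGX_LC: silicon supports FLC */
    int enable = (fc >> 18) & 1;    /* bit 18: SGX_GLOBAL_ENABLE */
    int lc     = (fc >> 17) & 1;    /* bit 17: SGX_LAUNCH_CONTROL, LE pubkey hash writable */
    if (!sgx)    return NO_SGX;
    if (!sgx_lc) return NO_SGX_LC;
    if (!enable) return SGX_GLOBAL_DISABLED;
    return lc ? FLC_ON : FLC_OFF;   /* bit 0 (LOCK) set by firmware: the OS cannot flip bit 17 */
}

static const char *const flc_text[] = {
    "CPU does not report SGX",
    "CPU lacks SGX_LC: FLC impossible on this silicon",
    "SGX globally disabled by firmware (bit 18 clear)",
    "SGX on, FLC off: LE pubkey hash fixed, in-tree driver disables itself, no /dev/sgx_enclave",
    "FLC on: driver can load enclaves",
};

/* Live read of IA32_FEATURE_CONTROL on cpu0 via the msr driver (needs root and the
 * msr module); returns 0 on success, -1 if unavailable. */
int read_feature_control(uint64_t *out) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, IA32_FEATURE_CONTROL, SEEK_SET) == IA32_FEATURE_CONTROL
          && read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    uint32_t ebx = 0x2294e287, ecx = 0x40400004;    /* CPUID words from the issue's dump */
    uint64_t fc_0027 = 0x40005, fc_0072 = 0x60005;  /* 0027: from the dump; 0072: assumed, bit 17 set */
    printf("BIOS 0027: %s\n", flc_text[diagnose_flc(ebx, ecx, fc_0027)]);
    printf("BIOS 0072: %s\n", flc_text[diagnose_flc(ebx, ecx, fc_0072)]);
    uint64_t live;  /* this host's MSR, decoded with the issue's CPUID words; swap in your own */
    if (read_feature_control(&live) == 0)
        printf("this host: 0x%llx -> %s\n", (unsigned long long)live, flc_text[diagnose_flc(ebx, ecx, live)]);
    return 0;
}
```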