Intel® Software Guard Extensions (SGX) is a hardware-based isolation and memory encryption mechanism provided by modern Intel® CPUs. Normally, it is disabled in the BIOS by the manufacture of your motherboard. In order to use it, the SGX option in the BIOS must be set to Enable or Software Controlled.
By setting the option to Enable, all of the SGX instructions and resources are available to applications, making it easy to deploy SGX related program on your machine. However, in some motherboards, the only available options in the BIOS are Software Controlled and Disable. According to the official document of Intel, Software Controlled indicates that Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”).
So now the question is, how to make this occurs? Actually, two functions are provided for us to enable SGX by program:
sgx_status_t sgx_is_capable(int *sgx_capable);
sgx_status_t sgx_cap_enable_device(sgx_device_status_t *sgx_device_status);
sgx_is_capable determines whether the system is capable of executing Intel SGX instructions under the current operating environment (Is secure boot disabled? Does your CPU support SGX?…) The return value is an indicator showing that whether the inquiry is successful. If it returns SGX_SUCCESS, the function successfully queried the SGX support characteristic of your machine and stored it into sgx_capable (of course, 1 means yes, 0 means no). A return of it is SGX_ERROR_NO_PRIVILEGE means the user has no root/administrator privilege. Any other return value means that the SGX capability of this machine could not be determined.
(Notes: Your Ubuntu must be installed and booted in UEFI mode)
sgx_cap_enable_device attempts the software opt-in for the SGX and set the final state of SGX in sgx_device_status. This is a mandatory procedure for Software Controlled motherboards to fully enable the SGX. The meaning of the return value is identical to that of sgx_is_capable. And the inquiry result will be stored into sgx_device_status only if the software opt-in is attempted.
The meaning of the output value is listed here:
- SGX_ENABLED = 0
- SGX_DISABLED_REBOOT_REQUIRED = 1, /* A reboot is required to finish enabling SGX */
- SGX_DISABLED_LEGACY_OS = 2, /* SGX is disabled and a Software Control Interface is not available to enable it */
- SGX_DISABLED = 3, /* SGX is not enabled on this platform. More details are unavailable. */
- SGX_DISABLED_SCI_AVAILABLE = 4, /* SGX is disabled, but a Software Control Interface is available to enable it */
- SGX_DISABLED_MANUAL_ENABLE = 5, /* SGX is disabled, but can be enabled manually in the BIOS setup */
- SGX_DISABLED_HYPERV_ENABLED = 6, /* Detected an unsupported version of Windows* 10 with Hyper-V enabled */
- SGX_DISABLED_UNSUPPORTED_CPU = 7, /* SGX is not supported by this CPU */
Now using these functions, we can write the following sample code to fully enable the software controlled SGX:
enable_sw_sgx.cpp
#include <stdio.h>
#include "../../../common/inc/sgx_capable.h"
int main()
{
int is_sgx_capable = 0;
sgx_device_status_t status;
sgx_is_capable(&is_sgx_capable);
printf("is_sgx_capable: %d\n", is_sgx_capable);
sgx_cap_enable_device(&status);
printf("status: %d\n", (int)status);
return 0;
}
In order to compile the above code, we need to tell the compiler where the two functions are. Actually, they are declared in linux-sgx/common/inc/sgx_capable.h, and their implementations are in linux-sgx/sdk/libcapable/linux/. Here linux-sgx is this Github repository.
As the libcapable rely on some other libraries in the repo, we need to compile it to a dynamic link library first by simply running
$ make
inside the linux-sgx/sdk/libcapable/linux/ directory. Then there should be a libsgx_capable.so library in this directory. Now save your enable_sw_sgx.cpp inside the same directory and compile it with the following command:
$ gcc enable_sw_sgx.cpp -o enable_sw_sgx -L. -lsgx_capable
$ sudo LD_LIBRARY_PATH=. ./C
Now the output should be
$ sudo LD_LIBRARY_PATH=. ./enable_sw_sgx
is_sgx_capable: 1
status: 1
Let’s give a review of the meaning of sgx_device_status. 1 is SGX_DISABLED_REBOOT_REQUIRED, which means A reboot is required to finish enabling SGX. And after rebooting your machine, if no error occurs, you may run enable_sw_sgx again and the output should be
$ sudo LD_LIBRARY_PATH=. ./enable_sw_sgx
is_sgx_capable: 1
status: 0
This indicates that SGX is fully enabled in your system. Now you can start any work with SGX enabled.