topic Re: Why is "Software Guard Extensions supported = false"? in Intel® Software Guard Extensions (Intel® SGX)

Why is "Software Guard Extensions supported = false"?

rrsakura — Thu, 05 Dec 2024 12:48:15 GMT

My CPU is an Intel® Core™ i7-10700 Processor, and it shows support for SGX:

Intel® Software Guard Extensions (Intel® SGX) Yes with Intel® ME.

I have also set SGX to Software Controlled in the BIOS and booted the BIOS in UEFI mode.

However, when I run "cpuid | grep -i sgx" in the virtual machine, the output is:

SGX: Software Guard Extensions supported = false

SGX_LC: SGX launch config supported = false

Software Guard Extensions (SGX) capability (0x12/0):

SGX1 supported = false

SGX2 supported = false

SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false

SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false

Why are all the values showing as "false"?

Re: Why is "Software Guard Extensions supported = false"?

Scott_R_Intel — Thu, 05 Dec 2024 14:01:54 GMT

Hello.

"Software Controlled" mode means a piece of software has to write to a specific UEFI variable and reboot before SGX is actually enabled. You should set SGX to "Enabled" in the BIOS if you want it to actually be enabled without using the aforementioned app to enable.

Re: Why is "Software Guard Extensions supported = false"?

rrsakura — Fri, 06 Dec 2024 01:44:15 GMT

Hello, after setting SGX to "Enabled" in the BIOS, I am still encountering the above situation.

Additionally, when I try to install the SGX driver "sgx_linux_x64_driver_1.41.bin", the following error appears:

Creating symlink /var/lib/dkms/sgx/1.41/source -> /usr/src/sgx-1.41

Kernel preparation unnecessary for this kernel. Skipping...

Building module:

cleaning build area...

'make' KDIR=/lib/modules/6.8.0-49-generic/build...(bad exit status: 2)

Failed to build driver.

DKMS make.log for sgx-1.41 for kernel 6.8.0-49-generic (x86_64)

Makefile:24: *** Can't install DCAP SGX driver with inkernel SGX support.  Stop.

Is there any solution to this?

Re: Why is "Software Guard Extensions supported = false"?

n_scott_pearson — Fri, 06 Dec 2024 01:54:49 GMT

There is always the possibility that the BIOS has a bug in it. Have you checked to see if there are any BIOS updates for your motherboard/system?

Hope this helps,

...S

Re: Why is "Software Guard Extensions supported = false"?

rrsakura — Fri, 06 Dec 2024 07:16:39 GMT

Hello, I encountered a new issue. After configuring SGX and PCCS, when I run the command "PCKIDRetrievalTool", it reports an error:

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.22.100.3 Warning: platform manifest is not available or current platform is not multi-package platform. the pccs_url setting coming from network_setting.conf, and the value is: https://localhost:8081/sgx/certification/v4/platforms. the use_secure_cert setting coming from network_setting.conf, and the value is: FALSE. the user_token setting coming from network_setting.conf, and the value is: *** (actual value hidden). the proxy_type setting coming from network_setting.conf, and the value is: DIRECT. Error: the input password is not correct. pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

Another window running "node pccs_server.js" also reports an error:

2024-12-06 06:49:46.285 [info]: HTTPS Server is running on: https://localhost:8081 2024-12-06 06:49:55.733 [info]: Client Request-ID : 759dc7c1f52e4a0fae468a5b6d0399d3 2024-12-06 06:49:55.742 [error]: Error: Authentication failed. at validateUser (file:///opt/intel/pccs/middleware/auth.js:45:13) at Layer.handle [as handle_request] (/opt/intel/pccs/node_modules/express/lib/router/layer.js:95:5) at next (/opt/intel/pccs/node_modules/express/lib/router/route.js:144:13) at Route.dispatch (/opt/intel/pccs/node_modules/express/lib/router/route.js:114:3) at Layer.handle [as handle_request] (/opt/intel/pccs/node_modules/express/lib/router/layer.js:95:5) at /opt/intel/pccs/node_modules/express/lib/router/index.js:284:15 at Function.process_params (/opt/intel/pccs/node_modules/express/lib/router/index.js:346:12) at next (/opt/intel/pccs/node_modules/express/lib/router/index.js:280:10) at /opt/intel/pccs/node_modules/body-parser/lib/read.js:137:5 at AsyncResource.runInAsyncScope (node:async_hooks:203:9) at invokeCallback (/opt/intel/pccs/node_modules/raw-body/index.js:238:16) at done (/opt/intel/pccs/node_modules/raw-body/index.js:227:7) at IncomingMessage.onEnd (/opt/intel/pccs/node_modules/raw-body/index.js:287:7) at IncomingMessage.emit (node:events:525:35) at endReadableNT (node:internal/streams/readable:1358:12) at processTicksAndRejections (node:internal/process/task_queues:83:21) 2024-12-06 06:49:55.746 [info]: XXX.XXX.XXX.XXX - - [06/Dec/2024:06:49:55 +0000] "POST /sgx/certification/v4/platforms HTTP/1.1" 401 22 "-" "-"

Could you please clarify what the "input password" is? I have already subscribed to the Intel API keys and written the primary key into config/default.json. Where exactly should I input the password?

Re: Why is "Software Guard Extensions supported = false"?

Scott_R_Intel — Fri, 06 Dec 2024 13:50:14 GMT

In the PCCS config file (/opt/intel/sgx-dcap-pccs/config/default.json), there are two fields that are passwords: "UserTokenHash" and "AdminTokenHash". These are asked for during the initial install/setup script of the PCCS and stored. You can manually create password hashes to add to the config file after installation with the command line below (as found in the PCCS install script):

MY_PASSWORD | sha512sum | tr -d '[:space:]-'

Regards.

Re: Why is "Software Guard Extensions supported = false"?

rrsakura — Tue, 10 Dec 2024 07:57:55 GMT

Thank you very much for your response.

After the password issue was resolved, a new error occurred:

Error: unexpected error occurred while sending data to cache server.

The error message from the PCCS side is:

2024-12-10 07:38:08.098 [info]: Client Request-ID : 2b6c52bfa29f42b3b8fe79b0f584fb41 2024-12-10 07:38:09.630 [info]: Request-ID is : 4099e5a5eceb4a25b1bceaab042360d5 2024-12-10 07:38:09.631 [debug]: Request URL https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts 2024-12-10 07:38:09.631 [error]: Intel PCS server returns error(404). 2024-12-10 07:38:09.631 [error]: Intel PCS server returns error. Error code : 404 2024-12-10 07:38:09.632 [error]: Error: No cache data for this platform.

I encountered the same issue while conducting another experiment to access PCCS, and I am quite unsure about the cause. Could you please explain what might be causing the "No cache data" error?

Re: Why is "Software Guard Extensions supported = false"?

rrsakura — Thu, 12 Dec 2024 08:38:48 GMT

By the way, my PCCS service is running in a container using the intel/pccs image. I have looked at some past solutions for the same issue, which mention that PCCS cannot be started in a virtual machine. Does this also mean it cannot be started in a container?

Re: Why is "Software Guard Extensions supported = false"?

Scott_R_Intel — Wed, 18 Dec 2024 16:35:59 GMT

Can you please run the following and provide the output? Thanks.

(for Ubuntu)

sudo apt install msr-tools ; sudo modprobe msr cpuid -1 -r -l 1 sudo rdmsr 0x00000017 -f 52:50