
Enhancing Security at the Edge - Intel® Software Guard Extensions (Intel® SGX) compatibility check

Fernando_Silva_Intel

Confidential computing has become an essential requirement for a set of use cases where sensitive workloads need to be protected at runtime. Intel® SGX helps achieve runtime protection through memory isolation: so-called enclaves separate workloads from each other and restrict access to those workloads, even from privileged software such as the operating system and virtual machine managers.

This article helps developers and users use Intel’s specification database website to verify Intel® SGX compatibility for a given processor, highlights the memory topology and Unified Extensible Firmware Interface (UEFI) firmware settings that are required, and provides details on how to check whether Intel® SGX is enabled on a running Linux system.

Processor specifications

A list of Intel® SGX capable processors is provided at https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions-processors.html

Intel also provides specifications for its products via a database available at https://ark.intel.com. The user interface on the website has a “Search specifications” text box that can be used to verify the details of a particular model, if it is already known. The search parameter can also combine other desired features.

To list all models or SKUs that are compatible with a given feature, it is possible to use the “Find products by feature” button.

[Screenshot: the “Find products by feature” button on ark.intel.com]

This opens the Advanced Search, where filters can be used, as in the example in the picture below, to find Intel® Xeon® products with Intel® SGX compatibility.

[Screenshot: Advanced Search filtered to Intel® Xeon® products with Intel® SGX]

Examples of Intel® SGX capable processors are the Intel® Xeon® Platinum 8470 Processor (https://ark.intel.com/content/www/us/en/ark/products/231728/intel-xeon-platinum-8470-processor-105m-cache-2-00-ghz.html) and the Intel® Xeon® Gold 6534 Processor (https://ark.intel.com/content/www/us/en/ark/products/237555/intel-xeon-gold-6534-processor-22-5m-cache-3-90-ghz.html).

Under the Security & Reliability section of the Platinum 8470 product specifications page, we can see that Intel® SGX is supported with Intel® SPS firmware and that the maximum Enclave Page Cache (EPC) size is 512 GB.

[Screenshot: Security & Reliability section of the product specifications page]

The Enclave Page Cache (EPC) is the protected memory region the processor uses to hold pages that belong to an executing enclave.

Memory Requirements

While searching for a compatible system, it is also important to make sure the proper memory topology is used. On servers, slot 0 of every memory channel usually needs to be populated to properly enable Intel® SGX.

More information is available in the following support article: https://www.intel.com/content/www/us/en/support/articles/000088289/software/intel-security-products.html

UEFI Settings

With the proper hardware configuration in place, it is time to enable the Unified Extensible Firmware Interface (UEFI) settings needed by Intel® SGX.

UEFI settings differ between system builders, so engaging with the supplier to get the appropriate settings for their system is recommended.

The following support article highlights the settings for one of the Intel® Server System models and can be used as a starting point: https://www.intel.com/content/www/us/en/support/articles/000087972/server-products/single-node-servers.html

Linux tools

The example in this article uses a Linux-based operating system. Built-in tools in a terminal session can be used to check for the Intel® SGX capability flags:

grep --color -E "sgx" /proc/cpuinfo

Similar output should be displayed if the system supports Intel® SGX and the feature is enabled in firmware; the kernel does not report the flag when Intel® SGX is disabled in UEFI.

[Screenshot: grep output highlighting the sgx flags in /proc/cpuinfo]
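The grep above is a one-off check. The script below is an added example, not code from the original article, that goes a little further: it parses a cpuinfo-style file for the two flags the Linux kernel exposes (`sgx` and `sgx_lc`, the latter being Flexible Launch Control, which the upstream in-kernel driver requires) and looks for the `/dev/sgx_enclave` and `/dev/sgx_provision` device nodes that the driver creates. The two sample cpuinfo excerpts are constructed so the check can be run offline; the last call inspects the live `/proc/cpuinfo`.

```shell
#!/bin/sh
# Added example, not code from the original article: inspect a /proc/cpuinfo-style
# file for the Intel SGX capability flags the Linux kernel exposes, plus the
# device nodes created by the in-kernel SGX driver (Linux 5.11 and later).

# Print the SGX-related flags ("sgx", "sgx_lc") found in the first "flags" line
# of the given file, space-separated; prints nothing when none are present.
sgx_flags_in() {
    grep -m1 '^flags' "$1" 2>/dev/null | tr ' ' '\n' | grep -Ex 'sgx|sgx_lc' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Report SGX support from a cpuinfo file (default: the live /proc/cpuinfo).
# Exit status 0 when the "sgx" flag is present, 1 otherwise.
sgx_status() {
    cpuinfo="${1:-/proc/cpuinfo}"
    flags=$(sgx_flags_in "$cpuinfo")
    case " $flags " in
        *" sgx "*) echo "Intel SGX: reported in $cpuinfo ($flags)" ;;
        *) echo "Intel SGX: not reported in $cpuinfo (check the UEFI setting and memory population)"
           return 1 ;;
    esac
    case " $flags " in
        *" sgx_lc "*) echo "Flexible Launch Control (sgx_lc): present" ;;
        *) echo "Flexible Launch Control (sgx_lc): absent; the upstream Linux driver requires it" ;;
    esac
    # With SGX enabled in firmware, the in-kernel driver creates these character devices.
    for dev in /dev/sgx_enclave /dev/sgx_provision; do
        if [ -c "$dev" ]; then echo "$dev: present"; else echo "$dev: missing"; fi
    done
    return 0
}

# Constructed sample excerpts (not real captures) so the check can be demonstrated offline.
SAMPLE_SGX=$(mktemp)
SAMPLE_NOSGX=$(mktemp)
trap 'rm -f "$SAMPLE_SGX" "$SAMPLE_NOSGX"' EXIT
printf 'processor\t: 0\nflags\t\t: fpu vme sse4_2 avx2 sgx sgx_lc\n' > "$SAMPLE_SGX"
printf 'processor\t: 0\nflags\t\t: fpu vme sse4_2 avx2\n' > "$SAMPLE_NOSGX"

echo "--- constructed SGX-capable sample ---"
sgx_status "$SAMPLE_SGX"
echo "--- constructed sample without SGX ---"
sgx_status "$SAMPLE_NOSGX" || true
echo "--- this machine ---"
sgx_status || true
```

A non-zero exit from `sgx_status` on a processor that ARK lists as Intel® SGX capable usually points at the UEFI setting or the memory population described above rather than at the CPU itself.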

Notices and Disclaimers

Intel technologies may require enabled hardware, software or service activation.

No product or component can be absolutely secure.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries.  Other names and brands may be claimed as the property of others.
