when testing our SGX based solution I came across 1 Lenovo machine (Think Pad Carbon x1 5th Generation Serial number PF0ZHP95 Type 20HR002MGE BIOS Version: N1MET42W 1.27, Windows 10 1709 Build 16299.251, Fully updated SGX drivers) that unlike others exhibits the below behavior.
BIOS SGX setting is set to ENABLED. The UMDF device driver of our product hangs upon any sgx call until it times out and system continues with starting the OS. After logon the device can be successfully started. When the BIOS setting is set to DISABLED and then on next boot to ENABLED again this issue does not happen and UMDF driver starts fine.
There is also a fingerprint reader using SGX that works fine. (Disabling the fingerpint device makes no difference though)
Is there a way to generate a better diagnostic messages? Or is there a know issue with OEM vendors switching SGX on?
Any help is much appreciated,
What is the version of SGX that is installed?
> The UMDF device driver of our product hangs upon any sgx call
There are a few possibilities here. The following may help debug:
1) Call sgx_destroy_enclave(0). The call will fail because 0 is an invalid enclave id, but it should return right away. There should be no interactions with the AESM.
2) Call sgx_enable_device(). This call will use the AESM (but not the network).
Some of the other APIs may end up using the network. Depending on your system and network proxy settings, these may timeout.
Which call(s) is timing out?
And to confirm, after you reboot then there is no issue?
I try namely sgx_enable_device or sgx_create_enclave. Both calls hang for cca 20 - 30 seconds and then the process that calls them is killed by OS and boot continues.
The hang happens after every hard-reboot with one exception - when I disable and enable SGX in BIOS it will not happen. But the next time if I am not doing disable/enable it for sure hangs. As I mentioned there is another SW using SGX (fingerprint reader). Disabling the fingerprint device in device manager did no difference. And aparently the fingerprint reader is not hanging.
It's possible your device service is trying to call the AESM service before the AESM service is ready to start and is timing out talking to the AESM. On that same system, the fingerprint-related service seems to have no issues starting up though, which seems odd.
Does the service for your device need to start before someone logs in?
Does the service for your device have the ability to claim it depends on RPC?
Are you able to provide a poc/sample of your software (you can just code enough for the service to start and call sgx_enable_device()) ?
I have put the link of the product installer + readme on how to install below. It is a small project that installs a virtual reader driver that inside itself emulates a smart card. The smart card security chip part is completely shielded from outside by running inside an SGX enclave.
The product runs fine on all SGX capable computers we tested so far (4-5 units), but has an issue on the machine I described in my previous posts. Needles to say that this machine particularly belongs to our CEO :-)
Thanks for your help and cooperation,