Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Calling any SGX function results in hangs prior to Windows logon. Works after.

Jan_P_

Hello,

When testing our SGX-based solution I came across 1 Lenovo machine (Think Pad Carbon x1 5th Generation Serial number PF0ZHP95 Type 20HR002MGE BIOS Version: N1MET42W 1.27, Windows 10 1709 Build 16299.251, Fully updated SGX drivers) that unlike others exhibits the below behavior.

BIOS SGX setting is set to ENABLED. The UMDF device driver of our product hangs upon any sgx call until it times out and system continues with starting the OS. After logon the device can be successfully started. When the BIOS setting is set to DISABLED and then on next boot to ENABLED again this issue does not happen and UMDF driver starts fine.

There is also a fingerprint reader using SGX that works fine. (Disabling the fingerprint device makes no difference though)

Is there a way to generate better diagnostic messages? Or is there a known issue with OEM vendors switching SGX on?

 

Any help is much appreciated,

Jan

 

 

 

5 Replies
Francisco_C_Intel

What is the version of SGX that is installed?

> The UMDF device driver of our product hangs upon any sgx call

There are a few possibilities here. The following may help debug:

1) Call sgx_destroy_enclave(0). The call will fail because 0 is an invalid enclave id, but it should return right away. There should be no interactions with the AESM.

2) Call sgx_enable_device(). This call will use the AESM (but not the network).

Some of the other APIs may end up using the network. Depending on your system and network proxy settings, these may time out.

Which call(s) is timing out?

And to confirm, after you reboot then there is no issue?

Thanks,

Francisco

 

Jan_P_

Hi Francisco,

I try namely sgx_enable_device or sgx_create_enclave. Both calls hang for cca 20 - 30 seconds and then the process that calls them is killed by OS and boot continues.

The hang happens after every hard-reboot with one exception - when I disable and enable SGX in BIOS it will not happen. But the next time if I am not doing disable/enable it for sure hangs. As I mentioned there is another SW using SGX (fingerprint reader). Disabling the fingerprint device in device manager made no difference. And apparently the fingerprint reader is not hanging.

Thx,

Jan

Francisco_C_Intel

It's possible your device service is trying to call the AESM service before the AESM service is ready to start and is timing out talking to the AESM. On that same system, the fingerprint-related service seems to have no issues starting up though, which seems odd.

Does the service for your device need to start before someone logs in?

Does the service for your device have the ability to claim it depends on RPC?

Are you able to provide a poc/sample of your software (you can just code enough for the service to start and call sgx_enable_device())?

Thanks,

Francisco
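
A boot-time check for the AESM-readiness hypothesis in the reply above, added here as an example; it is not code from the thread or from Intel. It assumes the AESM service is registered under the name `AESMService`, and `MySgxDeviceSvc` is a hypothetical placeholder for the product's own service; the log path is also an assumption.

```powershell
# Added diagnostic example. Assumptions: the AESM service is registered as
# 'AESMService'; 'MySgxDeviceSvc' is a placeholder for your own service name.
param(
    [string]$AesmName    = 'AESMService',
    [string]$ProductSvc  = 'MySgxDeviceSvc',
    [int]$TimeoutSeconds = 120,
    [string]$LogPath     = "$env:ProgramData\sgx-boot-diag.log"
)

# Log each event with wall-clock time and seconds elapsed since boot, so the
# AESM start can be lined up against the moment the SGX call hangs.
function Write-Diag([string]$Message) {
    $boot      = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $sinceBoot = [int]((Get-Date) - $boot).TotalSeconds
    "{0:o} boot+{1}s {2}" -f (Get-Date), $sinceBoot, $Message |
        Add-Content -Path $LogPath
}

# Static configuration: start mode and declared dependencies of both services.
# A product service without a dependency on RPC or on AESM can be started
# before either of them is up.
foreach ($name in $AesmName, $ProductSvc) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Diag "${name}: not installed"; continue }
    $deps = (Get-Service -Name $name).ServicesDependedOn.Name -join ','
    Write-Diag ("${name}: StartMode=$($svc.StartMode) " +
                "DelayedAutoStart=$($svc.DelayedAutoStart) " +
                "State=$($svc.State) DependsOn=[$deps]")
}

# Dynamic behaviour: record every state transition of AESM until it is Running
# or the timeout expires.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$last = $null
do {
    $state = (Get-Service -Name $AesmName -ErrorAction SilentlyContinue).Status
    if ("$state" -ne "$last") {
        Write-Diag "${AesmName}: state -> $state"
        $last = $state
    }
    if ($state -eq 'Running') { break }
    Start-Sleep -Milliseconds 500
} while ((Get-Date) -lt $deadline)

if ($state -ne 'Running') {
    Write-Diag "${AesmName}: not Running after ${TimeoutSeconds}s"
}
```

To capture the pre-logon window, run the script from an at-startup scheduled task under the SYSTEM account and compare the `boot+Ns` timestamps with the time at which the device service makes its first SGX call.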

Jan_P_

Hi Francisco,

I have put the link of the product installer + readme on how to install below. It is a small project that installs a virtual reader driver that inside itself emulates a smart card. The smart card security chip part is completely shielded from outside by running inside an SGX enclave.

The product runs fine on all SGX capable computers we tested so far (4-5 units), but has an issue on the machine I described in my previous posts. Needless to say that this machine particularly belongs to our CEO :-)

Thanks for your help and cooperation,

Jan 

 https://drive.google.com/drive/folders/1p5_hMtnQ8mq8znEIYwC-pdHnQ2-FMaqB?usp=sharing

Webb__David

Hello Francisco C, we have just experienced the same issue with the latest PSW... Did you get to a resolution on this case? Thanks
