Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Cannot install SGX SDK if we set SGX to "software control" option in BIOS

Feng-Yuan_C_
Beginner
4,926 Views

Hi, 

I have one ASUS Prime Z270-A mother board with Intel Core i7-7700K CPU @4.2GHz.

SGX setting in BIOS is "software controlled". (Z270-A only supports "disable" and "software controlled", no "enable" option)

To enable SGX, it required to enable by software. However, I cannot install Intel SDK. It shows "This platform is not SGX-compatible. Please check your SGX BIOS settings. Install Will cancel". Anyone can help to check how to enable SGX without SGX SDK or how to install Intel SDK, Thanks.

Following is the log from Intel SGX Platform Capability Tool for Windows

==========================================================================================
Intel(R) SGX is currently disabled.
Contact your computer manufacturer to see if SGX is supported on your platform.

--------------------------------------------------------------------
Tue Mar 14 02:07:16 2017


CPU Brand String: "Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz"
Processor signature: 0x906e9
    Processor type: 0x0
    Extended Family: 0x0
    Family: 0x6
    Extended Model: 0x9
    Model: 0xe
    Stepping: 0x9

Intel(R) SGX is currently disabled.
Contact your computer manufacturer to see if SGX is supported on your platform.

--------------------------------------------------------------------

0 Kudos
12 Replies
Prabu_R_Intel
Employee
4,926 Views

Please use the tool mentioned in the below said link for verifying whether target system support Intel SGX or not

https://software.intel.com/en-us/articles/properly-detecting-intel-software-guard-extensions-in-your-applications

Meanwhile, Intel SGX SDK doesn't need to enable "Intel SGX" in BIOS prior to it's installation.But PSW has "Intel SGX" dependency.

And also please refer the below link for the Intel SGX supported CPU:

http://ark.intel.com/

0 Kudos
Feng-Yuan_C_
Beginner
4,926 Views

Thanks.

I downloaded Intel SGX SDK and sample code, SGX Feature Detection Procedures.

After compile , "installer_check_procedure" program and execute it, it shows "This system does not support Intel?SGX". I found sgx_is_capable() return 0, not capable.

So, I tried to enable it before call sgx_is_capable by sgx_cap_enable_device(&sgx_device_status) function and it returns 0, SGX_SUCCESS. 

However, I called sgx_is_capable() again. The result is the same.

I checked my Intel CPU is "Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz" and SGX setting in BIOS is "software controlled". 

Software controlled means it shall be enabled by software. I tried above, but does not work. What is the next step I can try? Please help it, Thanks.

 

 

 

0 Kudos
Prabu_R_Intel
Employee
4,926 Views


Please follow the flow chart diagram ("Intel SGX feature detection flowchart for installers.") mentioned in the already shared below
said link for detecting Intel SGX
https://software.intel.com/en-us/articles/properly-detecting-intel-software-guard-extensions-in-your-applications

This article has the detail procedure for enabling Intel SGX in the target system.

I checked in the below said link
http://ark.intel.com/

It says that "Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz" CPU has Intel SGX support.

0 Kudos
Feng-Yuan_C_
Beginner
4,926 Views

 

My CPU supports SGX.

However, I cannot enable it because mother board only supports "software controlled".

I already download the sample code, https://software.intel.com/sites/default/files/managed/37/88/SGX%20Feature%20Detection%20Procedures.zip in the page you mention as below, https://software.intel.com/sites/default/files/managed/37/88/SGX%20Feature%20Detection%20Procedures.zip.

I compiled "installer_check_procedure"​ project and execute it. It already used "administrator privileges" as it mentioned.

However, the result is "This system does not support Intel®  SGX.​" message. I checked the code. The reason is sgx_is_capable() ​returns 0. (Is there any way to check why it returns 0? My cpu is SGX capable and BIOS setting is "software controlled" already.)

Anyway, there is no procedure to enable SGX first because SGX setting in BIOS is "software controlled".

Why? Following is Intel's definition for Software controlled.

Software controlled: Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”). Enabling Intel SGX via software opt-in may require a system reboot. (at which point, Intel SGX is still disabled until it is enabled via a software application).

The procedure is kind of weird. As I mention, I cannot install PSW, but require me to enable it after install PSW.

Please help to check the procedure and provide the sample code to enable SGX if setting is "software controlled" option. Thanks.

It will be great if Intel can provide sample code to enable "software controlled" in BIOS. Thanks.

I copied the sample code as below.

===================================================================
if ( (rv= sgx_is_capable(&sgx_capable)) != SGX_SUCCESS ) {   
//why sgx enable procedure is not prior to sgx_is_capable? How to verify it if return 0? 

  switch (rv) {
  case SGX_ERROR_EFI_NOT_SUPPORTED:
   wcout << L"Cannot query EFI for Intel® SGX support."  << endl;
   break;
  case SGX_ERROR_NO_PRIVILEGE:
   wcout << L"This program requires Administrator privileges."  << endl;
   break;
  case SGX_ERROR_UNEXPECTED:
  case SGX_ERROR_INVALID_PARAMETER:
   wcout << L"An unexpected error occurred."  << endl;
  }
  return 0;
 }
 if ( sgx_capable == 0 ) {
  wcout << L"This system does not support Intel®  SGX." << endl;
  return 1;
 }

 

 

 

 

 

 

 

 

0 Kudos
Feng-Yuan_C_
Beginner
4,926 Views

Hi,

I found the error code is "SGX_DISABLED_LEGACY_OS." from sgx_cap_enable_device​ function.

My windows version is win10 version 1703 (OS build 15058.0).

It's not legacy OS. Please help it, Thanks.

 

 

0 Kudos
jason_m_4
Beginner
4,926 Views

Hey Feng-Yuan C. I have the exact same set-up as you do. and I can not get SGX to enable either. did you find a solution to your issue?

I also have windows 10 1703

Thanks for any info you can give.

0 Kudos
Feng-Yuan_C_
Beginner
4,926 Views

I do not have solution yet. Look forward to Intel feedback.

0 Kudos
Christophe_F_
Beginner
4,926 Views

Hello,

From https://software.intel.com/en-us/node/709087 , SGX_DISABLED_LEGACY_OS means that the OS doesn't support enabling SGX through UEFI. Are you sure you haven't booted Windows through legacy boot instead of UEFI ?

Hope this helps

Feng-Yuan C. wrote:

Hi,

I found the error code is "SGX_DISABLED_LEGACY_OS." from sgx_cap_enable_device​ function.

My windows version is win10 version 1703 (OS build 15058.0).

It's not legacy OS. Please help it, Thanks.

0 Kudos
MBren7
Beginner
4,926 Views

I have an issue installing SGX PSW

System : Asus Z270F with i5-7600K processor. BIOS option for SGX set to 'controlled by software' booted UEFI

Installed version of Intel Management Engine Components : 11.6.0.1030

SGX Platform Capability Tool Result : 'Intel(R) SGX is not yet enabled, but will be enabled by any Intel SGX application'

When I attempt to install SGX PSW I get 'No components selected to install'  ..................But I'm never offered the option to select any !!

What other prerequisites are required ?

Update to this post : I ran the setup.exe buried inside Intel(R)_SGX_Windows_x64_PSW_1.7.102.37526.exe (as administrator). Now getting This platform is not SGX compatible. Please check your SGX BIOS settings. I currently have this set to 'controlled by software'

 

0 Kudos
Anusha_K_Intel
Employee
4,926 Views

Hi,

SGX is not supported in Pre-Boot Environment(UEFI/BIOS). Please refer to this query for reference

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/684906

Go to Intel Advanced Menu ->CPU Configuration -> SW Guard Extensions (SGX). Set SW Guard Extensions (SGX) as Enabled.

0 Kudos
MBren7
Beginner
4,926 Views

 

Thanks for replying.

Where is the Intel Advanced Menu, the supplied link is dead......

OK, you mean this....

If you set Enabled for the SW Guard Extensions (SGX) option, you may need to configure Intel Advanced Menu -> CPU Configuration -> PRMRR. You can set it to 32MB, 64MB or 128MB. The default option is 128MB.

This step maybe only applicable to Intel reference BIOS and may be not applicable to OEM BIOS.

Mine is an OEM BIOS, so do not have that option, can't carry out that step ?

The case that applies to me is this, but I am unable to install SW Guard Extensions (SGX)

If you set Software Controlled for the SW Guard Extensions (SGX) option, you need to enable Intel® SGX using Intel® SGX Enabling Functions after installing Intel® SGX PSW. See Intel® SGX SDK User’s Guide for Windows* OS for more details.

...........OK, figured it out. You have to use the msi file to install PSW. 

There is an msi file in the \installs folder which successfully installs the PSW from an Admin commandline using this command : msiexec /i SGX_PSW.msi

If all you want to do is to get SGX enabled, you are there. After the next reboot, I get 'Intel(R) is currently enabled on your platform' when I run SgxPlatformCapability.exe.

No need to install the SDK.

Thanks to anyone who contributed and hope my observation helps others at their wits end with SGX.

0 Kudos
Surenthar_S_Intel
4,926 Views

Mike B. wrote:

Thanks for replying.

Where is the Intel Advanced Menu, the supplied link is dead......

OK, you mean this....

If you set Enabled for the SW Guard Extensions (SGX) option, you may need to configure Intel Advanced Menu -> CPU Configuration -> PRMRR. You can set it to 32MB, 64MB or 128MB. The default option is 128MB.

This step maybe only applicable to Intel reference BIOS and may be not applicable to OEM BIOS.

Mine is an OEM BIOS, so do not have that option, can't carry out that step ?

The case that applies to me is this, but I am unable to install SW Guard Extensions (SGX)

If you set Software Controlled for the SW Guard Extensions (SGX) option, you need to enable Intel® SGX using Intel® SGX Enabling Functions after installing Intel® SGX PSW. See Intel® SGX SDK User’s Guide for Windows* OS for more details.

...........OK, figured it out. You have to use the msi file to install PSW. 

There is an msi file in the \installs folder which successfully installs the PSW from an Admin commandline using this command : msiexec /i SGX_PSW.msi

If all you want to do is to get SGX enabled, you are there. After the next reboot, I get 'Intel(R) is currently enabled on your platform' when I run SgxPlatformCapability.exe.

No need to install the SDK.

Thanks to anyone who contributed and hope my observation helps others at their wits end with SGX.

This step maybe only applicable to Intel reference BIOS and may be not applicable to OEM BIOS. - Yes. Its applicable for Intel BIOS.

Mine is an OEM BIOS, so do not have that option, can't carry out that step ? - Not Possible. Check with your OEM Provider on how to enable SGX in your system.

No need to install the SDK. - You need to install SDK if you are developing SGX application in your system

-Surenthar

0 Kudos
Reply