Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

How to correct Critical Error for Event: SGX Application Enclave Service Manager stopped working

Anonymous
Not applicable
4,152 Views

On my OEM’s support website, I successfully installed an urgent driver update for the Intel Management Engine. The install date/time coincided with the same date and time that logged two Critical Events in Reliability Monitor and a Warning in Event Viewer.   

In Reliability Monitor, the Critical events read as: “Intel SGX Application Enclave Services Manager”. The summary of these events logged as “stopped working”.

In Event Viewer, under “AESM Service>SGX/Admin”, the entry coinciding with the same date and time read as: “AESMService: Platform Services initialization failed due to DAL error”.

The DAL {Dynamic Application Loader} is installed by the Intel Management Engine installer.

More recent entries in Event Viewer following the “Warning” read (in ascending order):

AESM Service started. PSW Version: 2.7.100.2

SGX is Enabled at AESM Service startup

White List update requested

White list update request successful from Server, Version: 70

 

SYSTEM DETAILS

The system is a Dell XPS 8930 Special Edition desktop tower.  

Intel SGX is enabled in the BIOS and set to allocate 128 MB  

The CPU is an 8th gen. Intel Core i7 8700 @ 3.20 GHz, Coffee Lake chipset

Intel UHD Graphics 630 version 27.20.100.7990

The system is actively running an Nvidia GeForce GTX 1060 graphics card as the default GPU

OS: Windows 10 OS Build 19041.450 (20h1 release) May 2020 update version 2004 

In Device Manager, “System devices” lists the 'Intel Software Guard Extensions Device' (driver 2.7.100.2 dated 3/3/2020) – the device is working properly. I was notified by Dell of this version update in March 2020. The SGX update was installed on 03/03/20 through the Dell support site. My system was an affected product under the list of impacted products as per Intel-SA-00334 found on this Intel Processors Load Value Injection Advisory.

STEPS TAKEN

I contacted my OEM to inquire how to approach debugging this issue. They informed me there are no available Dell Software Guard Extensions PSW driver updates to install for my Dell XPS 8930 system.

I do not know how to ascertain whether the issue affecting the SGX App Enclave Service Manager has caused the SGX PSW to function in a non-operative state due to the result of the driver update for Intel ME.  

I hope an Intel Support expert can assist or guide me on how to approach this.

0 Kudos
JesusG_Intel
Moderator
4,122 Views

Hello Coffee_Lake,


It isn't clear whether you still have a problem. You wrote that these messages appeared after the initial error message:


AESM Service started. PSW Version: 2.7.100.2


SGX is Enabled at AESM Service startup


White List update requested


White list update request successful from Server, Version: 70.


These messages above make it seem like the problem has resolved itself.


0 Kudos
Anonymous
Not applicable
4,114 Views

@JesusG_Intel
To date, there hasn't been a new problem.


In your reply you said:
"These messages above make it seem like the problem has resolved itself".

One point that I omitted in my OP was that the Intel ME driver was seen as an available Windows Update BEFORE I installed the driver from my OEM's support site. This availability was what tipped me off about an urgent update.
Going forward in the future as new Intel ME drivers become available, what would help prevent this problem from occurring again?
I did not notice anything about the ME chipset installation package when the ME installer was unbundled that distinguished itself as being a customized DELL driver. Also, the 'Intel' ME driver that was previously seen as available in Windows Update had never yet downloaded on my system, so that couldn't have been a reason for the errors reported from a re-start after installing the driver from the OEM site.

0 Kudos
JesusG_Intel
Moderator
4,110 Views

To use Intel® SGX platform service, you need to install a full set of Intel® Management Engine (Intel® ME) software components, which includes Intel® Dynamic Application Loader Host Interface Service (Intel® DAL Host Interface Service). If you install Intel® ME driver only, Intel® SGX platform service is not available.


Typically, the Intel DAL stack and Intel ME stack are pre-installed with other Intel software on a platform. However, if you receive an error that Intel SGX platform service is unavailable, install the appropriate Intel DAL stack and/or Intel ME stack.


Unfortunately, since this is a Dell platform and Dell's drivers, you must go to Dell for further diagnosis if the problem persists. I know that all the component names start with "Intel," but there is nothing Intel can do. Dell controls the platform and the drivers.


0 Kudos
Anonymous
Not applicable
4,098 Views

@JesusG_Intel 

As for the Additional Dependencies that you cited from the Intel Software Guard Extensions (Intel SGX) SDK for Windows* OS Installation Guide, I opened a ticket with Dell's internal software team. They're investigating my inquiry on whether the Dell package for the Intel Management Engine Driver includes a full set of Intel® Management Engine (Intel® ME) software components, specifically, the Intel® Dynamic Application Loader Host Interface Service (Intel® DAL Host Interface Service).

To paraphrase from the installation guide, it stated that in order to “use” Intel SGX services, the full set of Intel ME software components (which include the DAL Stack, and the Intel ME stack) must be installed. It also says that typically they (the DAL stack and ME stack) are both pre-installed with “other” Intel software on a platform. Could you perhaps share an explanation as to how one would verify whether or not these stacks might be installed, and also what “other” Intel software the guide is referring to that typically would have pre-installed these stacks?

My platform performed the Online Installation. The BIOS was configured to “enabled” for SGX. It was previously factory set as "Software Controlled". This setting change to enable SGX last year in August had prompted Windows Update to install the SGX PSW and SGX base driver automatically.  

This is basically why I changed the SGX setting in the BIOS to enabled. The Intel architecture aims to provide confidentiality to security sensitive computation and to protect against a subverted or malicious OS by leveraging Intel hardware and establishing a secure 'container', e.g., an enclave.

The Intel Software Guard Extensions (Intel SGX) SDK for Windows* OS Release Notes provides system requirements and fixes but does not offer additional information to debug problems.

As for contacting my OEM, I will tell you and I'm speaking on behalf of many users who have personal computers with various Dell models. I contacted Dell’s technical support last year in 2019 when I enabled the setting in the BIOS. I had a paid account for technical support with their top resolution experts. Not a single person possessed enough knowledge about SGX where they were able to offer any support. They admittedly said that within Dell, training on Software Guard Extensions was non-existent. I spoke with three technicians over the phone who referred me to Intel. Before I hear back regarding the full set of software components for the ME package, I'm not exactly going to get my hopes up high.

0 Kudos
JesusG_Intel
Moderator
4,094 Views

Hello Coffee_lake,


Thanks for the feedback on the state of OEM knowledge on SGX support. This has always been a challenge.


Have you installed software that requires SGX?


Please note that enabling SGX does not automatically boost the security posture of your system. It is only useful if you install software that explicitly uses the technology. Windows 10 does not use SGX. For example, some DVD and Blu Ray player software, such as Cyberlink's Power DVD, uses SGX. Unless you plan to play Blu Ray or DVD content you probably do not need SGX at all, so it is safe to disable it.


If you are really interested in what is included in the ME software package, you can find it here, https://downloadcenter.intel.com/download/28679/Intel-Management-Engine-Driver-for-Windows-8-1-and-Windows-10?product=69368. The Intel(R)_ME_SW_IG_Rev1p0.pdf in the zip file contains a list.


You can find some of the components in your system by opening System Information then check:


Services

Intel® Dynamic Application Loader Host Interface Service

Intel SGX AESM

 

System Drivers

meix64 - Intel Management Engine Interface


OEMs install lots of Intel software, too much to list here, in chipset software packages.


0 Kudos
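The System Information check described in the post above can also be scripted. This PowerShell sketch is an added example, not part of the original thread or Intel's documentation; it matches components by wildcard against the names quoted in the post, and the exact display names on a given OEM image are an assumption.

```powershell
# Added example: verify that the ME/DAL/SGX components named in the thread are
# installed and running. Patterns are taken from the names quoted in the post;
# actual display names may differ per OEM image (assumption).
$checks = @(
    @{ Kind = 'Service'; Class = 'Win32_Service';      Field = 'DisplayName'; Pattern = '*Dynamic Application Loader*' },
    @{ Kind = 'Service'; Class = 'Win32_Service';      Field = 'DisplayName'; Pattern = '*SGX AESM*' },
    @{ Kind = 'Driver';  Class = 'Win32_SystemDriver'; Field = 'Name';        Pattern = 'meix64' }
)

$report = foreach ($c in $checks) {
    # Query the CIM class and filter on the chosen property (case-insensitive).
    $hits = @(Get-CimInstance -ClassName $c.Class |
              Where-Object { $_.($c.Field) -like $c.Pattern })

    if ($hits.Count -eq 0) {
        # Nothing matched: report the component as absent rather than skipping it.
        [pscustomobject]@{
            Kind = $c.Kind; Pattern = $c.Pattern; Name = $null
            DisplayName = $null; State = 'NOT INSTALLED'; StartMode = $null
        }
    } else {
        foreach ($h in $hits) {
            [pscustomobject]@{
                Kind = $c.Kind; Pattern = $c.Pattern; Name = $h.Name
                DisplayName = $h.DisplayName; State = $h.State; StartMode = $h.StartMode
            }
        }
    }
}

$report | Format-Table -AutoSize

# Flag anything that is missing or not currently running.
$problems = @($report | Where-Object { $_.State -ne 'Running' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} component(s) missing or not running: {1}" -f
        $problems.Count, (($problems | ForEach-Object { $_.Pattern }) -join ', '))
}
```

Running it before and after an ME package update gives a record of whether the DAL host interface service came back, which is the dependency the AESM "DAL error" points at.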
Anonymous
Not applicable
4,076 Views

@JesusG_Intel 

Thank you for responding back.

I've been aware for some time that SGX is only useful with software that explicitly uses the technology and doesn't "boost" security on my system. 

The unzipped ME software from the download center lists the folders - Cons and Corp that include ME setup (ME_SW_MSI), MEI Setup (MEI-Only Installer MSI), and various Windows driver packages.

How do Windows inf, cat drivers and dll libraries help with verifying if Intel® DAL Host Interface Service is installed or missing on my system? I'm not seeing the entire picture how those files read from the unzipped folder are a way for verifying that I have DAL stack. I'm not seeing the correlation.

As for Services, the Dynamic Application Loader Host Interface Service and SGX AESM are both running.

In Device Manager>System devices, the MEIx64 driver for the Intel ME Interface is installed. It corresponds to the version I recently installed from Dell's site.

0 Kudos
JesusG_Intel
Moderator
4,073 Views

Hello Coffee_Lake,


You asked two questions in a two-part sentence:


The first question was:

"Could you perhaps share an explanation as to how one would verify whether or not these stacks might be installed"


I answered this by guiding you to System Information, where you verified that the DAL, SGX AESM, and ME driver were indeed installed and running.


Your second question was:

"and also what 'other' Intel software the guide is referring to that typically would have pre-installed these stacks?"


I answered this by pointing you to the full software package for the ME stack. The Intel SGX AESM gets installed by Windows Update.


I still don't understand what you are trying to resolve. It seems that all of the components are installed and running. You received a critical event notification while the ME software was being updated, which is understandable. After the upgrade, everything was back up and running. Please explain what issue you are having with SGX.


0 Kudos
Anonymous
Not applicable
4,060 Views

 

@JesusG_Intel 

I apologize for my mistake or if I added more confusion in regard to the inquiries.

Regarding the first inquiry. I in fact did indeed verify in services that the Dynamic Application Loader Host Interface Service is running. So that was the main issue I overlooked and was the key underlying question in my last reply.

Secondly, there was confusion that stemmed from the full software package for the full ME software stack you pointed me to from Intel's download center. As you mentioned way back in your first post :
"this is a Dell platform and for Dell's drivers you must go to Dell for further diagnosis".

It was that statement and my presumption I based my question on as to why you pointed me to bundled setup files and Windows drivers from Intel's download center for the full software ME Interface when you had stated earlier to go to Dell on the ME interface driver diagnosis for my Dell platform.
There is no need to answer that rhetorical question.

Lastly, what the issue that I was having a question on that pertained to SGX was where I could verify DAL was installed? As you replied earlier by citing the Intel Software Guard Extensions (Intel SGX) SDK for Windows* OS Installation Guide:
"To use Intel® SGX platform service, you need to install a full set of Intel® Management Engine (Intel® ME) software components, which includes Intel® Dynamic Application Loader Host Interface Service (Intel® DAL Host Interface Service)".
That question has been answered and been verified in Services that it is running so the question is no longer of importance.

I wasn't trying to beat a dead horse, but as you well know, the Intel Management engine is basically a black box. All that the public understands about it basically is it is a parallel operating system running on an isolated chip with access to the PC’s hardware. Beyond that, the precise software that runs inside the Intel Management Engine is unknown.

After updating the ME, SGX Application Enclave Service Manager stopped working. Yes I have updated the ME Interface before and this critical error never happened before. Hence, the reason for the high level of concern.

0 Kudos
JesusG_Intel
Moderator
4,023 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos