Intel SGX has two drivers for Linux. Here is a chart that should reduce confusion:
Linux Kernel Module  Linux Device  Comment
===================  ============  ========
intel_sgx.ko         /dev/sgx      DCAP Driver (also works with IAS)
isgx.so              /dev/isgx     IAS Driver (not DCAP aware)

The Intel SGX driver has not yet been integrated into Linux, but you can download the driver (and, separately, the Intel SGX SDK) from
https://01.org/intel-software-guard-extensions/downloads
Switching Between Drivers
If you want to switch from one driver to the other, run the uninstall.sh script before you unzip or untar the new driver files (otherwise it will be overwritten):
sudo /opt/intel/sgxdriver/uninstall.sh # The path to uninstall.sh may differ for your system.
If the uninstall.sh script is missing, uninstall as follows:
sudo service aesmd stop
sudo rm -f $(find /lib/modules -name intel_sgx.ko)
sudo /sbin/depmod
sudo sed -i '/^intel_sgx$/d' /etc/modules
sudo rm -f /etc/sysconfig/modules/intel_sgx.modules
sudo rm -f /etc/modules-load.d/intel_sgx.conf
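A check to run before switching, as an added example that is not part of the original post: it reports the driver in use from the device nodes in the chart above and lists the intel_sgx files that the manual uninstall commands delete. The function names and the optional SGX_ROOT path prefix are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the optional
# SGX_ROOT path prefix (default: the real filesystem) are assumptions.

# Print dcap, ias, both or none, from the device nodes in the chart:
# /dev/sgx belongs to intel_sgx.ko (DCAP), /dev/isgx to the IAS driver.
sgx_driver_in_use() {
    root="${1:-}"
    dcap=0
    ias=0
    if [ -e "$root/dev/sgx" ]; then dcap=1; fi
    if [ -e "$root/dev/isgx" ]; then ias=1; fi
    case "$dcap$ias" in
        10) echo dcap ;;
        01) echo ias ;;
        11) echo both ;;   # both device nodes exist at the same time
        *)  echo none ;;
    esac
}

# List what the manual uninstall commands delete, if still present:
# intel_sgx.ko, the two module-load files, and the /etc/modules entry.
intel_sgx_files() {
    root="${1:-}"
    if [ -d "$root/lib/modules" ]; then
        find "$root/lib/modules" -name intel_sgx.ko 2>/dev/null
    fi
    for f in /etc/sysconfig/modules/intel_sgx.modules \
             /etc/modules-load.d/intel_sgx.conf; do
        if [ -e "$root$f" ]; then echo "$root$f"; fi
    done
    if grep -qx 'intel_sgx' "$root/etc/modules" 2>/dev/null; then
        echo "$root/etc/modules: intel_sgx entry"
    fi
    return 0
}

# Print the driver in use, then any intel_sgx files that were found.
sgx_report() {
    root="${1:-}"
    echo "driver in use: $(sgx_driver_in_use "$root")"
    found="$(intel_sgx_files "$root")"
    if [ -n "$found" ]; then
        echo "intel_sgx driver files present:"
        echo "$found"
    fi
}

sgx_report "${SGX_ROOT:-}"
```

If intel_sgx files are still listed after an uninstall, the remaining entries map one-to-one onto the manual removal commands above.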
AESM
BTW, for Intel SGX you also need a daemon/service running, aesmd:
Enabling Intel SGX
You can determine whether your CPU has Intel SGX (whether or not it is enabled in the BIOS) with cpuid | grep SGX: on Linux (you may need to sudo apt install cpuid).
If you get an "SGX is not enabled" message in /var/log/syslog, enable SGX in the BIOS (F2 or ESC or ....).
Hi Daniel, when you write that the DCAP driver "also works with IAS", what exactly does that mean? Does that mean you can give both DCAP and EPID quotes to a unified Intel web API that can verify either quote type? (I realize you can verify DCAP quotes using information gathered from Intel APIs, but having a service that can do it would be convenient.) Does it mean that you can generate EPID-format quotes even when using the DCAP driver? Thanks!
What I meant is that EPID attestation can be used with DCAP drivers.