Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Limited platform choice when running SGX off-line with FLC

Lauritzsen__Roar
Beginner

Dear Intel,

For the application we are developing, we need to use SGX in a closed environment. That is, the system running the enclave will run on an air-gapped network with no connection to the internet, and as such can never run remote attestation. In this scenario it is our understanding that FLC is the only thing that can allow us to run in release mode.

However, the BIOS support needed to enable FLC is very rare, and we haven’t been able to find a platform with FLC that is suitable for us. Ideally, we want to use two COTS platforms, a very small headless machine like a NUC, and a laptop. So far we have only found one outdated NUC platform that supports FLC, and no laptop.

Does Intel have a plan to address this problem, for instance by advocating or making it easier for third party BIOS vendors (and Intel’s own NUC department) to incorporate FLC in the BIOS so that FLC support becomes more widespread, or will FLC forever be limited to specialized server platforms? Does any method exist that allows for configuring FLC without support in the BIOS?

We have looked into various ways to incorporate DCAP, but it will add a lot of extra infrastructure and make the project more expensive. We also considered running in pre-release mode and adding some security measures on our own, but now it is our understanding that pre-release runs with the debug flag on, so that is not an option.

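For anyone doing the same platform hunt, the question the post is chasing can be answered per machine from two registers: CPUID says whether the silicon supports Launch Control at all, and IA32_FEATURE_CONTROL says whether the BIOS left the IA32_SGXLEPUBKEYHASH MSRs writable. The following probe is an added example, not code from this thread or from Intel; it assumes Linux on an x86 CPU, the msr kernel module loaded and root for the MSR read. The bit positions and MSR numbers are those documented in the Intel SDM; the decision function is kept pure so it can be exercised with constructed register values on a machine without SGX.

```c
/* flc_probe.c -- added example, not from the thread.
 * Reports whether this machine can run release-mode (non-DEBUG) enclaves under
 * owner control: the CPU must support Flexible Launch Control (FLC) *and* the
 * BIOS must have enabled it. Otherwise the LE hash MSRs are read-only and hold
 * Intel's Launch Enclave key, so EINIT only accepts Intel-issued launch tokens.
 * Assumes Linux/x86, root, "modprobe msr".  Build: cc -O2 -o flc_probe flc_probe.c
 */
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=7,ECX=0) feature bits (Intel SDM Vol. 2, CPUID) */
#define CPUID7_EBX_SGX     (1u << 2)    /* SGX1 instructions present */
#define CPUID7_ECX_SGX_LC  (1u << 30)   /* Launch Configuration: LE hash MSRs exist */

/* IA32_FEATURE_CONTROL, MSR 0x3A, written and usually locked by the BIOS at boot */
#define MSR_IA32_FEATURE_CONTROL  0x3A
#define FC_LOCK            (1ull << 0)
#define FC_SGX_LC_ENABLE   (1ull << 17) /* IA32_SGXLEPUBKEYHASH[0..3] are writable */
#define FC_SGX_ENABLE      (1ull << 18) /* SGX globally enabled */

#define MSR_IA32_SGXLEPUBKEYHASH0 0x8C  /* ..0x8F: SHA-256 of the trusted LE signing key */

enum flc_state {
    FLC_NO_SGX,            /* no SGX, or BIOS did not enable it */
    FLC_CPU_UNSUPPORTED,   /* SGX present, but no Launch Control support in silicon */
    FLC_BIOS_LOCKED,       /* CPU supports FLC, BIOS left the hash MSRs read-only */
    FLC_AVAILABLE          /* platform owner may install its own LE key hash */
};

/* Pure decision over raw register values, so it is testable with constructed inputs. */
enum flc_state classify_flc(uint32_t cpuid7_ebx, uint32_t cpuid7_ecx,
                            uint64_t feature_control)
{
    if (!(cpuid7_ebx & CPUID7_EBX_SGX) || !(feature_control & FC_SGX_ENABLE))
        return FLC_NO_SGX;
    if (!(cpuid7_ecx & CPUID7_ECX_SGX_LC))
        return FLC_CPU_UNSUPPORTED;
    if (!(feature_control & FC_SGX_LC_ENABLE))
        return FLC_BIOS_LOCKED;
    return FLC_AVAILABLE;
}

const char *flc_state_name(enum flc_state s)
{
    static const char *names[] = {
        "SGX not enabled",
        "SGX present, CPU lacks Launch Control",
        "CPU supports FLC but BIOS locked it off (Intel LE key only)",
        "FLC available: owner-controlled launch",
    };
    return names[s];
}

/* Read one MSR on cpu0 through the msr driver; 0 on success, -1 otherwise. */
static int read_msr(uint32_t msr, uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
#if defined(__x86_64__) || defined(__i386__)
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
#endif
    (void)eax; (void)edx;
    uint64_t fc = 0;
    if (read_msr(MSR_IA32_FEATURE_CONTROL, &fc) != 0) {
        fprintf(stderr, "cannot read IA32_FEATURE_CONTROL (need root and the msr module)\n");
        return 2;
    }
    enum flc_state st = classify_flc(ebx, ecx, fc);
    printf("CPUID.7:EBX=%#x ECX=%#x IA32_FEATURE_CONTROL=%#llx (%s)\n",
           ebx, ecx, (unsigned long long)fc, (fc & FC_LOCK) ? "locked" : "unlocked");
    printf("%s\n", flc_state_name(st));

    /* The hash MSRs only exist when the CPU supports Launch Control; on an FLC
     * platform they show whose Launch Enclave is trusted right now. */
    if (st == FLC_BIOS_LOCKED || st == FLC_AVAILABLE) {
        printf("IA32_SGXLEPUBKEYHASH:");
        for (uint32_t i = 0; i < 4; i++) {
            uint64_t h = 0;
            if (read_msr(MSR_IA32_SGXLEPUBKEYHASH0 + i, &h) == 0)
                printf(" %016llx", (unsigned long long)h);
        }
        printf("\n");
    }
    return st == FLC_AVAILABLE ? 0 : 1;
}
```

The exit status is 0 only in the FLC_AVAILABLE state, so the probe can be scripted across candidate machines. A machine that lands in the "BIOS locked" state is the common client case: the upstream Linux SGX driver only enables SGX when the Launch Control bit is set in IA32_FEATURE_CONTROL, so such a platform also needs the legacy out-of-tree driver, and release-mode launch still depends on a launch token from Intel's Launch Enclave.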
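The post's last point, that pre-release mode still launches the enclave with the debug flag on, can be checked on the signed artifact itself rather than taken on trust: the DEBUG attribute is fixed in the SIGSTRUCT that the signing tool emits, together with an attribute mask that says whether EINIT enforces it. The checker below is an added example, not code from this thread, from Intel's SDK or from the linked discussion; the byte offsets and header constant follow the SIGSTRUCT layout in the Intel SDM, and the sample SIGSTRUCT it builds when run without arguments is constructed here for offline use, not taken from a real enclave.

```c
/* sigstruct_debug.c -- added example, not from the thread.
 * Reads a 1808-byte SIGSTRUCT and reports how the DEBUG attribute is pinned at
 * signing time. Debug and pre-release builds are launched with DEBUG set, which
 * is why they need no Intel launch token; a DEBUG enclave can be read by a
 * debugger and its sealing keys differ from the release enclave's, so it offers
 * none of release mode's guarantees. Offsets: Intel SDM Vol. 3D, SIGSTRUCT.
 * Build: cc -O2 -o sigstruct_debug sigstruct_debug.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIGSTRUCT_SIZE           1808
#define SIGSTRUCT_ATTRIBUTES     928   /* ATTRIBUTES: FLAGS (8 bytes) then XFRM (8 bytes) */
#define SIGSTRUCT_ATTRIBUTEMASK  944   /* same layout; 1 bits are enforced by EINIT */
#define ATTR_FLAG_DEBUG          (1ull << 1)

/* Constant HEADER field the SDM defines; used here as a sanity check. */
static const uint8_t kHeader[16] = {0x06,0,0,0,0xE1,0,0,0,0,0,0x01,0,0,0,0,0};

enum debug_policy {
    DEBUG_MALFORMED = -1,  /* not a SIGSTRUCT */
    DEBUG_FORBIDDEN = 0,   /* DEBUG=0 and masked: release enclave only */
    DEBUG_REQUIRED  = 1,   /* DEBUG=1 and masked: always a debug enclave */
    DEBUG_UNMASKED  = 2    /* mask bit clear: the loader chooses at ECREATE */
};

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

enum debug_policy sigstruct_debug_policy(const uint8_t *buf, size_t len)
{
    if (len < SIGSTRUCT_SIZE || memcmp(buf, kHeader, sizeof kHeader) != 0)
        return DEBUG_MALFORMED;
    uint64_t flags = load_le64(buf + SIGSTRUCT_ATTRIBUTES);
    uint64_t mask  = load_le64(buf + SIGSTRUCT_ATTRIBUTEMASK);
    if (!(mask & ATTR_FLAG_DEBUG))
        return DEBUG_UNMASKED;
    return (flags & ATTR_FLAG_DEBUG) ? DEBUG_REQUIRED : DEBUG_FORBIDDEN;
}

/* Constructed sample (not a real signature): a zeroed SIGSTRUCT with a valid
 * header and the DEBUG attribute/mask bits set as requested. */
size_t make_sample_sigstruct(uint8_t *out, size_t cap, int debug, int enforce)
{
    if (cap < SIGSTRUCT_SIZE)
        return 0;
    memset(out, 0, SIGSTRUCT_SIZE);
    memcpy(out, kHeader, sizeof kHeader);
    if (debug)   out[SIGSTRUCT_ATTRIBUTES]    |= (uint8_t)ATTR_FLAG_DEBUG;
    if (enforce) out[SIGSTRUCT_ATTRIBUTEMASK] |= (uint8_t)ATTR_FLAG_DEBUG;
    return SIGSTRUCT_SIZE;
}

/* Exercises every policy outcome on constructed input; returns 1 if all agree. */
int sigstruct_selfcheck(void)
{
    uint8_t b[SIGSTRUCT_SIZE];
    int ok = make_sample_sigstruct(b, sizeof b, 1, 1) == SIGSTRUCT_SIZE
          && sigstruct_debug_policy(b, sizeof b) == DEBUG_REQUIRED;
    make_sample_sigstruct(b, sizeof b, 0, 1);
    ok = ok && sigstruct_debug_policy(b, sizeof b) == DEBUG_FORBIDDEN;
    make_sample_sigstruct(b, sizeof b, 1, 0);
    ok = ok && sigstruct_debug_policy(b, sizeof b) == DEBUG_UNMASKED;
    b[0] = 0;  /* corrupt the header */
    ok = ok && sigstruct_debug_policy(b, sizeof b) == DEBUG_MALFORMED;
    return ok;
}

int main(int argc, char **argv)
{
    uint8_t buf[SIGSTRUCT_SIZE];
    size_t len;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        len = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        len = make_sample_sigstruct(buf, sizeof buf, 1, 1);  /* constructed demo input */
    }
    static const char *names[] = {"forbidden (release enclave only)",
                                  "required (debug enclave)",
                                  "unmasked (loader decides at ECREATE)"};
    enum debug_policy p = sigstruct_debug_policy(buf, len);
    if (p == DEBUG_MALFORMED) { fprintf(stderr, "not a SIGSTRUCT\n"); return 2; }
    printf("ATTRIBUTES.DEBUG: %s\n", names[p]);
    return p == DEBUG_FORBIDDEN ? 0 : 1;
}
```

Run it on the SIGSTRUCT extracted from a signed enclave; only the "forbidden" outcome means the signature commits the enclave to release mode. The "unmasked" case is worth knowing about: with the DEBUG bit clear in ATTRIBUTEMASK, EINIT does not compare it, so whoever loads the enclave decides whether it runs debuggable.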
3 Replies
JesusG_Intel
Moderator

Hello Roar,


FLC support is targeted at Xeon E series based server platforms and there are no plans to widely enable client systems with FLC. The limited client platforms you found with FLC support are meant for development purposes.


Sincerely,

Jesus G.

Intel Customer Support


Lauritzsen__Roar
Beginner

Fine, that means we don't have to spend time pursuing the FLC solution any more.

For anyone interested, the following thread and answer look promising with respect to off-line provisioning of the vendor whitelist after acquiring a Commercial Use License Agreement:

community.intel.com/t5/Intel-Software-Guard-Extensions/Questions-about-launch-token-and-EINITTOKEN/m-p/1094877#M944

JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

