Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Limited platform choice when running SGX off-line with FLC

Lauritzsen__Roar
Beginner
1,563 Views

Dear Intel,

For the application we are developing, we need to use SGX in a closed environment. That is, the system running the enclave will run on an air-gapped network with no connection to the internet, and as such can never run remote attestation. In this scenario it is our understanding that FLC is the only thing that can allow us to run in release mode.

However, the BIOS support needed to enable FLC is very rare, and we haven’t been able to find a platform with FLC that is suitable for us. Ideally, we want to use two COTS platforms, a very small headless machine like a NUC, and a laptop. So far we have only found one outdated NUC platform that supports FLC, and no laptop.

Does Intel have a plan to address this problem, for instance by advocating or making it easier for third party BIOS vendors (and Intel’s own NUC department) to incorporate FLC in the BIOS so that FLC support becomes more widespread, or will FLC forever be limited to specialized server platforms? Does any method exist that allows for configuring FLC without support in the BIOS?

We have looked into various ways to incorporate DCAP, but it will add a lot of extra infrastructure and make the project more expensive. We also considered running in pre-release mode and adding some security measures on our own, but now it is our understanding that pre-release runs with the debug flag on, so that is not an option.

0 Points
1 Solution
JesusG_Intel
Moderator
1,545 Views

Hello Roar,


FLC support is targeted at Xeon E series based server platforms and there are no plans to widely enable client systems with FLC. The limited client platforms you found with FLC support are meant for development purposes.


Sincerely,

Jesus G.

Intel Customer Support


0 Points
3 Replies
Lauritzsen__Roar
Beginner
1,531 Views

Fine, that means we don't have to spend time pursuing the FLC solution any more.

For anyone interested, the following thread and answer look promising with respect to off-line provisioning of the vendor whitelist after acquiring a Commercial Use License Agreement:

community.intel.com/t5/Intel-Software-Guard-Extensions/Questions-about-launch-token-and-EINITTOKEN/m-p/1094877#M944

0 Points
JesusG_Intel
Moderator
1,512 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Points