TL;DR: Do I need a motherboard with Intel AMT to use Intel SGX in hardware mode?
- I've followed the documentation (Installation Guide Linux 1.8) to try and install the driver and PSW on a machine. I only need to run client applications (with enclaves) on this machine so I didn't install the SDK.
- I was able to install the driver, which shows up loaded with lsmod, but I cannot successfully install Intel SGX PSW. I've installed all required software, but I've noticed that I cannot load the mei_me driver on the machine. The mei_me module shows up with lsmod but it is not loaded and I cannot load it. In addition, I have no /dev/mei0 device. I do have some errors showing in syslog related to MEI: "mei_me 0000:00:16.0: Device doesn't have valid ME Interface".
- Since Intel MEI is related to Intel AMT, do I need to have an Intel AMT-enabled motherboard to use SGX in hardware mode? The documentation I've seen mentions the requirement of having SGX extensions but I don't remember seeing anything about AMT. So I'm looking for some clarification here on whether having a CPU with SGX support is sufficient or if clients also need to have support for AMT.
- About the HW, the Xeon E3-1230 v5 supports SGX and vPro. The motherboard, however, doesn't appear to support Intel Active Management Technology although it has support for vPro. I got that info from here, the mobo is a Supermicro X11SSH-F.
I've been developing software in a different machine in simulation mode and I would like to test it in hardware mode, and in particular make use of remote attestation.
For use of trusted platform service(example SealedData Code sample requires trusted platform service) , mei_me driver needs to be enabled and /dev/mei0 should exist.
In your case, just installing the PSW doesn't require mei_me support. What error are you getting while installing PSW ? Also can you double check that SGX is enabled in BIOS Settings (i think its enabled, as you mentioned that driver installation is successful). Also can you redo the process of uninstalling/Installing sgx-driver sgx-psw in that order again ?
Thank you for your help Shivananda. My post isn't completely accurate, allow me to clarify.
I've managed to perform the installation of PSW but when I check its status there is an error in the logs. I can run the sample enclave successfully, but I am creating an application that performs remote attestation and that is what fails. Hence my doubt on whether I need more than just SGX to run some functionality (like remote attestation).
The error is "16385 (SGX_ERROR_SERVICE_UNAVAILABLE)" and it happens when calling sgx_create_pse_session. If I try skipping this call and go directly to sgx_ra_init then it fails with the error 16392 (SGX_ERROR_AE_SESSION_INVALID).
Attached is a log file, log-170706-1520.txt, with the statuses of (1) the JHI service after restarting this service, (2) the AESM service after restarting this service, and (3) the JHI service after the restart of AESM. Both services are showing errors, the AESMD is showing "aesm_service: [ADMIN]Platform Services initialization failed due to DAL error".
I've wondering whether this is what causing the call to sgx_create_pse_session to fail thus preventing me with advancing with the remote attestation.
- The answer to my initial question "Do I need a motherboard with Intel AMT to use Intel SGX in hardware mode?" appears to be no: my mobo doesn't seem to support AMT but I am now able to use SGX in HW mode. Although I do have the mei and mei_me modules, I still do not have the mei0 device. Not sure if it could be under a different name.
- I was able to successfully call the function sgx_ra_init. (Attempting to initiate PSE session was causing my previous errors.)
- I stopped calling sgx_create_pse_session beforehand and now I also set the pse bool, which the previous function receives as its second argument, to false.
- This allowed me to get a stable GID which the Intel AS accepts.
- I can successfully run the LocalAttestation, RemoteAttestation, and SampleEnclave samples. But the SealedData sample fails when trying to get the platform service capability (function sgx_get_ps_cap): this is according to what Shivananda said that without the PSE I cannot run this sample. My AESM service is running but is still printing error messages saying "DAL failure" which could be related. I don't think I'll need it but I still wonder why this is failing.
I have two questions:
- Question 1: Is the SigRL list returned by the IAS empty?
- My request to the debug Intel Attestation Service for the SigRL returns 200 (success), but the list appears to have size 0 bytes. I'm not sure whether this is because the list is empty or because I have a bug in my code.
- Question 2: Is the sgx_create_pse_session only necessary for SIM mode?
- In version 1.7 of the Developer Reference for Linux there is a note near this function in Page 196 saying "This API is only available in simulation mode."
- In version 1.8 of the Developer Reference for Linux (same manual but next version) this function appears in Page 201 and the note is no longer there.