I am developing an SGX-based solution, using a cloud vendor to deliver an SGX-capable machine. This machine has the driver, PSW & SDK installed and correct support for SGX1 & SGX2 as per output from both cpuid | grep -i sgx and https://github.com/ayeks/SGX-hardware. The machine has the following CPU:
kss@fluency:~/linux-sgx$ cat /proc/cpuinfo | grep 'name'| uniq
model name : Intel(R) Xeon(R) Silver 4314 CPU @ 2.40GHz
The https://github.com/intel/linux-sgx/tree/master/SampleCode/SampleEnclave works correctly in HW mode. However, when performing an EPID Remote Attestation, an IAS server returns an SGX_ERROR_UNRECOGNIZED_PLATFORM error. The same error is also returned when a local Enclave quote is requested.
This came as a surprise, however surely enough, there is a little note in https://github.com/intel/linux-sgx/blob/master/README.md :
Note: Ice Lake Xeon-SP (and the future Xeon-SP platforms) doesn't support EPID attestation.
This note seems to explain the root of the issue, although it directly contradicts the output from both cpuid | grep -i sgx and https://github.com/ayeks/SGX-hardware.
Performing an attestation is crucial to the solution I'm developing. ECDSA attestation could be an option (Ice Lake Xeons seem to support it) but it seems to be significantly more complex to develop. I am hoping to get a quick win with an EPID attestation instead.
Therefore the question is: what is the full list of CPUs supporting SGX2 and EPID attestation? I would like to provide my cloud provider with an exhaustive list like this, so that it's easier for him to provide a correct CPU.
Kind regards,
Kris
Hi Kris,
The SGX_ERROR_UNRECOGNIZED_PLATFORM error observed could be due to Intel EPID Provisioning having failed. This happens when the platform is not recognized by the back-end server.
The article "Which Platforms Support Intel Software Guard Extensions (Intel SGX) SGX2?" can guide you on which CPUs support SGX2.
As for EPID support, all consumer CPUs and all Xeon E-xxxx CPUs that support SGX support EPID. However, our newest 3rd Generation Intel® Xeon® Scalable Processors (codename Ice Lake Server) and all future Scalables only support DCAP (no EPID support).
Regards,
Ken
Thanks for the answer.
May I ask what is the reasoning behind removing EPID support in all new SP processors? Is EPID Attestation expected to be discontinued in the future?
Hi Kris,
Data center customers and the ecosystem have moved toward ECDSA-based attestation, away from EPID, because it affords them more control, relying less on Intel infrastructure. Regarding the future of EPID attestation support, we cannot comment on future roadmaps.
Regards,
Ken
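The point this thread turns on is that the CPUID SGX bits say nothing about which attestation scheme a platform supports. The following pre-flight check is an added example, not part of the original posts or of Intel's SDK. It assumes a kernel that exposes the `sgx` flag in /proc/cpuinfo, and its model-name patterns and result labels are hypothetical heuristics that encode only the rule stated in the reply above.

```python
import re

# Constructed sample: the model name is the one quoted in the thread; the
# flags line is shortened and made up for illustration.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Intel(R) Xeon(R) Silver 4314 CPU @ 2.40GHz\n"
    "flags\t\t: fpu vme sse2 sgx sgx_lc\n"
)

# Heuristic patterns (assumptions, not an Intel-published list).
XEON_SCALABLE = re.compile(r"Xeon\(R\) (Bronze|Silver|Gold|Platinum) \d{4}")
XEON_E = re.compile(r"Xeon\(R\) E-\d{4}")


def parse_cpuinfo(text):
    """Return (model_name, flags) taken from the first processor entry."""
    model, flags = None, set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "model name" and model is None:
            model = value.strip()
        elif key == "flags" and not flags:
            flags = set(value.split())
    return model, flags


def attestation_options(text):
    """Classify a platform using the rule given in the thread.

    The 'sgx' flag only says the instruction set is usable; the attestation
    scheme depends on the processor family.
    """
    model, flags = parse_cpuinfo(text)
    if model is None:
        return "unknown"
    if "sgx" not in flags:
        # May also mean SGX is disabled in firmware or the kernel is too old.
        return "sgx-flag-absent"
    if XEON_SCALABLE.search(model):
        return "dcap-only"   # Xeon Scalable: ECDSA/DCAP, no EPID
    if XEON_E.search(model) or "Core(TM)" in model:
        return "epid"        # consumer and Xeon E-xxxx parts
    return "unknown"


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        print(attestation_options(f.read()))
```

An "unknown" or "sgx-flag-absent" result means the heuristic cannot decide, not that attestation is unavailable.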