Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

SGX dependency distribution in Server Machines.

Anandakumar
New Contributor II
695 Views

Hello All,

I wonder how SGX dependencies are installed in production servers. In our Data Centers we have certain rules like not to install any compilers etc.. 

But in SGX Driver installation GCC is required in both source build and using prebuilt bin installation.

Also we are facing "unknown symbol error" for minor Kernel version changes.

 

[ 9329.339509] isgx: loading out-of-tree module taints kernel.
[ 9329.339681] isgx: module verification failed: signature and/or required key missing - tainting kernel
[ 9329.339733] isgx: disagrees about version of symbol wake_up_process
[ 9329.339735] isgx: Unknown symbol wake_up_process (err -22)
[ 9329.339746] isgx: disagrees about version of symbol _dev_info
[ 9329.339748] isgx: Unknown symbol _dev_info (err -22)
[ 9329.339796] isgx: disagrees about version of symbol put_pid
[ 9329.339798] isgx: Unknown symbol put_pid (err -22)
[ 9347.586860] isgx: disagrees about version of symbol wake_up_process

 

 

We tried to install SGX 2.7 in CentOS 7.6 running on Xeon E2288 single socket processor machine. SGX 2.7 supports CentOS 7.5 and above I guess.

Recommend some procedures and correct me if I made any mistake.

0 Kudos
1 Solution
JesusG_Intel
Moderator
675 Views

Hello Anand,


If you try to install the SGX drivers from 01.org you must use gcc and other build tools. One workaround is that you can build your own kernel including the SGX driver, and then it would just be an installation package (i.e. .deb file for Ubuntu or .rpm for RHEL). You can git clone the kernel “tip” tree to be able to do this: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/sgx

 

Unless or until the driver is signed by the distribution/kernel maintainers, you will always get the tainted kernel errors, no matter the OS distribution/version. Intel is working on getting the SGX linux driver into the kernel tree.

 

As soon as the driver gets in to the mainline Linux kernel tree and then the distributions start building/testing/signing/distributing through the normal repo channels, you’ll no longer have these types of issues.

 

Also, you should upgrade to the latest version of SGX, 2.12, since SGX v2.7 is outdated (November 2019). This may be why you are getting the unknown symbol errors.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

2 Replies
JesusG_Intel
Moderator
684 Views

Hello Anand,


I am looking into this for you.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
JesusG_Intel
Moderator
676 Views

Hello Anand,


If you try to install the SGX drivers from 01.org you must use gcc and other build tools. One workaround is that you can build your own kernel including the SGX driver, and then it would just be an installation package (i.e. .deb file for Ubuntu or .rpm for RHEL). You can git clone the kernel “tip” tree to be able to do this: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/sgx

 

Unless or until the driver is signed by the distribution/kernel maintainers, you will always get the tainted kernel errors, no matter the OS distribution/version. Intel is working on getting the SGX linux driver into the kernel tree.

 

As soon as the driver gets in to the mainline Linux kernel tree and then the distributions start building/testing/signing/distributing through the normal repo channels, you’ll no longer have these types of issues.

 

Also, you should upgrade to the latest version of SGX, 2.12, since SGX v2.7 is outdated (November 2019). This may be why you are getting the unknown symbol errors.


Sincerely,

Jesus G.

Intel Customer Support


Reply