Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

SGX models that support DCAP

Wu__Wan_Jen
Beginner

Hi, I've recently been working on a project that needs to use the DCAP service for attestation and am trying to build an FLC-enabled machine, but have had trouble obtaining suitable hardware.

According to the official GitHub READMEs, DCAP only works with:

1. 8th Generation Intel(R) Core(TM) Processor or newer with Flexible Launch Control and Intel(R) AES New Instructions support*

2. Intel(R) Atom(TM) Processor with Flexible Launch Control and Intel(R) AES New Instructions support*

According to this blog post, "update on 3rd party attestation", currently only Xeon E processors and NUC hardware (NUC7CJYH / NUC7PJYH) support flexible launch control.

We looked through product specs (i8 and newer, Xeon E) for SGX-specific information but found nothing on FLC features; furthermore, there is no mention of the motherboard requirements for FLC-enabled machines.

We're settling on Xeon E processors but are not sure which hardware combinations satisfy our requirements.

We've been stuck on this for a while, and wonder if anyone has successfully built an FLC-enabled machine or implemented a project with DCAP functionalities?

Scott_R_Intel
Employee

Hello.

FLC support in Xeon E systems is dependent on the BIOS and firmware. The platform must have an Intel® Server Platform Services (SPS) based BIOS and firmware. You must check with your platform OEM to verify if it is SPS based or not. Also, only the top three SKUs of the Xeon E-21xx family support FLC (E-2174G, E-2176G, E-2186G) on SPS based platforms.

Regards.

Scott

Chen__Feng
Beginner

Hi Scott,

 

We have a server with "Intel® Xeon® Processor E3-1270 v5". According to its specs here, it comes with SPS, but we bought it in 2017.

So, can it be used for DCAP service?

 

Thanks,

 

Feng

guan__jixing
Novice

You can use cpuid to check if it supports FLC.

> cpuid -r -1

Find the 0x00000007 line and the content of ecx; if ecx's 2nd bit from the left side is 1, it supports FLC.
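
The check described in the post above, as an added shell example that is not part of the original thread: it parses `cpuid -r -1` output, takes leaf 0x00000007 subleaf 0, and tests ECX bit 30 (the 2nd bit from the left of the 32-bit value) for FLC, plus EBX bit 2 for SGX. The function names and the sample register values are constructed for illustration; the result reflects only what the CPU enumerates, and as the Intel replies in this thread state, the platform and BIOS must still enable it.

```shell
#!/bin/sh
# Added example: decode the SGX and FLC bits from `cpuid -r -1` raw output.

# Constructed sample in the line format `cpuid -r` prints. The register values
# are made up for illustration and do not come from any machine in this thread.
SAMPLE_CPUID_RAW='CPU:
   0x00000000 0x00: eax=0x00000016 ebx=0x756e6547 ecx=0x6c65746e edx=0x49656e69
   0x00000007 0x00: eax=0x00000000 ebx=0x029c6fbf ecx=0x40000000 edx=0x9c000400'

# leaf7_reg <ebx|ecx>: print that register from leaf 7, subleaf 0 (stdin).
leaf7_reg() {
    sed -n 's/^ *0x00000007 0x00: .*'"$1"'=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# sgx_flc_status: read raw cpuid output on stdin, print "sgx=<0|1> flc=<0|1>".
# Returns 2 when the leaf 7 line is missing, so a truncated capture is not
# silently reported as "not supported".
sgx_flc_status() {
    input=$(cat)
    ebx=$(printf '%s\n' "$input" | leaf7_reg ebx)
    ecx=$(printf '%s\n' "$input" | leaf7_reg ecx)
    if [ -z "$ebx" ] || [ -z "$ecx" ]; then
        echo "leaf 0x00000007 subleaf 0 not found in input" >&2
        return 2
    fi
    # EBX bit 2: the CPU enumerates SGX.
    sgx=$(( ($ebx >> 2) & 1 ))
    # ECX bit 30: the "2nd bit from the left" of the 32-bit register (FLC).
    # Bit 31, the leftmost bit, is a different flag and must not be counted.
    flc=$(( ($ecx >> 30) & 1 ))
    echo "sgx=$sgx flc=$flc"
}

# Run on the constructed sample. On a real machine with the cpuid tool:
#   cpuid -r -1 | sgx_flc_status
printf '%s\n' "$SAMPLE_CPUID_RAW" | sgx_flc_status
```
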

 

吴__奇泽
Beginner

guan, jixing wrote:

You can use cpuid to check if it supports FLC.

> cpuid -r -1

Find the 0x00000007 line and the content of ecx; if ecx's 2nd bit from the left side is 1, it supports FLC.

I used "cpuid -r -1" and got this output. Does it mean my computer supports FLC?

 

 

JesusG_Intel
Moderator

Hello 吴, 奇泽,

Yes, your processor supports FLC.

Regards,

Jesus

Intel Customer Support

IgorTurovsky
Employee

Hi team, please clarify whether the Xeon E 2236 and Xeon E 2288 support FLC or not.

JesusG_Intel
Moderator

Hello Igor,


The processor cores of the Xeon 2236 and 2288 do support FLC. HOWEVER, the platform and BIOS must enable it, so it is not guaranteed that a system with these processors will have FLC enabled. Always check with your OEM when purchasing a platform if it supports SGX and Flexible Launch Control.


Chris-mode51
Beginner

Hi,

 

Does a 10th Gen Ice Lake i3-1005G1 support FLC and DCAP even without SPS?

 

I appreciate SGX is no longer available in 11th gen consumer laptops but I'm considering buying a 10th gen.

If not then I think perhaps something with a Xeon E-2244G because according to this post the 2236 and 2288 are supported.

Chris-mode51
Beginner

Decided to buy the rather excellent HPE Microserver with a Xeon E-2224 as a dev platform:

https://buy.hpe.com/uk/en/servers/proliant-microserver/proliant-microserver/proliant-microserver/hpe...

...with the add on TPM:

https://buy.hpe.com/uk/en/options/enterprise-security-protection/security-modules/security-chips-mod...

 

I concluded that the 10th gen core CPUs do have SGX and probably FLC but don't have TXT (but do have a TPM) and that I most likely need a server Xeon chip for SGX DCAP.

 

Chris-mode51
Beginner

Unfortunately I've found that the HPE Microserver Gen 10 Plus doesn't have SGX enablement in the BIOS.

It is supported by the Xeon E-2224, I just can't see an HPE way to enable it.

The standard features section indicates SGX isn't supported:

https://h20195.www2.hpe.com/v2/gethtml.aspx?docname=a00073554enw

 

JesusG_Intel
Moderator

Hello Chris-mode51,

 

You have discovered why it is so difficult to tell if a platform supports certain SGX features. The processor may support the technology but it is up to the OEM to implement the functionality in their BIOS. This article explains more:

 

Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications

 

Sincerely,
Jesus G.

Intel Customer Support

JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

