Solved: SGX models that support DCAP

Wu__Wan_Jen · ‎08-26-2019

Hi, I'm recently working on a project that needs to use the DCAP service for attestation and am trying to build a FLC-enabled machine, but have had trouble obtaining suitable hardware.

According to official github readmes, DCAP only works with:

1. 8th Generation Intel(R) Core(TM) Processor or newer with Flexible Launch Control and Intel(R) AES New Instructions support*

2. Intel(R) Atom(TM) Processor with Flexible Launch Control and Intel(R) AES New Instructions support*

According to this blog "update on 3rd party attestation", currently only Xeon E processors and NUC hardware(NUC7CJYH / NUC7PJYH) support flexible launch control.

We looked through product specs(i8 and newer, Xeon E) for SGX specific information but found nothing on FLC features; furthermore, there are no mentions on the motherboard requirements for FLC-enabled machines.

We're settling on Xeon E processors but are not sure which hardware combinations satisfy our requirements.

We've been stuck on this for a while, and wonder if anyone has successfully built a FLC-enabled machine or implemented a project with DCAP functionalities?

JesusG_Intel · ‎08-20-2020

Hello Igor,

The processor core of the Xeon 2236 and 2288 do support FLC. HOWEVER, the platform and BIOS must enable it so it is not guaranteed that a system with these processors will have FLC enabled. Always check with your OEM when purchasing a platform if it supports SGX and Flexible Launch Control.

View solution in original post

Scott_R_Intel · ‎09-03-2019

Hello.

FLC support in Xeon E systems is dependent on the BIOS and firmware. The platform must have an Intel® Server Platform Services (SPS) based BIOS and firmware. You must check with your platform OEM to verify if it is SPS based or not. Also, only the top three SKU's of the Xeon E-21xx family support FLC (E-2174G, E-2176G, E-2186G) on SPS based platforms.

Regards.

Scott

Chen__Feng · ‎10-07-2019

Hi Scott,

We have a server with "Intel® Xeon® Processor E3-1270 v5". From its specs here, it is with SPS, but we bought in 2017.

So, can it be used for DCAP service?

Thanks,

Feng

guan__jixing · ‎10-11-2019

u can use cpuid to check if it supports FLC.

> cpuid -r -1

find the 0x00000007 line and content of ecx, if ecx's 2nd bit from left side is 1, it supports FLC.

吴__奇泽 · ‎05-19-2020

guan, jixing wrote:
u can use cpuid to check if it supports FLC.
> cpuid -r -1
find the 0x00000007 line and content of ecx, if ecx's 2nd bit from left side is 1, it supports FLC.

I used "cpuid -r -1" and out as this .Dose it means my computer supports FLC ?

JesusG_Intel · ‎05-19-2020

Hello 吴, 奇泽,

Yes, your processor supports FLC.

Regards,

Jesus

Intel Customer Support

IgorTurovsky · ‎08-06-2020

Hi teams, pls clarify Xeon E 2236 and Xeon E 2288 support FLC or not?

JesusG_Intel · ‎08-20-2020

Hello Igor,

The processor core of the Xeon 2236 and 2288 do support FLC. HOWEVER, the platform and BIOS must enable it so it is not guaranteed that a system with these processors will have FLC enabled. Always check with your OEM when purchasing a platform if it supports SGX and Flexible Launch Control.

Chris-mode51 · ‎08-31-2021

Hi,

Does a 10th Gen Ice Lake i3-1005G1 support FLC and DCAP even without SPS?

I appreciate SGX is no longer available in 11th gen consumer laptops but I'm considering buying a 10th gen.

If not then I think perhaps something with a Xeon E-2244G because according to this post the 2236 and 2288 are supported.

Chris-mode51 · ‎09-01-2021

Decided to buy the rather excellent HPE Microserver with a Xeon E-2224 as a dev platform:

https://buy.hpe.com/uk/en/servers/proliant-microserver/proliant-microserver/proliant-microserver/hpe...

...with the add on TPM:

https://buy.hpe.com/uk/en/options/enterprise-security-protection/security-modules/security-chips-mod...

I concluded that the 10th gen core CPUs do have SGX and probably FLC but don't have TXT (but do have a TPM) and that I most likely need a server Xeon chip for SGX DCAP.

Chris-mode51 · ‎09-06-2021

Unfortunately I've found that the HPE Microserver Gen 10 Plus doesn't have SGX enablement in the BIOS.

It is supported by the Xeon E-2224, I just can't see an HPE way to enable it.

The standard features section indicates SGX isn't supported:

https://h20195.www2.hpe.com/v2/gethtml.aspx?docname=a00073554enw

JesusG_Intel · ‎09-09-2021

Hello Chris-mode51,

You have discovered why it is so difficult to tell if a platform supports certain SGX features. The processor may support the technology but it is up to the OEM to implement the functionality in their BIOS. This article explains more:

Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications

Sincerely,
Jesus G.

Intel Customer Support

JesusG_Intel · ‎08-26-2020

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

JesusG_Intel · ‎08-26-2020

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.