Solved: SGX models that support DCAP

Wu__Wan_Jen · ‎08-26-2019

Hi, I'm recently working on a project that needs to use the DCAP service for attestation and am trying to build a FLC-enabled machine, but have had trouble obtaining suitable hardware.

According to official github readmes, DCAP only works with:

1. 8th Generation Intel(R) Core(TM) Processor or newer with Flexible Launch Control and Intel(R) AES New Instructions support*

2. Intel(R) Atom(TM) Processor with Flexible Launch Control and Intel(R) AES New Instructions support*

According to this blog "update on 3rd party attestation", currently only Xeon E processors and NUC hardware(NUC7CJYH / NUC7PJYH) support flexible launch control.

We looked through product specs(i8 and newer, Xeon E) for SGX specific information but found nothing on FLC features; furthermore, there are no mentions on the motherboard requirements for FLC-enabled machines.

We're settling on Xeon E processors but are not sure which hardware combinations satisfy our requirements.

We've been stuck on this for a while, and wonder if anyone has successfully built a FLC-enabled machine or implemented a project with DCAP functionalities?

JesusG_Intel · ‎08-20-2020

Hello Igor,

The processor core of the Xeon 2236 and 2288 do support FLC. HOWEVER, the platform and BIOS must enable it so it is not guaranteed that a system with these processors will have FLC enabled. Always check with your OEM when purchasing a platform if it supports SGX and Flexible Launch Control.

View solution in original post

Scott_R_Intel · ‎09-03-2019

Hello.

FLC support in Xeon E systems is dependent on the BIOS and firmware. The platform must have an Intel® Server Platform Services (SPS) based BIOS and firmware. You must check with your platform OEM to verify if it is SPS based or not. Also, only the top three SKU's of the Xeon E-21xx family support FLC (E-2174G, E-2176G, E-2186G) on SPS based platforms.

Regards.

Scott

Chen__Feng · ‎10-07-2019

Hi Scott,

We have a server with "Intel® Xeon® Processor E3-1270 v5". From its specs here, it is with SPS, but we bought in 2017.

So, can it be used for DCAP service?

Thanks,

Feng

guan__jixing · ‎10-11-2019

u can use cpuid to check if it supports FLC.

> cpuid -r -1

find the 0x00000007 line and content of ecx, if ecx's 2nd bit from left side is 1, it supports FLC.

吴__奇泽 · ‎05-19-2020

guan, jixing wrote:
u can use cpuid to check if it supports FLC.
> cpuid -r -1
find the 0x00000007 line and content of ecx, if ecx's 2nd bit from left side is 1, it supports FLC.

I used "cpuid -r -1" and out as this .Dose it means my computer supports FLC ?

JesusG_Intel · ‎05-19-2020

Hello 吴, 奇泽,

Yes, your processor supports FLC.

Regards,

Jesus

Intel Customer Support

IgorTurovsky · ‎08-06-2020

Hi teams, pls clarify Xeon E 2236 and Xeon E 2288 support FLC or not?

JesusG_Intel · ‎08-20-2020

Hello Igor,

The processor core of the Xeon 2236 and 2288 do support FLC. HOWEVER, the platform and BIOS must enable it so it is not guaranteed that a system with these processors will have FLC enabled. Always check with your OEM when purchasing a platform if it supports SGX and Flexible Launch Control.

Chris-mode51 · ‎08-31-2021

Hi,

Does a 10th Gen Ice Lake i3-1005G1 support FLC and DCAP even without SPS?

I appreciate SGX is no longer available in 11th gen consumer laptops but I'm considering buying a 10th gen.

If not then I think perhaps something with a Xeon E-2244G because according to this post the 2236 and 2288 are supported.

Chris-mode51 · ‎09-01-2021

Decided to buy the rather excellent HPE Microserver with a Xeon E-2224 as a dev platform:

https://buy.hpe.com/uk/en/servers/proliant-microserver/proliant-microserver/proliant-microserver/hpe-proliant-microserver-gen10-plus/p/1012241014

...with the add on TPM:

https://buy.hpe.com/uk/en/options/enterprise-security-protection/security-modules/security-chips-modules/hpe-security-module-options/hpe-trusted-platform-module-2-0-gen10-option/p/864279-B21

I concluded that the 10th gen core CPUs do have SGX and probably FLC but don't have TXT (but do have a TPM) and that I most likely need a server Xeon chip for SGX DCAP.

Chris-mode51 · ‎09-06-2021

Unfortunately I've found that the HPE Microserver Gen 10 Plus doesn't have SGX enablement in the BIOS.

It is supported by the Xeon E-2224, I just can't see an HPE way to enable it.

The standard features section indicates SGX isn't supported:

https://h20195.www2.hpe.com/v2/gethtml.aspx?docname=a00073554enw

JesusG_Intel · ‎09-09-2021

Hello Chris-mode51,

You have discovered why it is so difficult to tell if a platform supports certain SGX features. The processor may support the technology but it is up to the OEM to implement the functionality in their BIOS. This article explains more:

Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications

Sincerely,
Jesus G.

Intel Customer Support

Pavel-Niedoba · ‎03-13-2023

On my Jesus

I don't have OEM. Now what? Should I ask every PC shop about every PC they have to boot it up and run some tests on them? I could figure out which processor I need, but there is absolutely no information about what main boards and bios i need.

There is only one shop, which have those processors, they can build server for me, but without return option. I don't want to spend 2000usd on hardware which may not work at all.

I already came across SGX, SGX1, SGX2, SGX_ME, SGX_SPS, FLC, SGX_LC, WTF. No way to find out what is supported. Is intel secret features so secret that you don't tell anyone?

This is intel fault, because your standard and documentation is not sufficient. For byte sake, is it so difficult to make a list of processor name and list of flags like i can see them in lscpu?

I need support SGX_LC, do I need SPS? There is no processor which does have SPS and SGX_LC. Or I can't find it.

I go redit now, they might have more relevant answers.

JesusG_Intel · ‎08-26-2020

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

JesusG_Intel · ‎08-26-2020

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

Chris-mode51 · ‎03-13-2023

Hi Pavel,

I'm using a rented OVH Advance-1 Gen 2 server which has a Xeon 2386G with SGX enabled.

I found that Dell and HPE do have lower end machines with SGX support though not necessarily with the lowest end option. For example try the HPE DL20. The spec indicates that SGX is supported if a Xeon is selected, so presumably that means there is an option to enable it in the BIOS whereas I found that on the HPE Microserver model there isn't.

With Dells eg. the R250 the SGX info is in the Bios and UEFI doc. For example the R250 BIOS doc states:

"Intel SGX: Enables you to set the Intel Software Guard Extension (SGX) option. To enable the Intel SGX option, processor must be SGX capable, memory population must be compatible (minimum x8 identical DIMM1 to DIMM8 per CPU socket, not support on persistent memory configuration), memory operating mode must be set at optimizer mode, memory encryption must be enabled and node interleaving must be disabled. This option is set to Off by default. When this option is to Off, BIOS disables the SGX technology. When this option is to On, BIOS enables the SGX technology"

This is the output of cpuid on the OVH server:

root@sgxdev1:/home/ubuntu# cpuid | grep -i sgx
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
Software Guard Extensions (SGX) capability (0x12/0):
SGX1 supported = true
SGX2 supported = true
SGX ENCLV E*VIRTCHILD, ESETCONTEXT = true
SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = true
SGX attributes: ECREATE SECS.ATTRIBUTES (0x12/1):
SGX Enclave Page Cache (EPC) enumeration (0x12/0x2):
SGX Enclave Page Cache (EPC) enumeration (0x12/0x3):
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
Software Guard Extensions (SGX) capability (0x12/0):

lspcu output, up to Flags:

lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  12
  On-line CPU(s) list:   0-11
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Xeon(R) E-2386G CPU @ 3.50GHz
    CPU family:          6
    Model:               167
    Thread(s) per core:  2
    Core(s) per socket:  6
    Socket(s):           1
    Stepping:            1
    CPU max MHz:         5100.0000
    CPU min MHz:         800.0000
    BogoMIPS:            7008.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bt
                         s rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe po
                         pcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad
                          fsgsbase tsc_adjust sgx bmi1 avx2 smep bmi2 erms invpcid mpx avx512f avx512dq rdseed adx smap avx512ifma clflushopt intel_pt avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xs
                         aves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp hwp_pkg_req avx512vbmi umip pku ospke avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg avx512_vpopcntdq rdpi
                         d sgx_lc fsrm md_clear flush_l1d arch_capabilities

If you look at the SGX driver in a 6.x kernel then SGX_LC is always needed:

if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
		return -ENODEV;

I suspect that all the Xeon E-23xx CPUs are new enough to have it. The ARK page just states SPS in the SGX line and is the same for the 2314 and 2386.