Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Unable to enable SGX using PSW + software controlled

Kaplan__Matthew
Beginner
4,183 Views

Intel has the weirdest circular logic in their install method for SGX. I have an Asus Z170 Mobo which is definitely SGX capable (others have confirmed it working). In the BIOS settings (which I recently updated), you can't enable SGX by default but you can set it to 'Software Control'. I did that and attempted to install the PSW which fails with this error:

This platform is not SGX-compatible. Please check your SGX BIOS settings. Install will cancel.
 

Others have suggested extracting the .msi from the PSW .exe and installing that way using msiexec - I tried this but still get the same error. The problem here is that to 1) to enable SGX, the SGX api software needs the PSW installed and that 2) the PSW needs SGX enabled in order to even allow it to be installed on the system at all. Who designed this horribly buggy workflow? Has anybody figured out a way to get this to work? Thanks in advance!

 

 

0 Kudos
6 Replies
Rodolfo_S_
New Contributor III
4,183 Views

Hi, Matthew.

I believe you can enable SGX on your machine only with the SDK installed.
For that you can use the sgx_cap_enable_device. You can check the documentation here.

Regards,

Rodolfo

0 Kudos
Kaplan__Matthew
Beginner
4,183 Views

Hi Rodolfo, thats exactly the problem. The SDK requires the SGX PlatformSoftware (PSW - their acronym) and the PSW simply WON'T install on a system that doesn't have SGX already enabled. From their own documentation for the SDK : 

Required Hardware: 6th generation Intel® Core™ processor (or later) based platform with Intel SGX-enabled BIOS support

and to begin developing applications : 

To develop applications enabled with Intel® Software Guard Extensions (Intel® SGX), download and install both of the following, in this order:

  1. Platform software for Intel® Software Guard Extensions for Windows* (Intel® SGX SDK for Windows*)
  2. Intel SGX SDK for Windows

So what is a consumer supposed to do who only has 'Software Control' options in the BIOS but no 'Enable' option? This seems wildly unusable.

0 Kudos
Francisco_C_Intel
4,183 Views

Rodolfo is correct, sgx_cap_enable_device() does NOT require the PSW in order to work. However, it does require admin privileges in order to succeed.

On the other hand, sgx_enable_device() does NOT require admin privileges, but DOES require the PSW installed in order to work.

If your system is in "Software Control", the PSW should install, even if SGX hasn't been enabled yet. If you find that this is not the case, can you please provide the PSW version you are trying to install?

It's possible the BIOS settings aren't being reflected properly in what they are displaying. You could try the following (assuming the BIOS vendor has given you the choices):

1) Go into BIOS setup, set SGX to DISABLED

2) Reboot

3) Go into BIOS setup, set SGX back to SW Control

4) Reboot

5) Try to install PSW again.

Thanks,

Francisco

 

 

0 Kudos
Kaplan__Matthew
Beginner
4,183 Views

Thanks Francisco! I went into the BIOS and disabled SGX, reset, and then went back into the BIOS and set the SGX configuration to Software Control. I also downloaded the latest version of the PSW - version 1.9.100.41172. When I tried to install that version of the PSW, I get : 

Fatal installation blocking issues are detected. This platform is not Intel® SGX-compatible. Please check your Intel® SGX BIOS settings. Install will cancel.

I tried with my original PSW version (1.7.102.37526) and got a similar error message. It seems clear that the PSW doesn't consider Software Enabled a valid platform for installation. As I noted above, in their own documentation it seems to require a setting of 'Enabled' to function. Is their some indication somewhere that it >should< work? All the forums seem to indicate other people have the same problems I have been having. Thanks

0 Kudos
Francisco_C_Intel
4,183 Views

There are a couple of problems that you could be seeing.

Can you specify the CPU you are using?

Another possibility is that it is possible to have BIOS in a state that even though it supports UEFI the OS was installed in Legacy mode. This can be determined by writing a program that does

  const TCHAR* DUMMY_GUID = TEXT("{00000000-0000-0000-0000-000000000000}");
  GetFirmwareEnvironmentVariable(TEXT(""), DUMMY_GUID, NULL, 0);

and then inspecting GetLastError(). A value of ERROR_INVALID_FUNCTION indicates the OS isn't using UEFI. This function is described in https://msdn.microsoft.com/en-us/library/windows/desktop/ms724325(v=vs.85).aspx

A quicker way that doesn't require you to write code and will get almost the same information is running the following from PowerShell

Get-SecureBootUefi -Name SetupMode

Thanks,
Francisco

0 Kudos
L__Sam
Beginner
4,183 Views

In case somebody comes across this thread, I stumbled on a method that appears to have worked for me.

Download and run Cyberlink UHD BD-Advisor. https://www.cyberlink.com/prog/bd-support/diagnosis.do
You'll have to provide an email, but you shouldn't need to create an account or anything.

Basically, playback of UHD discs on a PC requires SGX, and this tool helps you figure out if your machine has all of the requirements for doing so. Handily, it also appears to be able to install/enable SGX.

Once you've got the tool running, run the test for UltraHD Blu-ray compatibility. It'll prompt for admin privileges, so just hit 'yes'. Once the scan is complete, you'll see a list of all the "pass" and "not available" results. One of the items at the top will be for Intel SGX. Presumably, the test for SGX will show "not available" this time around. If you click on the "not available" result for SGX, or the little information icon to the right, you should get a pop-up asking you if you want it to install SGX for you. Hit "install", and then reboot your computer.

After doing this, SGX showed up in device manager (under the "Software Components" category), and running the Cyberlink tool again resulted in a "pass" result for the SGX test.

Reply