Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Unable to install sgx DCAP driver

urnotcoward
Beginner
3,409 Views

Today, follow the official tutorial to configure sgx DCAP:

https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html

The goal is to install open enclave to develop trusted programs:

https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_20.04.md

 

But the system got the following error when installing sgx dcap:

wynn@wynn-ThinkCentre-E97:~$ sudo ./sgx_linux_x64_driver_1.41.bin
Unpacking Intel SGX Driver ... done.
Verifying the integrity of the install package ... done.
Installing Intel SGX Driver ...
/tmp/sgx-driver-Zetugn /home/wynn
install -d /opt/intel/sgxdriver/package
install -d /opt/intel/sgxdriver/scripts
cp -r package/* /opt/intel/sgxdriver/package
install scripts/* /opt/intel/sgxdriver/scripts
/home/wynn

Kernel preparation unnecessary for this kernel. Skipping...

Building module:
cleaning build area...
'make' KDIR=/lib/modules/5.15.0-43-generic/build...(bad exit status: 2)
ERROR (dkms apport): binary package for sgx: 1.41 not found
Error! Bad return status for module build on kernel: 5.15.0-43-generic (x86_64)
Consult /var/lib/dkms/sgx/1.41/build/make.log for more information.

Failed to build driver. Please check if the matching kernel headers are installed.

 

In addition, I tried the 1.36 version of sgx DACP and failed.

Is it the reason that the kernel version does not conform?

 

Specifically, do I need to replace the kernel, or is there an adapted version of DCAP?

 

If the kernel needs to be replaced, what needs to be done specifically? I'm not very clear about the operation in this regard. I tried to replace it before but the system went wrong.Please give some details if possible!!!

 

Looking forward to a professional recovery, thanks!

 

0 Kudos
1 Solution
Sahira_Intel
Moderator
3,383 Views

Hi,


Please check if matching kernel headers are installed by running:

dpkg-query -s linux-headers-$(uname -r)


Then to install matching headers, run the following command:

sudo apt-get install linux-headers-$(uname -r)


Sincerely,

Sahira



View solution in original post

0 Kudos
8 Replies
Sahira_Intel
Moderator
3,384 Views

Hi,


Please check if matching kernel headers are installed by running:

dpkg-query -s linux-headers-$(uname -r)


Then to install matching headers, run the following command:

sudo apt-get install linux-headers-$(uname -r)


Sincerely,

Sahira



0 Kudos
urnotcoward
Beginner
3,265 Views

wynn@wynn-ThinkCentre-E97:~$ dpkg-query -s linux-headers-$(uname -r)
Package: linux-headers-5.15.0-43-generic
Status: install ok installed
Priority: optional
Section: devel
Installed-Size: 25605
Maintainer: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Architecture: amd64
Source: linux-hwe-5.15
Version: 5.15.0-43.46~20.04.1
Provides: linux-headers, linux-headers-3.0
Depends: linux-hwe-5.15-headers-5.15.0-43, libc6 (>= 2.22), libelf1 (>= 0.142), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.2.3.3)
Description: Linux kernel headers for version 5.15.0 on 64 bit x86 SMP
This package provides kernel header files for version 5.15.0 on
64 bit x86 SMP.
.
This is for sites that want the latest kernel headers. Please read
/usr/share/doc/linux-headers-5.15.0-43/debian.README.gz for details.

0 Kudos
Scott_R_Intel
Employee
3,352 Views

Hello.

 

Linux kernel versions v5.11 and newer have the SGX driver that supports DCAP built in, so you do not have to (and should not try to) manually install the DCAP driver.

 

Regards.

 

Scott  

0 Kudos
urnotcoward
Beginner
3,264 Views

Hello, 

thanks for your reply, 

I would like to check the detail with you.

 

my linux-headers:

wynn@wynn-ThinkCentre-E97:~$ dpkg-query -s linux-headers-$(uname -r)
Package: linux-headers-5.15.0-43-generic
Status: install ok installed
Priority: optional
Section: devel
Installed-Size: 25605
Maintainer: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Architecture: amd64
Source: linux-hwe-5.15
Version: 5.15.0-43.46~20.04.1
Provides: linux-headers, linux-headers-3.0
Depends: linux-hwe-5.15-headers-5.15.0-43, libc6 (>= 2.22), libelf1 (>= 0.142), libssl1.1 (>= 1.1.0), zlib1g (>= 1:1.2.3.3)
Description: Linux kernel headers for version 5.15.0 on 64 bit x86 SMP
This package provides kernel header files for version 5.15.0 on
64 bit x86 SMP.
.
This is for sites that want the latest kernel headers. Please read
/usr/share/doc/linux-headers-5.15.0-43/debian.README.gz for details.

 

wynn@wynn-ThinkCentre-E97:~$ dmesg | grep -i sgx
[ 0.353577] sgx: EPC section 0x90200000-0x95ffffff

 

Is this sgx the sgx DACP driver? What else do I need to activate and configure?

 

Sincerely,

urnotcoward

 

0 Kudos
Scott_R_Intel
Employee
3,255 Views

Yes, that is the in-kernel SGX driver that does support DCAP.  It is not to be confused with the DCAP driver that we publish on GitHub, which is a bit different.  There is nothing else you need to do or configure from the driver point of view.  You should now see the SGX device nodes available, ie:

 

ls -la /dev/sgx*
crw-rw-rw- 1 root root 10, 125 Aug 29 13:38 /dev/sgx_enclave
crw------- 1 root root 10, 126 Aug 29 13:38 /dev/sgx_provision
crw------- 1 root root 10, 124 Aug 29 13:38 /dev/sgx_vepc

 

You do now need to install the rest of the Intel SGX Platform Software (PSW) to be able to use SGX.  Please see our Linux Install Guide for more info.

 

Scott

0 Kudos
urnotcoward
Beginner
3,243 Views

hello Scott,

 

First of all, thanks for the reply!

 

According to you guide,I can see  SGX device nodes:

wynn@wynn-ThinkCentre-E97:~$ ls -la /dev/sgx*
crw-rw-rw- 1 root root 10, 125 9月 6 11:32 /dev/sgx_enclave
crw-rw---- 1 root sgx_prv 10, 126 9月 6 11:32 /dev/sgx_provision
crw------- 1 root root 10, 124 9月 6 11:32 /dev/sgx_vepc

/dev/sgx:
总用量 0
drwxr-xr-x 2 root root 80 9月 6 11:32 .
drwxr-xr-x 20 root root 4640 9月 7 17:22 ..
lrwxrwxrwx 1 root root 14 9月 6 11:32 enclave -> ../sgx_enclave
lrwxrwxrwx 1 root root 16 9月 6 11:32 provision -> ../sgx_provision

 

Next I will try to continue installing sdk and psw.

In addition, I want to make sure that the sgx driver is the same driver as your official website DACP? After installing the SGX SDK and PWS based on it, can the remote attestation function be provided normally?

 

Sincerely,

urnotcoward

0 Kudos
urnotcoward
Beginner
3,242 Views

In addition, I need not to install and configure the PCCS,  alright ?

https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html

 

I can debug the sgx project by directly installing the SDK and PSW, right?

 

 

0 Kudos
Scott_R_Intel
Employee
3,231 Views

Yes, from an API perspective, the in-kernel driver is the same as our DCAP driver on GitHub, and going forward, the in-kernel driver is/will be the more "officially" supported.  At some point in the future once enough distros have moved forward to newer kernels that have the SGX in-kernel driver, we will ultimately drop support for the GitHub DCAP driver.  Also, no newer features will be added to the DCAP driver such as Enclave Dynamic Memory Management (EDMM), which is now in the v6 rc kernel source tree and therefore will be released as part of the Linux kernel v6, but will not be added to the GitHub DCAP driver.

 

Yes, to be able to use DCAP/ECDSA based attestation, you will need to setup a local PCCS.  Again, our Linux Install Guide walks you through most/all of this, including the setup of the PCCS in an Appendix of that guide.

 

Yes, you can debug enclaves with gdb once you have the SGX SDK installed.  More info on the "Enclave Debugger" can be found in our SGX Developer  Reference.

 

Regards.

Scott

0 Kudos
Reply