Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1494 Discussions

Why is "Software Guard Extensions supported = false"?

rrsakura
Beginner
‎12-05-2024 04:39 AM
682 Views

My CPU is an Intel® Core™ i7-10700 Processor, and it shows support for SGX:

 

Intel® Software Guard Extensions (Intel® SGX) Yes with Intel® ME.

 

I have also set SGX to Software Controlled in the BIOS and booted the BIOS in UEFI mode.

However, when I run "cpuid | grep -i sgx" in the virtual machine, the output is:

 

      SGX: Software Guard Extensions supported = false

      SGX_LC: SGX launch config supported = false

Software Guard Extensions (SGX) capability (0x12/0):

      SGX1 supported = false

      SGX2 supported = false

      SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false

      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false

 

Why are all the values showing as "false"?

0 Kudos

Link Copied

8 Replies
Scott_R_Intel
Moderator
‎12-05-2024 06:01 AM
646 Views

Hello.

 

"Software Controlled" mode means a piece of software has to write to a specific UEFI variable and reboot before SGX is actually enabled.  You should set SGX to "Enabled" in the BIOS if you want it to actually be enabled without using the aforementioned app to enable. 

0 Kudos
Copy link
rrsakura
Beginner
‎12-05-2024 05:44 PM
596 Views

Hello, after setting SGX to "Enabled" in the BIOS, I am still encountering the above situation.

Additionally, when I try to install the SGX driver "sgx_linux_x64_driver_1.41.bin", the following error appears:

Creating symlink /var/lib/dkms/sgx/1.41/source -> /usr/src/sgx-1.41

Kernel preparation unnecessary for this kernel. Skipping...

Building module:

cleaning build area...

'make' KDIR=/lib/modules/6.8.0-49-generic/build...(bad exit status: 2)

Failed to build driver.

DKMS make.log for sgx-1.41 for kernel 6.8.0-49-generic (x86_64)

Makefile:24: *** Can't install DCAP SGX driver with inkernel SGX support.  Stop.  

 Is there any solution to this?

0 Kudos
Copy link
n_scott_pearson
Super User
‎12-05-2024 05:54 PM
584 Views

There is always the possibility that the BIOS has a bug in it. Have you checked to see if there are any BIOS updates for your motherboard/system?

Hope this helps,

...S

0 Kudos
Copy link
rrsakura
Beginner
‎12-05-2024 11:16 PM
556 Views

Hello, I encountered a new issue. After configuring SGX and PCCS, when I run the command "PCKIDRetrievalTool", it reports an error:

 

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.22.100.3

Warning: platform manifest is not available or current platform is not multi-package platform.
the pccs_url setting coming from network_setting.conf, and the value is: https://localhost:8081/sgx/certification/v4/platforms.
the use_secure_cert setting coming from network_setting.conf, and the value is: FALSE.
the user_token setting coming from network_setting.conf, and the value is: *** (actual value hidden).
the proxy_type setting coming from network_setting.conf, and the value is: DIRECT.
Error: the input password is not correct.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!

 

Another window running "node pccs_server.js" also reports an error:

 

2024-12-06 06:49:46.285 [info]: HTTPS Server is running on: https://localhost:8081
2024-12-06 06:49:55.733 [info]: Client Request-ID : 759dc7c1f52e4a0fae468a5b6d0399d3
2024-12-06 06:49:55.742 [error]: Error: Authentication failed.
    at validateUser (file:///opt/intel/pccs/middleware/auth.js:45:13)
    at Layer.handle [as handle_request] (/opt/intel/pccs/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/intel/pccs/node_modules/express/lib/router/route.js:144:13)
    at Route.dispatch (/opt/intel/pccs/node_modules/express/lib/router/route.js:114:3)
    at Layer.handle [as handle_request] (/opt/intel/pccs/node_modules/express/lib/router/layer.js:95:5)
    at /opt/intel/pccs/node_modules/express/lib/router/index.js:284:15
    at Function.process_params (/opt/intel/pccs/node_modules/express/lib/router/index.js:346:12)
    at next (/opt/intel/pccs/node_modules/express/lib/router/index.js:280:10)
    at /opt/intel/pccs/node_modules/body-parser/lib/read.js:137:5
    at AsyncResource.runInAsyncScope (node:async_hooks:203:9)
    at invokeCallback (/opt/intel/pccs/node_modules/raw-body/index.js:238:16)
    at done (/opt/intel/pccs/node_modules/raw-body/index.js:227:7)
    at IncomingMessage.onEnd (/opt/intel/pccs/node_modules/raw-body/index.js:287:7)
    at IncomingMessage.emit (node:events:525:35)
    at endReadableNT (node:internal/streams/readable:1358:12)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)
2024-12-06 06:49:55.746 [info]: XXX.XXX.XXX.XXX - - [06/Dec/2024:06:49:55 +0000] "POST /sgx/certification/v4/platforms HTTP/1.1" 401 22 "-" "-"

 

Could you please clarify what the "input password" is? I have already subscribed to the Intel API keys and written the primary key into config/default.json. Where exactly should I input the password?

0 Kudos
Copy link
Scott_R_Intel
Moderator
‎12-06-2024 05:50 AM
515 Views

In the PCCS config file (/opt/intel/sgx-dcap-pccs/config/default.json), there are two fields that are passwords:  "UserTokenHash" and "AdminTokenHash".  These are asked for during the initial install/setup script of the PCCS and stored.  You can manually create password hashes to add to the config file after installation with the command line below (as found in the PCCS install script):

 

MY_PASSWORD | sha512sum | tr -d '[:space:]-'

 

Regards.

 

0 Kudos
Copy link
rrsakura
Beginner
‎12-09-2024 11:57 PM
401 Views

Thank you very much for your response.

After the password issue was resolved, a new error occurred:

 

Error: unexpected error occurred while sending data to cache server.

 

The error message from the PCCS side is:

 

2024-12-10 07:38:08.098 [info]: Client Request-ID : 2b6c52bfa29f42b3b8fe79b0f584fb41
2024-12-10 07:38:09.630 [info]: Request-ID is : 4099e5a5eceb4a25b1bceaab042360d5
2024-12-10 07:38:09.631 [debug]: Request URL https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts
2024-12-10 07:38:09.631 [error]: Intel PCS server returns error(404).
2024-12-10 07:38:09.631 [error]: Intel PCS server returns error. Error code : 404
2024-12-10 07:38:09.632 [error]: Error: No cache data for this platform.

 

I encountered the same issue while conducting another experiment to access PCCS, and I am quite unsure about the cause. Could you please explain what might be causing the "No cache data" error? 
0 Kudos
Copy link
rrsakura
Beginner
‎12-12-2024 12:38 AM
288 Views

By the way, my PCCS service is running in a container using the intel/pccs image. I have looked at some past solutions for the same issue, which mention that PCCS cannot be started in a virtual machine. Does this also mean it cannot be started in a container?

0 Kudos
Copy link
Scott_R_Intel
Moderator
‎12-18-2024 08:35 AM
132 Views

Can you please run the following and provide the output?  Thanks.

(for Ubuntu)

 

sudo apt install msr-tools ; sudo modprobe msr
cpuid -1 -r -l 1
sudo rdmsr 0x00000017 -f 52:50

 

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.