Is there a way to enable SGX from Endeavour OS?

Reading about SGX, I discovered it can be enabled from UEFI; in the case the UEFI interface doesn’t expose a setting for that, it’s still possible to enable it via software (as long as the factory setting, which would not be visible from UEFI, is when enabled from software).

I found Intel(R) Software Guard Extensions Software Enabling Application for Linux, but it supports only three Linux distributions (and not all their releases).

Is there software for Endeavour OS that enables SGX?
Alternatively, on a computer where Windows is also installed, would enabling SGX from Windows be sufficient to enable it for Linux?

My guess is that it should not make any difference since it is after all a setting in the UEFI/BIOS.

Yes, but one of the UEFI settings for SGX is Software Controlled, which would allow software to enable it. That could also be the settings used on my computer, even if that setting isn’t shown in the UEFI interface.
I guess a value must be set in some place, to know SGX has been enabled from software. I am hoping that value is stored in a place that also Linux could access. (I know, it seems silly; maybe it’s also a vain hope.)

My thinking was if you enable it, let’s say from Windows using adequate software, the setting would still remain enabled afterwards when you boot into your Linux box as well. I might be wrong though.

There should be a setting for it in UEFI BIOS settings. It is more than likely hidden in an advanced sub menu somewhere under advanced CPU settings.

The only CPU settings I could find (in Advanced/CPU settings) are:

  • Thermal Monitor
  • Execute Disable Bit
  • Intel Virtualization Technology
  • Boot performance mode
  • Intel(R) Speedstep™
  • Turbo Mode
  • CPU C states

That page shows also what is supported.

  • ❌ Hyper Threading
  • ✅ Intel VT-x
  • ❌ Intel SMX
  • ✅ 64-bit
  • ✅ EIST
  • ✅ CPU C3, C6, C7, and C8 states
  • ❌ CPU C9 and C10 states
  • ❌ L4 Cache

That’s all I found about the CPU. I checked all the pages, just in case the setting could be placed in a different page, but I have not seen SGX nor Guard mentioned.

On the Intel site, I found that the Intel Core i5-6400 processor (the one on my computer) supports SGX with ME. Probably that explains why I won’t be able to enable SGX on my computer.

What is your motherboard?

I hope I got the right information. inxi -M --dmidecode shows this.

Machine:
  Type: Desktop Mobo: ASUSTeK model: M32CD_A_F_K20CD_K31CD v: Rev 1.xx
    UEFI: American Megatrends v: 1102 rev: 5.11 date: 04/12/2018

That is the same information sudo dmesg | grep DMI: shows.

Yes, the CPU supports it. No info that shows any settings in the BIOS on that particular board.

Edit: You have an older motherboard. I do see an SGX modules package in the AUR but I have no experience or info about it. Not sure any of this would be of any benefit. 🤷

https://aur.archlinux.org/packages/linux-sgx-driver-dkms-git

@kiamlaluno
Just wondering if you installed this package? On my Intel motherboard it has a setting for SGX and is set to software controlled right now or I can enable/disable it.

Edit: https://www.intel.com/content/www/us/en/developer/articles/technical/properly-detecting-intel-software-guard-extensions-in-your-applications.html

I have two M32CD_A_F_K20CD_K31CD computers. In one I still have Windows 10 installed, while in the other one I installed EOS.

My problem is that the UEFI doesn’t have any setting for SGX, which could either mean it’s set to Software Controlled or Disabled.

My original question should have been answered by your previous comment.
I will check what is reported in that article to understand if SGX is completely disabled from UEFI, or it simply needs an application to call sgx_enable_device()/sgx_cap_enable_device(). If it doesn’t work from Windows, chances are that in my case it’s completely disabled.

Thank you again for your help!

The first thing is knowing that the CPU supports it and yours does according to the specs. The Intel page tells how to test it.
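
Added example, not part of the thread or of Intel's article: a C sketch of the CPUID test discussed above, separating "CPU has no SGX" from "CPU has SGX but firmware has not enabled it". The function and enum names are hypothetical; the bit positions (CPUID leaf 7 EBX bit 2, leaf 0x12 EAX bits 0 and 1, IA32_FEATURE_CONTROL bits 0 and 18) are taken from the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

enum sgx_state { SGX_NO_CPU_SUPPORT, SGX_NOT_ENABLED, SGX1_READY, SGX2_READY };

/* Hypothetical helper. ebx7 = CPUID.(EAX=7,ECX=0):EBX,
 * eax12 = CPUID.(EAX=0x12,ECX=0):EAX. */
enum sgx_state sgx_decode_cpuid(uint32_t ebx7, uint32_t eax12)
{
    if (!(ebx7 & (1u << 2)))
        return SGX_NO_CPU_SUPPORT;   /* SGX bit clear: no SGX in this CPU */
    if (!(eax12 & 1u))
        return SGX_NOT_ENABLED;      /* SGX1 not enumerated: firmware opt-in missing */
    return (eax12 & 2u) ? SGX2_READY : SGX1_READY;
}

/* Hypothetical helper. Decodes IA32_FEATURE_CONTROL (MSR 0x3A):
 * bit 0 = lock, bit 18 = SGX global enable. Returns 1 when SGX is
 * enabled, 0 when firmware locked the MSR with SGX off (it stays off
 * until the next reset), -1 when the MSR is not locked. */
int sgx_decode_feature_control(uint64_t msr)
{
    if (!(msr & 1ULL))
        return -1;
    return (msr & (1ULL << 18)) ? 1 : 0;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d, ebx7 = 0, eax12 = 0;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        ebx7 = b;
    if ((ebx7 & (1u << 2)) && __get_cpuid_count(0x12, 0, &a, &b, &c, &d))
        eax12 = a;
    static const char *msg[] = { "CPU has no SGX", "SGX present, not enabled",
                                 "SGX1 enabled", "SGX1+SGX2 enabled" };
    puts(msg[sgx_decode_cpuid(ebx7, eax12)]);
#else
    puts("not an x86 CPU");
#endif
    return 0;
}
```

The CPUID part runs unprivileged; the MSR value has to be read as root (for example with rdmsr 0x3a from msr-tools, with the msr kernel module loaded) and passed to the second helper.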

I take it that the DKMS driver is still necessary, on Linux side, isn’t it?

I don’t have a lot of experience with SGX so just trying to give what info I see. It’s a DKMS package so I would assume so.
