
Machine setup

Before you can deploy an enclave that uses real SGX hardware you need to configure the host system and obtain access to the Intel Attestation Service (IAS). At this time the host must be Linux, and setup involves the following steps:

  1. Installing the SGX kernel driver, which isn't yet included in upstream kernels.
  2. Installing the Intel platform services software.
  3. Following the instructions on the IAS website to get access to the IAS servers using a whitelisted SSL key.

Note

To just develop enclaves it's sufficient to have any Linux or Windows host, as the simulation mode requires no special machine setup.

Hardware support

The machine needs support from both the CPU and firmware. At this time multi-socket boards don't support SGX. Your hardware manufacturer can tell you if your machine supports SGX, but most new computers do (one exception is anything made by Apple).

There is a community maintained list of tested/compatible hardware available on GitHub.

For some machines SGX must be explicitly enabled in the BIOS/UEFI firmware screens. For others it can be activated by any root user: the Conclave host API will try to activate it for you, if possible and if run with sufficient permissions.

Hosting providers

In the cloud, Microsoft Azure offers virtual machines with SGX hardware, and rented colocation hardware is often available with SGX too; OVH is one example of a provider that rents SGX-capable machines.

Distribution support

The following Linux distros are formally supported by Intel:

  • Ubuntu 16.04.3 LTS Desktop 64-bit
  • Ubuntu 16.04.3 LTS Server 64-bit
  • Ubuntu 18.04 LTS Desktop 64-bit
  • Ubuntu 18.04 LTS Server 64-bit
  • Red Hat Enterprise Linux Server release 7.4 64-bit
  • Red Hat Enterprise Linux Server release 8.0 64-bit
  • CentOS 7.4.1708 64-bit
  • SUSE Linux Enterprise Server 12 64-bit

However, others will probably still work.

Install the kernel driver and system software

Installers for the system software can be obtained from Intel. We recommend reading the installation user guide. The installation process is simple. Intel provide:

  • APT repositories for Ubuntu
  • Cross-distro installer binaries for other platforms, which set up the system software and compile/install the kernel driver.

Important

The kernel driver is compiled against the running kernel, so the driver installer must be re-run after every kernel upgrade. If it isn't, /dev/isgx will be missing after the reboot and enclave creation will fail.

Alternatively, you can compile the system software yourself. The kernel driver is also available on GitHub.

For SGX remote attestation to operate and machine provisioning to succeed, a small daemon called aesmd is used. This comes as part of the SGX platform services software and will be set up during the install process.

The quick summary looks like this:

  1. Download and run the driver installer binary (all distros).
  2. For Ubuntu users, as root:
     • For Ubuntu 16 LTS: echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu xenial main' > /etc/apt/sources.list.d/intelsgx.list
     • For Ubuntu 18 LTS: echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' > /etc/apt/sources.list.d/intelsgx.list
     • Add the Intel package signing key: wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
     • Then run apt-get update
     • And finally apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev libsgx-urts libsgx-launch libsgx-epid libsgx-quote-ex
  3. For other distros, use the SDK installer (which installs the platform services software as well).
  4. These steps will start the aesm_service.
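The Ubuntu steps above as one script, added here as an example and not part of the Conclave documentation or Intel's installers. It derives the repository suite from the running system's codename, refuses anything other than the two releases listed, and finishes with the check a practitioner wants after a kernel upgrade: that /dev/isgx and the aesmd socket (the paths named in the container section below) are actually present. The repository URL, key URL and package list are the ones from the list above; the script file name is arbitrary.

```shell
#!/bin/sh
# Added example (not from the Conclave docs or Intel's installer): scripted
# version of the Ubuntu package steps, plus a post-install preflight check.
set -eu

SGX_REPO_BASE="https://download.01.org/intel-sgx/sgx_repo/ubuntu"
SGX_PACKAGES="libssl-dev libcurl4-openssl-dev libprotobuf-dev libsgx-urts libsgx-launch libsgx-epid libsgx-quote-ex"

# Map an Ubuntu codename to the apt source line Intel publishes for it.
# Only the two releases the page lists are accepted; anything else fails
# loudly instead of pointing apt at a suite that may not exist.
sgx_repo_line() {
    case "$1" in
        xenial|bionic) printf 'deb [arch=amd64] %s %s main\n' "$SGX_REPO_BASE" "$1" ;;
        *) echo "unsupported Ubuntu codename: $1" >&2; return 1 ;;
    esac
}

# Read the codename of the running system from os-release.
ubuntu_codename() {
    . /etc/os-release
    [ "${ID:-}" = "ubuntu" ] || { echo "not an Ubuntu system" >&2; return 1; }
    printf '%s\n' "${VERSION_CODENAME:-}"
}

# Add the repository and signing key, then install the packages.
# Needs root and outbound network access (or a configured apt proxy).
install_sgx_ubuntu() {
    codename=$(ubuntu_codename)
    sgx_repo_line "$codename" > /etc/apt/sources.list.d/intelsgx.list
    wget -qO - "$SGX_REPO_BASE/intel-sgx-deb.key" | apt-key add -
    apt-get update
    # shellcheck disable=SC2086  # word-splitting the package list is intended
    apt-get install -y $SGX_PACKAGES
}

# Verify what an enclave host needs: the driver's device node and the
# socket aesm_service listens on. Reports everything that is missing.
check_sgx_host() {
    ok=0
    [ -c /dev/isgx ] || { echo "missing /dev/isgx: SGX driver not loaded (re-run the driver installer after a kernel upgrade)" >&2; ok=1; }
    [ -S /var/run/aesmd/aesm.socket ] || { echo "missing /var/run/aesmd/aesm.socket: aesm_service is not running" >&2; ok=1; }
    return $ok
}

# Usage: sudo sh sgx-setup.sh --install    then later: sh sgx-setup.sh --check
case "${1:-}" in
    --install) install_sgx_ubuntu && check_sgx_host ;;
    --check)   check_sgx_host ;;
esac
```

Run the --check mode after every reboot that follows a kernel upgrade; a missing /dev/isgx there is the same condition that later surfaces as SGX_ERROR_NO_DEVICE when an enclave is created.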

Limited network connectivity

The enclave host machine needs to contact Intel's attestation servers, as part of proving to third parties that it's a genuine unrevoked CPU running in the latest known secure configuration. Therefore if the machine has limited connectivity you must use an outbound HTTP[S] proxy server.

The aesmd service reads its configuration from /etc/aesmd.conf; if the host can only reach the internet through a proxy, put the proxy settings there and restart the service.

The program that uses Conclave will also need to make web requests to https://api.trustedservices.intel.com so you may need to provide Java with HTTP proxy settings as well.
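Both processes need the same proxy, so it is worth deriving both settings from one value. The script below is an added example, not part of the Conclave documentation or Intel's packages. It assumes the key names "proxy type" and "aesm proxy" that the stock /etc/aesmd.conf documents in its own comments (verify against your copy of the file), and uses the standard JVM networking properties https.proxyHost and https.proxyPort for the Conclave host process. The proxy URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Conclave docs): derive the aesmd proxy lines and
# the JVM proxy flags from a single http://host:port proxy URL.
# Assumption: the "proxy type" / "aesm proxy" keys are those documented in the
# comments of the stock /etc/aesmd.conf; check them against your copy.
set -eu

# Split http://host:port into "host port". Anything else is rejected, so a
# typo fails here rather than as a silent attestation timeout later.
parse_proxy_url() {
    url="$1"
    hostport="${url#http://}"
    [ "$hostport" != "$url" ] || { echo "proxy URL must start with http://" >&2; return 1; }
    hostport="${hostport%/}"
    host="${hostport%%:*}"
    port="${hostport##*:}"
    [ -n "$host" ] && [ "$host" != "$hostport" ] || { echo "proxy URL needs host:port" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "proxy port must be numeric" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# Lines to append to /etc/aesmd.conf so aesmd reaches Intel's attestation
# servers through the proxy (restart the aesmd service afterwards).
aesmd_proxy_conf() {
    parse_proxy_url "$1" > /dev/null
    printf 'proxy type = manual\naesm proxy = %s\n' "$1"
}

# JVM system properties for the process that calls
# https://api.trustedservices.intel.com itself.
java_proxy_opts() {
    hp=$(parse_proxy_url "$1")
    set -- $hp
    printf '%s %s\n' "-Dhttps.proxyHost=$1" "-Dhttps.proxyPort=$2"
}

# Usage: sh sgx-proxy.sh http://proxy.corp.example:3128
if [ $# -eq 1 ]; then
    echo "# append to /etc/aesmd.conf, then restart the aesmd service:"
    aesmd_proxy_conf "$1"
    echo "# for the Conclave host JVM:"
    echo "export JAVA_TOOL_OPTIONS=\"$(java_proxy_opts "$1")\""
fi
```

Setting JAVA_TOOL_OPTIONS is one way to hand the properties to the JVM without touching the launch command; passing the same -D flags on the java command line is equivalent.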

Using containers

To configure Docker for use with SGX, you must pass at least these flags when creating the container:

--device=/dev/isgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket

Failure to do this may result in an SGX_ERROR_NO_DEVICE error when creating an enclave.
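A wrapper that applies the two flags and, before starting the real workload, confirms from inside the container that the device node and the socket are actually visible. This is an added example, not code from the Conclave documentation; the image name is a placeholder and the exit codes of the probe are arbitrary.

```shell
#!/bin/sh
# Added example (not from the Conclave docs): run a container with the SGX
# device and the aesmd socket passed through, after a probe inside the
# container shows both are visible. IMAGE is a placeholder.
set -eu

SGX_DEVICE=/dev/isgx
AESM_SOCKET=/var/run/aesmd/aesm.socket

# The two mandatory docker run flags, built from the paths above.
sgx_docker_flags() {
    printf '%s %s\n' "--device=$SGX_DEVICE" "-v $AESM_SOCKET:$AESM_SOCKET"
}

# Shell snippet executed inside the container before the real workload.
# A missing device node is what produces SGX_ERROR_NO_DEVICE on enclave
# creation; a missing socket lets the enclave start but breaks attestation.
# Exit codes 10/11 are arbitrary and chosen not to collide with sh's own.
sgx_container_probe() {
    printf 'test -c %s || { echo "%s not visible in container" >&2; exit 10; }; ' "$SGX_DEVICE" "$SGX_DEVICE"
    printf 'test -S %s || { echo "%s not visible in container" >&2; exit 11; }\n' "$AESM_SOCKET" "$AESM_SOCKET"
}

# Usage: sh sgx-docker.sh IMAGE [command...]
run_sgx_container() {
    image="$1"; shift
    # shellcheck disable=SC2046  # the flags are meant to be word-split
    docker run --rm $(sgx_docker_flags) "$image" sh -c "$(sgx_container_probe)"
    docker run --rm $(sgx_docker_flags) "$image" "$@"
}

if [ $# -ge 1 ]; then
    run_sgx_container "$@"
fi
```

The probe runs in a throwaway container with the same flags as the workload, so a failure there tells you which of the two mounts is missing on the host rather than leaving you to interpret SGX_ERROR_NO_DEVICE from the enclave.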

Renewing machine security

After following the above instructions, you may discover your EnclaveInstanceInfo objects report the enclave as STALE. This means the machine requires software updates. Applying all available updates and rebooting should make the security evaluation of STALE go away. See "Renewability" to learn more about this topic and what exactly is involved.