Getting Started With SGX: Preparing Your Environment

Introduction

In 2015 Intel released Software Guard Extensions. This introduces a new set of instruction codes for Intel CPUs that offer new security options in the way of a hardware enclave. This is just one interpretation, with most popular CPU vendors now offering support. While there’s plenty of speculation (pun absolutely intended) around the security of these hardware enclaves, they are conceptually an important step forward in secure computing. Even though SGX is 6 years old, it still feels like a new idea when you peel back the covers and try to use it. The documentation is sparse, and installing the drivers and toolkits requires more effort than you would expect out of a 6 year old project. Since I have been exploring SGX recently, I thought it would be helpful to write about the process in hopes that others could benefit from a collected set of recent documents.

This post will focus on installing the SGX driver, SDK, and PSW on Ubuntu 20.04. Support for SGX can be found for major Linux distributions as well as Windows.

Does your Computer Support SGX?

Before we get started, it’s good to understand if your processor supports SGX. If your CPU does not support SGX, you can still compile and run SGX programs in simulation mode, which provides enough support to write and test programs that utilize the SGX instruction set. If you lack support, you can skip the driver and PSW installation sections.

First let’s install cpuid and see if there’s support available:

$ cpuid -1 | grep -i sgx
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = true
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes (0x12/1):

This will provide a lot of information that isn’t easy to interpret without additional understanding. If you have the rust toolchain installed, there’s a much more user friendly program you can install:

$ rustup toolchain install nightly
$ rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
$ cargo install sgxs-tools
$ sgx-detect
Detecting SGX, this may take a minute...
✔  SGX instruction set
  ✔  CPU support
  ✔  CPU configuration
  ✔  Enclave attributes
  ✔  Enclave Page Cache
  SGX features
    ✘  SGX2  ✘  EXINFO  ✘  ENCLV  ✘  OVERSUB  ✘  KSS
    Total EPC size: 93.5MiB
✘  Flexible launch control
  ✔  CPU support
  ? CPU configuration
  ✘  Able to launch production mode enclave
✔  SGX system software
  ✔  SGX kernel device (/dev/isgx)
  ✔  libsgx_enclave_common
  ✔  AESM service
  ✔  Able to launch enclaves
    ✔  Debug mode
    ✘  Production mode
    ✔  Production mode (Intel whitelisted)

The rest of the output will provide more information about what actions (if any) need to be taken to enable SGX. While a lot of processors now support SGX, it is typically disabled in BIOS. If you see messages referring to enabling support, you will need to reboot and enable before you can run in hardware mode.

Installing the Driver

We will need three pieces to complete the SGX setup puzzle. First is the driver. This is the fastest and most straightforward step. We will need to install compiler tools and the linux kernel headers before proceeding:

$ sudo apt install build-essential linux-headers-$(uname -r)
$ git clone https://github.com/intel/linux-sgx-driver
$ cd linux-sgx-driver

From inside the driver repo, we can build the kernel module by running make. Once built, we need to copy it into the place where Ubuntu stores kernel modules, and instruct the kernel to load it.


$ make
$ sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo sh -c "cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules"
$ sudo /sbin/depmod
$ sudo /sbin/modprobe isgx

Once complete you will be able to search for isgx in your loaded modules:

$ lsmod | grep sgx
isgx                   53248  2

Installing the SDK

The SDK and PSW have longer and more involved build processes. Compilation will take some time, even on well equipped computers. Before we clone the repository there are a some tools we need to install:

$ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
$ git clone https://github.com/intel/linux-sgx

At the time of writing this article, I was unable to get through the installation process on the master branch because the prebuilt binary downloads pulled in by make preparation failed. Changing to the sgx_2.13 branch fixed this.

$ git checkout sgx_2.13
$ make preparation
$ sudo cp external/toolset/ubuntu20.04/{as,ld,ld.gold,objdump} /usr/local/bin
$ make sdk
$ make sdk_install_pkg
$ sudo mkdir /opt/intel
$ cd linux/installer/bin

Next, run the installer. When prompted, you may choose your desired path, but I found the least amount of friction by changing the target to /opt/intel/.

$ sudo ./sgx_linux_x64_sdk_2.13.100.4.bin
$ source /opt/intel/sgxsdk/environment

Souring the environment will ensure you have all the requisite flags for compiling the sample code and the PSW. We can now test one of the provided sample applications in simulation mode to ensure we have properly installed the SDK.

$ cd SampleCode/LocalAttestation
$ make SGX_MODE=SIM
$ cd bin
$ ./app
./app
succeed to load enclaves.
succeed to establish secure channel.
Succeed to exchange secure message...
Succeed to close Session...

At this point the SDK installation is complete. You are ready to start writing SGX capable applications. If your hardware supports SGX, you can proceed to the next steps and complete the PSW setup.

Installing the Platform Software (PSW)

Before we install the platform software, we need to install some additional packages:

$ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip

With these packages available we can head back to the root of the linux-sgx project and run the following:

$ make psw
$ cd psw/ae/le
$ make

If you get compilation errors, make sure you have the sgx sdk environment sourced and try again. The PSW provides a series of packages that can be installed via apt. To do this first build the package, and then the local debian repository:

$ make deb_psw_pkg
$ make deb_local_repo

You will need to add this new repository to your apt sources. You can either edit /etc/apt/sources.list directly, or add an entry into /etc/apt/sources.list.d. Add the following to that file:

deb [trusted=yes arch=amd64] file:<path to linux-sgx>/linux/installer/deb/sgx_debian_local_repo focal main

We can now update apt and install the newly built packages:

$ sudo apt update
$ sudo apt install libsgx-launch libsgx-urts libsgx-epid libsgx-quote-ex libsgx-dcap-ql

The last thing to do is start the aesmd service. This will act as the gatekeeper for providing access to your enclaves. You can enable it permanently or just start it when necessary. Make sure to check the status of the service and ensure you don’t see any errors.

$ sudo systemctl start aesmd
$ sudo systemctl status aesmd
● aesmd.service - Intel(R) Architectural Enclave Service Manager
     Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-04-12 02:47:23 CDT; 5h 25min ago
    Process: 1027 ExecStartPre=/opt/intel/sgx-aesm-service/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 1091 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 1093 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 1094 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 1095 ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 1110 ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 1111 ExecStart=/opt/intel/sgx-aesm-service/aesm/aesm_service (code=exited, status=0/SUCCESS)
   Main PID: 1162 (aesm_service)
      Tasks: 4 (limit: 76885)
     Memory: 13.2M
     CGroup: /system.slice/aesmd.service
             └─1162 /opt/intel/sgx-aesm-service/aesm/aesm_service

Executing Against the Hardware (If Supported)

We should now be able to recompile the sample code provided in the sdk in hardware mode. This will execute the real instructions against your machine and verify you are capable of running SGX software:

$ cd <path/to/linux-sgx>/SampleCode/LocalAttestation
$ make clean
$ make
$ cd bin
$ ./app
succeed to load enclaves.
succeed to establish secure channel.
Succeed to exchange secure message...
Succeed to close Session...

Wrap-Up

Unfortunately setting up SGX is a non-trivial task. It takes enough time and cognitive overhead that it deserves its own post before we start diving into writing SGX backed applications. If you run into issues installing, be sure to consult the README files in the repositories mentioned above. There are a lot of options not covered here and some may be necessary for your environment.

comments powered by Disqus