SGX Linux-Compatible Hardware

SGX Linux-Compatible Hardware

[Dave Hansen]

As everyone probably knows, the upstream kernel SGX support refuses to
run on some SGX hardware.  Linux requires that the Launch Control MSRs
be writable, which is sometimes known as "Flexible Launch Control"
support.  If those MSRs are not writable, Linux will ignore the presence
of otherwise SGX-capable hardware.

It can be somewhat challenging to find hardware which works.  For
instance I've got a i7-8086K which has all of the processor support
required for SGX, but the system firmware still opts to lock the Launch
Control MSRs.

I wanted to report that an Intel NUC7CJYH successfully runs enclaves on
Linux out of the box.  The Intel hardware compatibility list[1] is a bit
scary, so I've also included a link to the exact memory that I got.
16GB of RAM seems to work just fine despite what the Intel Ark pages on
the CPU says[2].

One little annoyance is that although it came with an A/C adapter, it
didn't come with a power cord.  There's a link to one of those below too.

> https://www.newegg.com/intel-boxnuc7cjyh/p/1VK-004K-001W5
> https://www.newegg.com/g-skill-16gb-260-pin-ddr4-so-dimm/p/N82E16820232154?Item=N82E16820232154
> https://www.newegg.com/startech-3-ft-black-standard-power-cord/p/N82E16812400031

1. https://compatibleproducts.intel.com/ProductDetails?EPMID=126135
2.
https://ark.intel.com/content/www/us/en/ark/products/128992/intel-celeron-j4005-processor-4m-cache-up-to-2-70-ghz.html

Re: SGX Linux-Compatible Hardware

[Joman Chu]

On Mon, Mar 8, 2021 at 8:04 PM Dave Hansen <dave@sr71.net> wrote:
>
> It can be somewhat challenging to find hardware which works.  For
> instance I've got a i7-8086K which has all of the processor support
> required for SGX, but the system firmware still opts to lock the Launch
> Control MSRs.

In my experience there isn’t much hardware that supports Flexible
Launch Control (FLC). The Intel blog post from 2018 that announces FLC
lists two NUCs (NUC7CJYH and NUC7PJYH) and the Xeon E processors.[1]

The feature also requires BIOS enablement so you might have to confirm
with an OEM. Last time I researched this in July 2020, Dell and
Supermicro had single-processor platforms that claimed to support it,
but I never followed through with actual hardware.

My apologies if you got this message twice, had an email client issue.

[1]: https://software.intel.com/content/www/us/en/develop/blogs/an-update-on-3rd-party-attestation.html

Re: SGX Linux-Compatible Hardware

[乾越]

https://github.com/ayeks/SGX-hardware provides a nice tool to check the
sgx capability. It
reported 2 SGX2 platforms with FLC support.

Jia

On 2021/3/9 上午9:04, Dave Hansen wrote:
> As everyone probably knows, the upstream kernel SGX support refuses to
> run on some SGX hardware.  Linux requires that the Launch Control MSRs
> be writable, which is sometimes known as "Flexible Launch Control"
> support.  If those MSRs are not writable, Linux will ignore the presence
> of otherwise SGX-capable hardware.
>
> It can be somewhat challenging to find hardware which works.  For
> instance I've got a i7-8086K which has all of the processor support
> required for SGX, but the system firmware still opts to lock the Launch
> Control MSRs.
>
> I wanted to report that an Intel NUC7CJYH successfully runs enclaves on
> Linux out of the box.  The Intel hardware compatibility list[1] is a bit
> scary, so I've also included a link to the exact memory that I got.
> 16GB of RAM seems to work just fine despite what the Intel Ark pages on
> the CPU says[2].
>
> One little annoyance is that although it came with an A/C adapter, it
> didn't come with a power cord.  There's a link to one of those below too.
>
>> https://www.newegg.com/intel-boxnuc7cjyh/p/1VK-004K-001W5
>> https://www.newegg.com/g-skill-16gb-260-pin-ddr4-so-dimm/p/N82E16820232154?Item=N82E16820232154
>> https://www.newegg.com/startech-3-ft-black-standard-power-cord/p/N82E16812400031
> 1. https://compatibleproducts.intel.com/ProductDetails?EPMID=126135
> 2.
> https://ark.intel.com/content/www/us/en/ark/products/128992/intel-celeron-j4005-processor-4m-cache-up-to-2-70-ghz.html

Re: SGX Linux-Compatible Hardware

[乾越]

On 2021/3/9 上午9:04, Dave Hansen wrote:
> As everyone probably knows, the upstream kernel SGX support refuses to
> run on some SGX hardware.  Linux requires that the Launch Control MSRs
> be writable, which is sometimes known as "Flexible Launch Control"
> support.  If those MSRs are not writable, Linux will ignore the presence
> of otherwise SGX-capable hardware.
>
> It can be somewhat challenging to find hardware which works.  For
> instance I've got a i7-8086K which has all of the processor support
> required for SGX, but the system firmware still opts to lock the Launch
> Control MSRs.

Yes. I understand the necessairty of the removal of no-flc support
occurred in v25, but actually there
are still non-trivial number of systems without FLC support.

This page contains the information about the supports for no-FLC machines:
https://github.com/alibaba/inclavare-containers/tree/master/hack/no-sgx-flc

Someone may still need it.

Cheers,
Jia


>
> I wanted to report that an Intel NUC7CJYH successfully runs enclaves on
> Linux out of the box.  The Intel hardware compatibility list[1] is a bit
> scary, so I've also included a link to the exact memory that I got.
> 16GB of RAM seems to work just fine despite what the Intel Ark pages on
> the CPU says[2].
>
> One little annoyance is that although it came with an A/C adapter, it
> didn't come with a power cord.  There's a link to one of those below too.
>
>> https://www.newegg.com/intel-boxnuc7cjyh/p/1VK-004K-001W5
>> https://www.newegg.com/g-skill-16gb-260-pin-ddr4-so-dimm/p/N82E16820232154?Item=N82E16820232154
>> https://www.newegg.com/startech-3-ft-black-standard-power-cord/p/N82E16812400031
> 1. https://compatibleproducts.intel.com/ProductDetails?EPMID=126135
> 2.
> https://ark.intel.com/content/www/us/en/ark/products/128992/intel-celeron-j4005-processor-4m-cache-up-to-2-70-ghz.html