测试方法参考官方文档
cpuid --one-cpu | grep -i sgx
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
Software Guard Extensions (SGX) capability (0x12/0):
SGX1 supported = false
SGX2 supported = false
SGX ENCLV E*VIRTCHILD, ESETCONTEXT = false
SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
SGX attributes (0x12/1):
SGX EPC enumeration (0x12/n):
SGX_LC: SGX launch config supported = true
,则支持DCAP(数据中心标记基元,即远程认证服务)功能。FLC 即 Flexible Launch Control。SGX1 supported = false
表示SGX还未开启,或者未开启成功。test-sgx.c
测试是否支持SGXgcc
sudo dnf -y install clang
test-sgx.c
:$ gcc test-sgx.c -o test-sgx
$ ./test-sgx
eax: 606a6 ebx: 4400800 ecx: 7ffefbf7 edx: bfebfbff
stepping 6
model 10
family 6
processor type 0
extended model 6
extended family 0
smx: 1
Extended feature bits (EAX=07H, ECX=0H)
eax: 2 ebx: f3bfb7ef ecx: 40417f5e edx: bc040412
sgx available: 1
sgx launch control: 1
CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 0 ebx: 0 ecx: 0 edx: 0
sgx 1 supported: 0
sgx 2 supported: 0
MaxEnclaveSize_Not64: 0
MaxEnclaveSize_64: 0
CPUID Leaf 12H, Sub-Leaf 1 of Intel SGX Capabilities (EAX=12H,ECX=1)
eax: 0 ebx: 0 ecx: 0 edx: 0
CPUID Leaf 12H, Sub-Leaf 2 of Intel SGX Capabilities (EAX=12H,ECX=2)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 3 of Intel SGX Capabilities (EAX=12H,ECX=3)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 4 of Intel SGX Capabilities (EAX=12H,ECX=4)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 5 of Intel SGX Capabilities (EAX=12H,ECX=5)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 6 of Intel SGX Capabilities (EAX=12H,ECX=6)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 7 of Intel SGX Capabilities (EAX=12H,ECX=7)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 8 of Intel SGX Capabilities (EAX=12H,ECX=8)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
CPUID Leaf 12H, Sub-Leaf 9 of Intel SGX Capabilities (EAX=12H,ECX=9)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M
sgx launch control: 1
由于实验中使用的型号是TH-D2113 Gold 5318Y
,实现SGX需要支持SPS(Server Platform Services,英特尔® SPS)才行。
Intel® Software Guard Extensions (Intel® SGX) Yes with Intel® SPS
不知道如何验证,应该是需要装相关的SPS驱动。
首先检查BIOS是以UEFI模式启动的,不能以legacy模式启动,因为:
不同的BIOS操作不同,示例如下:
BIOS下enable SGX【System Configuration】 → BIOS/Platform Configuration (RBSU) → System Options → Processor Options → Intel Software Guard Extensions (SGX)】→ 启动。
如果在BIOS中没有设置SGX的地方,且芯片是支持SGX的,可以升级BIOS版本或者找服务器售后了解情况。
如果SGX在BIOS中提示“软件控制”,则可以使用下面的软起动方法启动SGX。具体说明可以参考这儿
软启动代码参考:github.com/intel/sgx-software-enable
由于本服务器不支持软件启动,所以无法展示启动情况。
sudo apt install -y clang
$ make
$ sudo ./sgx_enable
Intel SGX is explicitly disabled, and your BIOS does not
support the "software enable" option. Check your BIOS for an
explicit option to enable Intel SGX.
git clone https://github.com/ethernity-cloud/mvp-pox-node.git
cd mvp-pox-node
cd mvp-pox-node
./utils/linux/test-sgx
如果输出下面类似的结果表示已经开启成功:
...
Extended feature bits (EAX=07H, ECX=0H)
eax: 2 ebx: f3bfb7ef ecx: 40417f5e edx: bc040412
sgx available: 1
sgx launch control: 1
CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 403 ebx: 1 ecx: 0 edx: 381f
sgx 1 supported: 1
sgx 2 supported: 1
MaxEnclaveSize_Not64: 1f
MaxEnclaveSize_64: 38
MaxEnclaveSize_64 (MB): 0
...
如果sgx 1 supported
不为1
,至少MaxEnclaveSize_64
是大于0
的。
下面的方法是在FLC + Intel® AES New Instructions 平台上进行安装的步骤。如果是老版本的机器,请参考老版本的安装步骤。
参考:Linux kernel drivers介绍
/dev/sgx_enclave
和 /dev/sgx_provision
访问。SGXDataCenterAttestationPrimitives
编译安装SGX驱动Ubuntu* 16.04 LTS Desktop 64bits - minimal kernel 4.15
Ubuntu* 16.04 LTS Server 64bits - minimal kernel 4.15
Ubuntu* 18.04 LTS Desktop 64bits
Ubuntu* 18.04 LTS Server 64bits
Ubuntu* 20.04 LTS Server 64bits
Red Hat Enterprise Linux Server 8 (RHEL 8) 64bits
CentOS 8 64bits
第八代Intel® Core™处理器或更新版本,具有灵活启动控制和Intel® AES新指令支持。
cpuid -1 | grep -i sgx
// 如果输出中包含下面信息表示CPU支持FLC
SGX_LC: SGX launch config supported = true
....
SGX1 Supported = true // SGX1必须为true表示SGX开启成功
SGX2 Supported = true
或者使用测试程序:SGX Hardware Github
git clone https://github.com/ayeks/SGX-hardware.git
gcc test-sgx.c -o test-sgx
./test-sgx
// 如果输出如下信息表示CPU支持FLC
sgx launch control: 1
更多的FLC测试信息见官方文档《Which Platforms Support Intel® Software Guard Extensions (Intel® SGX) SGX2?》
// 头文件检查:执行下面文件,如果有输出表示已经安装
dpkg-query -s linux-headers-$(uname -r)
// 如果没有安装头文件,则使用下面命令进行安装
sudo apt-get install linux-headers-$(uname -r)
SGXDataCenterAttestationPrimitives
支持Windows和Linux驱动编译安装。git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
cd SGXDataCenterAttestationPrimitives/driver/linux/
sudo apt-get install -y dkms
cat dkms.conf
// 输出以下信息
PACKAGE_NAME="sgx"
PACKAGE_VERSION="1.41"
BUILT_MODULE_NAME[0]="intel_sgx"
DEST_MODULE_LOCATION[0]="/kernel/drivers/intel/sgx"
AUTOINSTALL="yes"
MAKE[0]="'make' KDIR=/lib/modules/${kernelver}/build"
其中PACKAGE_VERSION
为第5-6步中的
值,比如1.41
。
export version=
sudo mkdir /usr/src/sgx-$version/
make clean
sudo cp ./* /usr/src/sgx-$version/ -r
sudo dkms add -m sgx -v $version
sudo dkms build -m sgx -v $version
sudo dkms install -m sgx -v $version
sudo /sbin/modprobe intel_sgx
如果此步骤出现如下问题:
// 查看安装情况
$ dkms status
sgx, 1.41, 5.4.0-150-generic, x86_64: installed
问题原因是SGX虽然在BIOS开启了,但是并未启动成功
SGX1 Supported = false
SGX1 Supported = false
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-QWDY1FLH-1687162973885)(https://note.youdao.com/yws/res/80448/WEBRESOURCEe35d46a560328736926178b221e3499e)]
解决方法:使用BIOS中SGX选项【SGX Factory Reset】选项将SGX空间清空(不同BIOS操作不相同),然后即可正常打开SGX。
udev
规则和 sgx_prv
组以正确设置 /dev/sgx/enclave
和 /dev/sgx/provision
节点的权限,更多背景信息见启动带有配置位设置的 enclave一文。sudo cp 10-sgx.rules /etc/udev/rules.d
sudo groupadd sgx_prv
sudo udevadm trigger
sudo /sbin/modprobe -r intel_sgx
sudo dkms remove -m sgx -v $version --all
sudo rm -rf /usr/src/sgx-$version
sudo dracut --force # only needed on RHEL/CentOS 8
Ubuntu* 18.04 LTS Desktop 64bits
Ubuntu* 18.04 LTS Server 64bits
Ubuntu* 20.04 LTS Desktop 64bits
Ubuntu* 20.04 LTS Server 64bits
Ubuntu* 22.04 LTS Server 64bits
Red Hat Enterprise Linux Server release 8.6 64bits
CentOS Stream 8 64bits
CentOS 8.3 64bits
SUSE Linux Enterprise Server 15.4 64bits
Anolis OS 8.6 64bits
Debian 10 64bits
其他操作系统安装步骤参考:安装sgx驱动以及相关服务
// 驱动环境
sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl -y
// PSW 环境
sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip pkgconf libboost-dev libboost-system-dev libboost-thread-dev lsb-release libsystemd0 -y
git clone https://github.com/intel/linux-sgx.git
cd linux-sgx
sudo sed -i '$a\export SGX_LINUX_PATH=' /etc/profile
source /etc/profile
make preparation
提示:
make preparation
将执行脚本download_prebuilt.sh
来下载预构建的二进制文件。 可能需要为脚本使用的wget
工具设置https
代理(比如export https_proxy=http://test-proxy:test-port
)或者将https://github.com
替换为https://gitclone.com/github.com
。sh
文件没有权限,执行find ./ -type f | grep \\.sh$ | xargs chmod +x
将所有sh
文件增加操作权限。external/toolset/{current_distr}
复制到/usr/local/bin
,并确保它们有执行权限:// 由于我的操作系统是ubuntu20.04,所以current_distr值为ubuntu20.04
sudo cp external/toolset/{current_distr}/* /usr/local/bin
which ar as ld objcopy objdump ranlib
具体的编译方法见Build the Intel® SGX SDK and Intel® SGX SDK Installer
find ./ -type f | grep \\.sh$ | xargs chmod +x
find ./ -type f | grep configure$ | xargs chmod +x
// do not use `make sdk`,如果执行`make sdk`后面的安装会失败
make sdk_install_pkg
// 提示如下信息表是编译成功
...
scripts/
scripts/install.sh
scripts/installConfig
Generated sdk installer: ./linux/installer/bin/sgx_linux_x64_sdk_2.19.100.3.bin
sudo apt-get install build-essential python-is-python3
cd linux/installer/bin
./sgx_linux_x64_sdk_${version}.bin
安装成功之后提示【Please set the environment variables with below command:】,执行提示的命令,且每次编译的时候都需要执行下面的source命令
source SGX_LINUX_PATH/linux/installer/bin/sgxsdk/environment
如果不想每次都执行source
命令,则可以将environment
文件中内容复制到/etc/profile
文件中。
$ cat /etc/profile
...
export SGX_SDK=/home/private/codes/tee/linux-sgx/linux/installer/bin/sgxsdk
export PATH=$PATH:$SGX_SDK/bin:$SGX_SDK/bin/x64
export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$SGX_SDK/pkgconfig
if [ -z "$LD_LIBRARY_PATH" ]; then
export LD_LIBRARY_PATH=$SGX_SDK/sdk_libs
else
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SGX_SDK/sdk_libs
fi
暂未安装 PSW,所以只能先测试Simulation 模式,参考:Requires libsgx_urts.so to run in SGX hardware mode
cd SGX_LINUX_PATH/SampleCode/LocalAttestation
make SGX_MODE=SIM
cd bin
./app
// 输出结果表示安装成功
succeed to load enclaves.
succeed to establish secure channel.
Succeed to exchange secure message...
Succeed to close Session...
注意:在 Ubuntu 22.04 或任何带有 systemd v248 或更高版本的发行版上,/dev/sgx_enclave
只能由组“sgx”中的用户访问。
sudo groupadd sgx
sudo usermod -a -G sgx
// 查看是否添加成功
groups
编译详情参考:Build the Intel® SGX PSW and Intel® SGX PSW Installer
cd $SGX_LINUX_PATH
make psw_install_pkg
// 出现如下信息代表安装成功
scripts/
scripts/install.sh
scripts/installConfig
Generated psw installer: ./linux/installer/bin/sgx_linux_x64_psw_2.19.100.3.bin
sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
sudo ./linux/installer/bin/sgx_linux_x64_psw_2.19.100.3.bin
cd $SGX_LINUX_PATH
source linux/installer/bin/sgxsdk/environment
cd SampleCode/LocalAttestation/
// 安装PSW之后就可以直接使用硬件环境进行编译了
$ make
....
CC <= EnclaveInitiator_u.c
CC <= EnclaveResponder_u.c
CXX <= App.cpp
CC <= UntrustedEnclaveMessageExchange.cpp
GEN => app
make[1]: Leaving directory '/home/private/codes/tee/linux-sgx/SampleCode/LocalAttestation/App'
The project has been built in hardware debug mode.
$ cd bin/
$ ./app
succeed to load enclaves.
succeed to establish secure channel.
Succeed to exchange secure message...
Succeed to close Session...
SGXDataCenterAttestationPrimitives
源码