Intel’s Software Guard Extensions (SGX) is their latest attempt to enable secure remote computation, or the execution of trusted code on a remote computer owned and controlled by someone else. Call it cloud if you will.
Everything you want to know about SGX is in Intel SGX Explained, 100+-page from MIT. See also Joanna Rutkowska’s 2013 discussions (pt. 1 , pt. 2), and Frank McKeen’s Stanford talk (he’s one of the SGX architects at Intel).
SGX has been in the air for years, but it’s only been in Intel chips for a few months with the Skylake microarchitecture, and usable to developers (partially) thanks to Intel’s SGX SDK. So I wanted to try SGX out.
My first task was to find a laptop that supports SGX. You obviously need a CPU with the Skylake microarchitecture, and that supports SGX instructions, as this Core i5-6200U. But it’s not sufficient, you also need drivers enabling the OS to use SGX. Drivers are either chipset drivers or included in the BIOS, depending on the model. You’ll find a partial list of supported notebooks on https://github.com/ayeks/SGX-hardware along with a simple C program that uses the CPUID instruction to test for SGX support on your system (you don’t need the SGX SDK to run it).
A supported notebook not in the above list is HP’s Star Wars Special Edition Laptop (model 15-an051dx, Core i7-6500U).
So I went to the closest electronic shop, and after checking that the BIOS allowed me to enable SGX, I purchased one of the models supposed to support SGX, an HP ENVY notebook:
After the basic setup of Windows 10, I installed Visual Studio 2012 Professional, the required IDE to develop SGX-based applications at the moment (as per Intel). The trial period runs for 30 days, then you need to get a license :-/
Then I installed the SGX SDK, which enables the development of SGX enclaves within Visual Studio 2012.
However, I did not install “Intel® Parallel Studio XE Professional Edition for Windows Version 2013”, which Intel claims to be required. This probably eases the development of SGX-based programs, but at $700 a license I skipped it and could still build SGX programs.
I also did not install HP’s drivers for SGX. Instead, you need to install Intel’s SGX Platform Software. Without it, your SGX programs will build but the enclave creation will fail.
Once you’ve done all this, you can test for SGX support by querying for CPUID information using the test-sgx.c program. You’ll need to tweak it to compile under VS2012, which won’t support the
asm volatile inline assembly. So I just replaced the following lines
asm volatile("cpuid" : "=a" (*eax), "=b" (*ebx), "=c" (*ecx), "=d" (*edx) : "0" (*eax), "2" (*ecx));
uint32_t regs; __cpuidex((int *)regs, (int)*eax, (int)*ecx) *eax = regs; *ebx = regs; *ecx = regs; *edx = regs;
The output should then look like
You’re now ready to go.
To make sure that it all worked before coding my own enclaves, I tested Joseph Birr-Pixton’s experimental password hash SGX program, sgx-pwenclave. It takes less than a minute to load the project in VS, build and run it.
Now you can make your own SGX-based projects, have fun!
You can also check if the device has support for SGX with the SGX API:
int SGXEnabled = 0;
sgx_status_t status = sgx_is_capable(&SGXEnabled);
if(status != SGX_SUCCESS)
//failed to check for sgx support
if(SGXEnabled == 1)
//sgx is activated
//sgx is not activated