(Created page with "= SGX guidance = This page provides guidance on using SGX in the context of Fedora == Software installation == Until the packages are a standard part of Fedora, they are available from Copr. A minimal setup of a machine with SGX would involve the `sgx-pckid-tool` and `sgx-mpa`. The latter is mandatory on multi-socket machines, and a functional no-op on single-socket machines, so it is easiest to simply always install it. $ dnf copr enable berrange/sgx-ng $ dnf in...") |
|||
| Line 25: | Line 25: | ||
== Firmware configuration == | == Firmware configuration == | ||
Machines will typically ship with SGX support disabled in the firmware, so while the software can be installed immediately, it won't be usable until SGX is enabled in the firmware. | Machines will typically ship with SGX support disabled in the firmware, so while the software can be installed immediately, it won't be usable until SGX is enabled in the firmware. Determine whether SGX is enabled on the machine by looking for the existence of the '''/dev/sgx_enclave''' device node. If missing, proceed with '''Enabling SGX''', otherwise (optionally) proceed with ''Re-initializing SGX''' | ||
=== | === Enabling SGX === | ||
Enabling SGX is a multi-step process requiring reboots. Cold boot the machine, | Enabling SGX is a multi-step process requiring reboots. Cold boot the machine, and hit the magic key needed to enter the firmware menu, or use an integrated mgmt service such as iDrac if available. | ||
Two settings must be toggled first, before other settings will become available: | Two settings must be toggled first, before other settings will become available: | ||
| Line 42: | Line 42: | ||
# Under the "'''Process Settings'''" menu (or similar) change the "'''SGX'''" option to "'''On'''" | # Under the "'''Process Settings'''" menu (or similar) change the "'''SGX'''" option to "'''On'''" | ||
'''Note:''' if "'''SGX'''" option only offers "'''Off'''" as a choice this indicates that either the hardware is not | '''Note:''' if "'''SGX'''" option only offers "'''Off'''" as a choice this indicates that either the current hardware is not a compatible configuration, or another firmware setting is in an incompatible state. For example, SGX may require specific DIMM slot population. Consult your hardware vendor's documentation for further guidance. | ||
=== Re-provisioning | === Re-provisioning SGX === | ||
If | If a machine has previously been used with SGX enabled, a reset is recommended in the firmware for the new owner to take ownership of the platform. | ||
Revision as of 10:59, 8 November 2024
SGX guidance
This page provides guidance on using SGX in the context of Fedora
Software installation
Until the packages are a standard part of Fedora, they are available from Copr. A minimal setup of a machine with SGX would involve the sgx-pckid-tool and sgx-mpa. The latter is mandatory on multi-socket machines, and a functional no-op on single-socket machines, so it is easiest to simply always install it.
$ dnf copr enable berrange/sgx-ng $ dnf install sgx-pckid-tool sgx-mpa
Host configuration
On a multiple socket machine, it is necessary to configure an API key to access the "Intel SGX and Intel TDX Registration Service". Each physical socket has its own identity, and the API service is used to allocate an identity that associates the distinct sockets. This combined identity is what's then used by SGX in any quotes. Visit the aforementioned site, register a free account, record the API key that is associated with it, and store that on the local machine.
$ vi /etc/mpa_registration.conf ...fill the 'subscription key' field...
It is now possible to reboot the machine and provided SGX is enabled in the EFI firmware, and the host has network access, registration will automatically take place automatically on boot, via mpa_registration.service.
NB, registration is a one time operation, so on subsequent boots mpa_registration.service will be a no-op.
If taking over ownership of an existing machine, it is required to force an SGX reset in the firmware, to permit re-registration creating a new machine identity.
Firmware configuration
Machines will typically ship with SGX support disabled in the firmware, so while the software can be installed immediately, it won't be usable until SGX is enabled in the firmware. Determine whether SGX is enabled on the machine by looking for the existence of the /dev/sgx_enclave' device node. If missing, proceed with Enabling SGX, otherwise (optionally) proceed with Re-initializing SGX
Enabling SGX
Enabling SGX is a multi-step process requiring reboots. Cold boot the machine, and hit the magic key needed to enter the firmware menu, or use an integrated mgmt service such as iDrac if available.
Two settings must be toggled first, before other settings will become available:
- Under the "System Security" menu (or similar) change the "Memory Encryption" option to "Multiple Keys"
- Under the "Processor Settings" menu (or similar) change the "CPU Physical Address Limit" option to "Disabled"
With this changes made, select "Apply and reboot".
When the machine resets, once again enter the firmware menus.
- Under the "Process Settings" menu (or similar) change the "SGX" option to "On"
Note: if "SGX" option only offers "Off" as a choice this indicates that either the current hardware is not a compatible configuration, or another firmware setting is in an incompatible state. For example, SGX may require specific DIMM slot population. Consult your hardware vendor's documentation for further guidance.
Re-provisioning SGX
If a machine has previously been used with SGX enabled, a reset is recommended in the firmware for the new owner to take ownership of the platform.