dnoliver/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Intel SGX


Intel Software Guard Extensions
After Years Of Work With 40+ Revisions, Intel SGX Looks Like It Will Land In Linux 5.11

Documentation


Intel® 64 and IA-32 Architectures Software Developer Manuals, Volume 3D.
Intel SGX Developer Guide
Intel SGX Developer Reference
Intel SGX Installation Guide

Development Environment

On Ubuntu 20.04
Check SGX Support:
root@sgx:~# cpuid -1 | grep -i sgx
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   SGX capability (0x12/0):
      SGX1 supported                         = true
      SGX2 supported                         = false
   SGX attributes (0x12/1):
Install Tools:
apt-get install -y curl git tmux

# Linux Kernel 5.9 supports FSGSBASE required by Graphene SGX 
cd /tmp/
wget -c https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.9/amd64/linux-headers-5.9.0-050900_5.9.0-050900.202010112230_all.deb
wget -c https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.9/amd64/linux-headers-5.9.0-050900-generic_5.9.0-050900.202010112230_amd64.deb
wget -c https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.9/amd64/linux-image-unsigned-5.9.0-050900-generic_5.9.0-050900.202010112230_amd64.deb
wget -c https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.9/amd64/linux-modules-5.9.0-050900-generic_5.9.0-050900.202010112230_amd64.deb
dpkg -i *.deb
systemctl reboot

# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
chmod +x get-docker.sh
./get-docker.sh
systemctl enable --now docker

# Get Intel SGX Drivers
apt-get install -y libssl-dev libcurl4-openssl-dev libprotobuf-dev
mkdir sgx-drivers
cd sgx-drivers/
curl https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/driver_readme.txt -o driver_readme.txt
curl https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin -o sgx_linux_x64_driver_1.41.bin
curl https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_0373e2e.bin -o sgx_linux_x64_driver_2.11.0_0373e2e.bin

# DCAP Driver (Latest out of tree driver, requires Launch Config support)
apt-get install -y dkms
chmod +x sgx_linux_x64_driver_1.41.bin
./sgx_linux_x64_driver_1.41.bin

# OOT Driver (Legacy Driver, works without Launch Config support)
apt-get install -y build-essential
chmod +x sgx_linux_x64_driver_2.11.0_0373e2e.bin
./sgx_linux_x64_driver_2.11.0_0373e2e.bin

# PSW Packages
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list
curl https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
apt-get update
apt-get install -y libsgx-launch libsgx-urts

# Allow process to map low portions of virtual memory, required if using OOT Driver with Graphene SGX
sysctl vm.mmap_min_addr=0
Or use Ansible: dnoliver/ansible-sgx
Software Development Kit


Intel® Software Guard Extensions SDK for Linux*


Sample Enclave Creation


Overview of Intel SGX Enclave
dnoliver/intel-sgx-enclave-example

Running on Simulator


How to Run Intel® Software Guard Extensions' Simulation Mode

Running in Virtual Machine


Setting up a Linux Hyper-V VM on Windows with SGX Support
Intel Sends Out KVM SGX Virtualization Patches For Linux
VMware vSphere Securing Virtual Machines with Intel Software Guard Extensions

OpenEnclave Initiative


openenclave/openenclave
Confidential Computing Consortium
dnoliver/oe-enclave-example

Graphene SGX


Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX
Introduction to Graphene
oscarlab/graphene
dnoliver/graphene-sgx-enclave-example

Alternatives


IBM SecureBlue++ or IBM Secure Execution for Linux
AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV)
ARM TrustZone with OP-TEE
Intel Trust Domain Extensions
Intel Total Memory Encryption (TME) and Intel Multi-Key Total Memory Encryption (MKTME)