Common SGX installation issues
You can check the SGX configuration of your system with sgx-detect, see the Installation guide. If there are any issues, sgx-detect will direct you to a specific section of this page for troubleshooting help.
SGX CPU support
It appears your hardware does not support the SGX instruction set extension. Most Intel Core CPUs produced after 2015 have SGX support, as well as Intel Xeon E3 and Xeon E CPUs and, from the 3rd generation onwards, Xeon Scalable CPUs. Note that Intel has since removed SGX from its 11th-generation and later consumer Core CPUs, so a recent desktop or laptop part is not guaranteed to have it. For more details, see Intel ARK.
If you are running a virtual machine, make sure your hypervisor has SGX support and exposes it to the guest.
If your CPU has SGX support according to Intel ARK but not according to sgx-detect, your chipset or platform might not support SGX in this configuration.
CPU configuration
To be able to use SGX, the BIOS must enable this functionality on boot. If you're trying to use SGX from a virtual machine, the hypervisor must enable SGX support for the VM.
Some UEFI firmware supports automatically configuring SGX; sgx-detect will prompt you if this is the case. This only works if you are booting in UEFI mode. If your BIOS is set to "Software Controlled", but you are not booting in UEFI mode, you will still need to manually configure SGX in your BIOS.
Otherwise, you will need to re-configure your BIOS or hypervisor manually. This of course requires that the BIOS or hypervisor supports SGX.
CPUID misconfiguration
SGX appears to be enabled, but there is some issue with the CPU configuration. This should never happen with any supported system and likely indicates a CPU, BIOS or hypervisor (or sgx-detect) bug.
Flexible launch control CPU configuration
Most Intel CPUs produced after 2018 that have SGX support also have FLC support.
To be able to use FLC, the BIOS must enable this functionality on boot. SGX works without FLC, but you won't be able to run production-mode enclaves unless their signing key is whitelisted by Intel, since without FLC every enclave launch has to be approved by Intel's launch enclave.
To enable FLC, you will need to re-configure your BIOS manually. This of course requires that the BIOS supports configuring FLC. Your BIOS may also call this feature "Unlocked" launch control.
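The two checks above (does the CPU have SGX and FLC, and has the BIOS actually enabled them) can be done by hand on Linux without sgx-detect. The following script is an added example for this page, not code from sgx-detect or from the page's authors. It reads the sgx, sgx_lc, sgx1 and sgx2 flags that the Linux kernel prints in /proc/cpuinfo, and decodes the IA32_FEATURE_CONTROL MSR (0x3A) as read with rdmsr from msr-tools, where bit 18 is SGX enable, bit 17 is SGX launch control enable and bit 0 is the lock bit that BIOS sets. The flag names and bit positions are from the kernel and the Intel SDM; the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original page or of sgx-detect): check CPU
# and firmware SGX/FLC state on Linux from the shell.

# classify_sgx_flags "FLAGS_LINE"
# Takes a "flags : ..." line as printed by /proc/cpuinfo and prints
#   none      - kernel reports no SGX (CPU lacks it, the BIOS disabled it, or
#               the kernel predates the sgx flags and cannot tell you)
#   sgx-only  - SGX present, no launch control (production enclaves need an
#               Intel-whitelisted signer and the AESM launch enclave)
#   sgx+flc   - SGX with Flexible Launch Control
# followed by sgx1/sgx2 when the kernel reports those too.
classify_sgx_flags() {
    _flags=$(printf '%s\n' "$1" | sed 's/^flags[[:space:]]*:[[:space:]]*//')
    # exact-word match: "sgx_lc" must not count as "sgx"
    _has() { printf ' %s ' "$_flags" | grep -q " $1 "; }
    if ! _has sgx; then
        echo none
        return 0
    fi
    if _has sgx_lc; then _out="sgx+flc"; else _out="sgx-only"; fi
    _has sgx1 && _out="$_out sgx1"
    _has sgx2 && _out="$_out sgx2"
    echo "$_out"
}

# decode_feature_control HEX
# HEX is the value of IA32_FEATURE_CONTROL (MSR 0x3A), e.g. 0x60005 as given
# by `rdmsr 0x3a` (msr-tools; needs root and `modprobe msr`). Bits per the
# Intel SDM:
#   bit 0  lock: set by BIOS, the SGX bits cannot change until the next boot
#   bit 17 SGX launch control enable (FLC usable by the OS)
#   bit 18 SGX global enable
decode_feature_control() {
    _v=$(( $1 ))
    echo "lock=$(( _v & 1 )) sgx_enable=$(( (_v >> 18) & 1 )) launch_control=$(( (_v >> 17) & 1 ))"
}

# Live check on this machine (read-only). The MSR part only runs when rdmsr
# is installed and /dev/cpu/0/msr is readable, i.e. as root with the msr
# module loaded; on a VM the MSR may be unreadable, which is reported as 0.
_line=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
echo "cpuinfo: $(classify_sgx_flags "$_line")"
if command -v rdmsr >/dev/null 2>&1 && [ -r /dev/cpu/0/msr ]; then
    echo "IA32_FEATURE_CONTROL: $(decode_feature_control "0x$(rdmsr 0x3a 2>/dev/null || echo 0)")"
else
    echo "IA32_FEATURE_CONTROL: skipped (install msr-tools, modprobe msr, run as root)"
fi
```

Read the two results together: sgx_enable=0 with the lock bit set means the BIOS has disabled SGX for this boot, which also makes the kernel hide the sgx flag, so an absent flag alone does not prove the CPU lacks SGX. sgx_enable=1 with launch_control=0 is the "SGX works without FLC" case described above.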
AESM service
The Architectural Enclave Service Manager (AESM) provides a protocol to access Intel's architectural enclaves. These enclaves are necessary to launch enclaves (without hardware support for flexible launch control), and to perform EPID remote attestation.
If your platform supports FLC, then you only need to install AESM if you want to use EPID remote attestation.
Various installation methods are provided in the Installation guide. If AESM is already installed, make sure it's running properly. AESM requires Internet access to work properly; a proxy may be configured in /etc/aesmd.conf (Linux) or with AESMProxyConfigure.exe (Windows).
SGX driver
SGX requires support from the operating system to load enclaves. For this, you need to install and load the SGX driver. On Linux 5.11 and later the driver is part of the mainline kernel (it exposes /dev/sgx_enclave); older kernels need the out-of-tree driver.
Various installation methods are provided in the Installation guide. If the driver is already installed, make sure it's loaded properly, and that your user has read and write permission on the SGX device node. On Linux, additional debugging information may be available with dmesg or journalctl.
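The AESM and driver sections above both come down to a few file-system and service checks on Linux. The script below is an added example for this page, not code from sgx-detect, Intel's SGX SDK or the page's authors. It looks for the device nodes the different drivers create (/dev/sgx_enclave and /dev/sgx_provision for the in-tree driver, /dev/isgx for the legacy out-of-tree module, /dev/sgx/enclave and /dev/sgx/provision for the out-of-tree DCAP driver), tests whether the current user can open them, checks the aesmd service and its socket, reads the proxy keys from /etc/aesmd.conf using the "proxy type" and "aesm proxy" key names of the template shipped with Intel's aesmd, and pulls driver messages out of the kernel log. The helper names are this example's own, and the optional ROOT prefix argument exists only so the functions can be exercised against a constructed directory.

```sh
#!/bin/sh
# Added example (not part of the original page or of sgx-detect): check the
# SGX driver and the AESM service on Linux.

# check_sgx_devices [ROOT]
# Looks for the device nodes the Linux SGX drivers create and tests whether
# the calling user can open them. ROOT is an optional prefix for testing; the
# real check uses no prefix. Nodes:
#   /dev/sgx_enclave, /dev/sgx_provision   in-tree driver (Linux 5.11+, built
#                                          into the kernel, so lsmod shows nothing)
#   /dev/isgx                              legacy out-of-tree isgx module
#   /dev/sgx/enclave, /dev/sgx/provision   out-of-tree DCAP driver (intel_sgx)
check_sgx_devices() {
    _root="${1:-}"
    _found=0
    for _dev in /dev/sgx_enclave /dev/sgx_provision /dev/isgx /dev/sgx/enclave /dev/sgx/provision; do
        _p="$_root$_dev"
        [ -e "$_p" ] || continue
        _found=1
        if [ -r "$_p" ] && [ -w "$_p" ]; then
            echo "$_dev: present, usable by $(id -un)"
        else
            # typical fix: add the user to the group owning the node, or a udev rule
            echo "$_dev: present, NOT usable by $(id -un) (mode/owner/group: $(stat -c '%A %U %G' "$_p"))"
        fi
    done
    [ "$_found" -eq 1 ] || echo "no SGX device node found (driver not loaded?)"
}

# check_aesm: is the aesmd service up, and does its UNIX socket exist?
check_aesm() {
    if command -v systemctl >/dev/null 2>&1; then
        echo "aesmd service: $(systemctl is-active aesmd 2>/dev/null || true)"
    fi
    if [ -S /var/run/aesmd/aesm.socket ]; then
        echo "aesm socket: /var/run/aesmd/aesm.socket present"
    else
        echo "aesm socket: missing (AESM not installed or not running)"
    fi
}

# aesmd_proxy_config [FILE]
# Prints the effective "proxy type" and "aesm proxy" values from an
# aesmd.conf (default /etc/aesmd.conf). Lines starting with # are comments;
# an all-commented file means the default proxy type. The last setting wins.
aesmd_proxy_config() {
    _f="${1:-/etc/aesmd.conf}"
    _get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$_f" 2>/dev/null | sed 's/[[:space:]]*$//' | tail -n1; }
    _type=$(_get 'proxy type')
    _url=$(_get 'aesm proxy')
    echo "proxy type=${_type:-default} aesm proxy=${_url:-<unset>}"
}

# sgx_kernel_log: driver messages (EPC sections, load errors) from the kernel log.
sgx_kernel_log() {
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -k --no-pager 2>/dev/null | grep -i sgx || true
    else
        dmesg 2>/dev/null | grep -i sgx || true
    fi
    # only out-of-tree drivers show up here; the in-tree driver is not a module
    lsmod 2>/dev/null | grep -E '^(isgx|intel_sgx)' || true
}

check_sgx_devices
check_aesm
aesmd_proxy_config
echo "--- kernel log / modules mentioning sgx ---"
sgx_kernel_log
```

A present-but-not-usable device node is the usual cause of an enclave loader failing with a permission error even though sgx-detect run as root reports everything fine; fix the node's group or mode rather than running the enclave as root.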