
Common SGX installation issues

You can check the SGX configuration of your system with sgx-detect (see the Installation guide). If there are any issues, sgx-detect will direct you to a specific section of this page for troubleshooting help.

SGX CPU support

It appears your hardware does not support the SGX instruction set extension. Most Intel Core CPUs produced after 2015 have SGX support, as well as Intel Xeon E3 and Xeon E CPUs. For more details, see Intel ARK.

If you are running a virtual machine, make sure your hypervisor has SGX support.

If your CPU has SGX support according to Intel ARK but not according to this tool, your chipset might not support SGX in this configuration.

CPU configuration

To be able to use SGX, the BIOS must enable this functionality on boot. If you're trying to use SGX from a virtual machine, the hypervisor must enable SGX support for the VM.

Some UEFI firmware supports configuring SGX automatically; sgx-detect will prompt you if this is the case. This only works if you are booting in UEFI mode. If your BIOS is set to “Software Controlled” but you are not booting in UEFI mode, you will still need to manually configure SGX in your BIOS.

Otherwise, you will need to re-configure your BIOS or hypervisor manually. This of course requires that the BIOS or hypervisor supports SGX.

CPUID misconfiguration

SGX appears to be enabled, but there is some issue with the CPU configuration. This should never happen with any supported system and likely indicates a CPU, BIOS or hypervisor (or sgx-detect) bug.

Flexible launch control CPU configuration

Most Intel CPUs produced after 2018 that have SGX support also have FLC support.

To be able to use FLC, the BIOS must enable this functionality on boot. SGX works without FLC, but you won't be able to run production-mode enclaves unless they are signed by an Intel-blessed signing key.

To enable FLC, you will need to re-configure your BIOS manually. This of course requires that the BIOS supports SGX. Your BIOS may also call this feature “Unlocked” launch control.
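The CPU-level sections above (SGX CPU support, CPU configuration, CPUID misconfiguration, flexible launch control) can be told apart from a handful of raw register values. The following is an added example, not code from sgx-detect: the bit positions are the architectural ones from the Intel SDM, while the `Raw` struct, the `Finding` names, the rule order and the sample values are assumptions made for illustration.

```rust
// Added example. Bit positions follow the Intel SDM; the rule order and the
// mapping onto this page's sections are assumptions, not sgx-detect's logic.
pub struct Raw {
    pub leaf7_ebx: u32,       // CPUID.(EAX=07H,ECX=0):EBX, bit 2 = SGX
    pub leaf7_ecx: u32,       // CPUID.(EAX=07H,ECX=0):ECX, bit 30 = SGX_LC (FLC)
    pub leaf12_0_eax: u32,    // CPUID.(EAX=12H,ECX=0):EAX, bit 0 = SGX1
    pub leaf12_2: [u32; 4],   // CPUID.(EAX=12H,ECX=2): EAX, EBX, ECX, EDX
    pub feature_control: u64, // IA32_FEATURE_CONTROL (MSR 3AH), read as root
}

// One variant per troubleshooting section that would apply.
#[derive(Debug, PartialEq)]
pub enum Finding {
    SgxCpuSupport, CpuConfiguration, CpuidMisconfiguration,
    FlcCpuSupport, FlcCpuConfiguration, AllGood,
}

const LOCK: u64 = 1 << 0;           // MSR locked by firmware
const SGX_LC_ENABLE: u64 = 1 << 17; // launch control (FLC) enabled
const SGX_ENABLE: u64 = 1 << 18;    // SGX enabled

/// Size in bytes of the EPC section in sub-leaf 2, or 0 if the entry is invalid.
pub fn epc_size(l: &[u32; 4]) -> u64 {
    if l[0] & 0xf != 1 { return 0; } // EAX[3:0] == 1 marks a valid EPC section
    ((l[3] as u64 & 0xf_ffff) << 32) | (l[2] as u64 & 0xffff_f000)
}

pub fn diagnose(r: &Raw) -> Finding {
    let msr = r.feature_control;
    if r.leaf7_ebx & (1 << 2) == 0 { return Finding::SgxCpuSupport; }
    // Assumption: an unlocked MSR is treated as "not enabled by firmware".
    if msr & LOCK == 0 || msr & SGX_ENABLE == 0 { return Finding::CpuConfiguration; }
    // Firmware says SGX is on, but CPUID exposes no usable SGX1 or EPC.
    if r.leaf12_0_eax & 1 == 0 || epc_size(&r.leaf12_2) == 0 {
        return Finding::CpuidMisconfiguration;
    }
    if r.leaf7_ecx & (1 << 30) == 0 { return Finding::FlcCpuSupport; }
    if msr & SGX_LC_ENABLE == 0 { return Finding::FlcCpuConfiguration; }
    Finding::AllGood
}

fn main() {
    // Constructed sample: SGX enabled and locked, FLC left disabled by the BIOS.
    let r = Raw { leaf7_ebx: 1 << 2, leaf7_ecx: 1 << 30, leaf12_0_eax: 0b11,
                  leaf12_2: [0x7020_0001, 0, 0x05d8_0001, 0], feature_control: 0x4_0001 };
    println!("{:?}, EPC = {} bytes", diagnose(&r), epc_size(&r.leaf12_2));
}
```

On Linux the MSR value can only be read with root privileges, so an unprivileged check has to rely on the CPUID leaves alone.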

AESM service

The Architectural Enclave Service Manager (AESM) provides a protocol to access Intel's architectural enclaves. These architectural enclaves are needed to launch enclaves on platforms without hardware support for flexible launch control, and to perform EPID remote attestation.

If your platform supports FLC, then you only need to install AESM if you want to use EPID remote attestation.

Various installation methods are provided in the Installation guide. If AESM is already installed, make sure it's running properly. AESM requires Internet access to work properly; a proxy may be configured in /etc/aesmd.conf (Linux) or with AESMProxyConfigure.exe (Windows).

SGX driver

SGX requires support from the operating system to load enclaves. For this, you need to install and load the SGX driver.

Various installation methods are provided in the Installation guide. If the driver is already installed, make sure it's loaded properly and you have the appropriate permissions. On Linux, additional debugging information may be available with dmesg or journalctl.
