Enabling Intel SGX in BIOS

Question

I want to test Intel SGX technology on my Lenovo Tower S510 10L3-000JFM. I checked via https://github.com/ayeks/SGX-hardware that my CPU Intel Core i7-6700 supports SGX but BIOS does not, or may be not enabled (in BIOS). A BIOS update can fix this. However, a recent BIOS update from Lenovo in https://pcsupport.lenovo.com/us/en/products/desktops-and-all-in-ones/lenovo-s-series-all-in-ones/s510-desktop/10kw/downloads/ds112505 does not specify that explicitly as I do not want to proceed to this risky operation without being sure.

My question is: is this BIOS update supporting Intel SGX? Or not? Any help or resources are welcomed.

Last BIOS update is on 01/09/2016 and last CPU microcode update is on 07/01/2016.

Yes of course. In the update notes https://download.lenovo.com/pccbbs/thinkcentre_bios/m0uj931usa.txt, they did not mention SGX support. so, if you know any other documentation sources, please tell me. — Oualid, Jun 27 '18 at 16:09

score 1 · Accepted Answer · answered Jul 04 '18 at 20:45

1

According to a Lenovo BIOS engineer, BIOS for this computer model does not support Intel SGX and there is no plan for the future.

answered Jul 04 '18 at 20:45

Oualid

139
9

Good - SGX was an over-complicated disaster where originally (due to key restrictions) it was only usable by large companies (for DRM schemes). There's been multiple successful attacks since, making it worthless for all practical uses (which is, any case where you can't just trust kernel in the first place). – Brendan Mar 07 '20 at 05:55
I think it's not as disastrous as you describe and attacks found in the literature exploit SGX vulnerabilities after getting "physical" access to the platform. Skeptic users have legitimate doubts to not trust kernels, VMM, ME, SMM, BIOS and more. – Oualid Mar 23 '20 at 14:09
All of the attacks I've seen are possible if kernel is the attacker (or at least, if kernel is compromised). Either you trust kernel (and have no need for SGX) or you don't trust kernel (and can't rely on SGX). – Brendan Mar 23 '20 at 16:55

score 0 · Answer 2 · answered Mar 07 '20 at 02:24

The Linux kernel does not transparently handle the Intel SGX. An application has to be written specifically for Intel SGX to use it.

If you just want to write code for Intel SGX, you can use the SIMULATION mode provided in the SGX SDK to write code and test it out. You won't be able to use Remote Attestation (and Local attestation) as it requires access to the hardware. Apart from that, everything should work fine.

Enabling Intel SGX in BIOS

2 Answers2