Video Series: Intel® Software Guard Extensions—Part 2: Detect & Enable

Get a list of the hardware and software prerequisites for using Intel® Software Guard Extensions, as well as instructions for setting it up.

Hi, I'm John Mechalas with Intel. In this video, we're going to discuss detecting and enabling the Intel® Software Guard Extensions, or Intel® SGX. Before an application can use Intel SGX four conditions have to be met. The CPU in that system must support the Intel SGX instructions. The system BIOS must support Intel SGX. Intel SGX must be enabled in the BIOS. And the intellect SGX [sic] platform software, or PSW, must be installed on that system.

Intel SGX was introduced with the sixth generation Intel® Core™ line of processors [sic] and the Intel® Xeon® E3 v6 server processor [sic]. There are three possible BIOS settings for Intel SGX: enabled, disabled, and a software-controlled setting. Not all BIOS manufacturers implement all three options, and some may not provide a BIOS configuration setting at all.

The enabled setting explicitly enables Intel SGX, and the disabled setting explicitly disables it. The software control option allows Intel SGX applications to have the BIOS enable it automatically the next time the system reboots. This software enable function eliminates the need for users to have to enter their BIOS set up screen, which can be a daunting and confusing task for non-technical end users. Note that Intel SGX may not be available for use by applications even if it's supported by the CPU.

Applications and application installers need to be able to detect Intel SGX availability at runtime, and take appropriate action based on the system's configuration. It is extremely important that applications be robust. Even if an application requires Intel SGX, it should exit gracefully and display a meaningful error message if it's not available. A properly written Intel SGX application must not crash solely because Intel SGX support is not present on the system where it's run.

Application installers should follow this sequence:

  1. Detect whether or not Intel SGX is supported by the CPU and BIOS.
  2. Determine whether or not the platform software package has already been installed, and install it if it hasn't.
  3. Determine whether or not Intel SGX has been enabled on the system, and attempt the software enable if it hasn't.

The applications themselves follow a slightly different sequence.

  1. Determine whether or not the platform software has been installed.
  2. Determine whether or not until SGX [sic] has been enabled, and attempt the software enable if it hasn't.

If any of these steps fail, then the system does not support Intel SGX. If the application requires Intel SGX to run, then an error should be reported to the user. Proper detection of into Intel SGX is essential in enabled applications, and the detection procedure is more complicated than simply checking for instruction support on the CPU.

To learn more about the Intel SGX feature detection procedure, and to view some sample code visit the link below. Be sure to watch the rest of this playlist to learn more about Intel SGX application development. And remember to like this video and subscribe.