Setting up a SGX development environment
- Author: Jo Guerreiro
I have been using Red Hat based distros, namely Fedora and CentOS. This is a fast how-to on the installation of an SGX development environment in F29, as it took me some iterations to get everything properly set up.
Quick Sheet
- Install Driver
- Setup PSW Dependencies
- Install icls Client
- Install DAL/JHI
- Install PSW
- Install SDK
- Send certificate to (IA) Intel Attestation Service.
1. Install Driver (Kernel 4.20 - 5.0.5)
The releases page of Intel SGX at the time of writing points to Release 2.4 as the latest with explicit support for Fedora 27.
Starting with Kernel 4.20, vm_insert_pfn transitions to vmf_insert_pfn, breaking backward compatibility. These changes did not make it into Intel SGX 2.4, therefore we must compile from source starting from this commit.
The instructions that follow are mostly copied from the GitHub page. Just make sure you are running the latest kernel or a fixed kernel if you want to avoid bad surprises:
- To check if matching kernel headers are installed:
$ ls /usr/src/kernels/$(uname -r)
- To install matching headers:
$ sudo dnf install kernel-devel
- After the above command, if the matching headers are still missing in /usr/src/kernels, try updating the kernel and rebooting using the commands below. Then choose the updated kernel in the boot menu.
$ sudo dnf install kernel
$ sudo reboot
To make the driver all you need is:
$ git clone https://github.com/intel/linux-sgx-driver.git
$ cd linux-sgx-driver
$ make
After that it can be installed through $ sudo make install if you don't mind using /etc/modules, or:
$ sudo mkdir -p "/lib/modules/$(uname -r)/kernel/drivers/intel/sgx"
$ sudo cp isgx.ko "/lib/modules/$(uname -r)/kernel/drivers/intel/sgx"
$ sudo /sbin/depmod
$ sudo /sbin/modprobe isgx
Create /etc/modules-load.d/sgx.conf with the following contents:
isgx
This will allow the system (using systemd) to automatically load the driver at boot.
2. Install Platform Software (PSW) optional dependencies
To have everything working without errors or warnings, two extra pieces of software must be installed: the icls client and the DAL/JHI for Intel ME support.
The icls links have been taken down from the download page and there are notes of contacting [email protected] for a download link here, but it's been more than a week without reply from that email address, therefore here it is, extracted from an older guide. A simple $ sudo dnf install iclsClient-1.45.449.12-1.x86_64.rpm should do the trick.
DAL/JHI Dependencies:
$ sudo dnf install libuuid-devel libxml2-devel cmake pkgconfig systemd-devel
DAL/JHI Install:
$ git clone https://github.com/intel/dynamic-application-loader-host-interface.git
$ cd dynamic-application-loader-host-interface
$ cmake .
$ make
$ sudo make install
$ sudo ldconfig
$ sudo systemctl enable --now jhi
$ sudo systemctl status jhi.service
The last command should report the service as active with everything working.
3. Install PSW and Software Development Kit (SDK)
PSW Dependencies:
$ sudo dnf install openssl-devel libcurl-devel protobuf-devel
SDK Dependencies:
$ sudo dnf groupinstall 'C Development Tools and Libraries'
$ git clone https://github.com/intel/linux-sgx.git
$ cd linux-sgx
$ ./download_prebuilt.sh
$ make sdk_install_pkg psw_install_pkg
This will create the installers in linux/installer/bin/. After this, just install the PSW and the SDK.
$ sudo ./linux/installer/bin/sgx_linux_x64_psw_*.bin
$ sudo ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
When asked to install the SDK in the current location, answer no and specify /opt/intel so the SDK gets installed to the same location as the PSW.
Check the aesmd service is working with $ sudo systemctl status aesmd. If you're behind a corporate proxy, make sure to define it in /etc/aesmd.conf and restart the service.
Finally:
$ source /opt/intel/sgxsdk/environment
$ sudo ln -s /opt/intel/sgxsdk/environment /etc/profile.d/sgx.sh
The first command will source the environment variables for your current session and the second one will set up the environment variables on login.
This should cover the basic setup in order to start compiling and testing SGX software.
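To confirm the steps above took effect, the following checks can be run after a reboot. This is an added example, not part of the original post or of Intel's tooling; the function names, the ROOT prefix and the script name sgx-check.sh are hypothetical, while the paths, module name and services are the ones used in this guide.

```sh
#!/bin/sh
# Added example: post-install checks for the setup steps in this guide.
# ROOT is a hypothetical prefix so the checks can run against a test tree;
# leave it empty on a real system.
ROOT="${ROOT:-}"

# Kernels >= 4.20 moved from vm_insert_pfn to vmf_insert_pfn, so the driver
# has to be built from source there. $1 = kernel release (uname -r).
needs_source_driver() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 20 ]; }
}

# Step 1: headers matching the given kernel release are installed.
headers_present() { [ -d "$ROOT/usr/src/kernels/$1" ]; }

# Step 1: the isgx module is currently loaded.
module_loaded() { grep -q '^isgx ' "$ROOT/proc/modules" 2>/dev/null; }

# Step 1: systemd will load isgx at boot.
autoload_configured() { grep -qx 'isgx' "$ROOT/etc/modules-load.d/sgx.conf" 2>/dev/null; }

# Step 3: login shells pick up the SDK environment.
env_linked() {
    [ "$(readlink "$ROOT/etc/profile.d/sgx.sh" 2>/dev/null)" = /opt/intel/sgxsdk/environment ]
}

# Runs every check for kernel release $1; returns the number of failures.
sgx_check() {
    fails=0
    for c in headers_present module_loaded autoload_configured env_linked; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Only touch the live system when asked to: sh sgx-check.sh --run
if [ "${1:-}" = "--run" ]; then
    k=$(uname -r)
    if needs_source_driver "$k"; then echo "note: $k needs the driver built from source"; fi
    sgx_check "$k" || echo "$? check(s) failed"
    systemctl is-active aesmd jhi   # services from steps 2 and 3
fi
```

A FAIL on headers_present right after a kernel update usually means kernel-devel has not caught up with the running kernel, in which case the driver has to be rebuilt once the headers match.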