
linux-sgx-driver's Introduction

Intel(R) Software Guard Extensions for Linux* OS

linux-sgx-driver

Introduction

Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification.

The Linux SGX software stack is comprised of the Intel(R) SGX driver, the Intel(R) SGX SDK, and the Intel(R) SGX Platform Software. The Intel(R) SGX SDK and Intel(R) SGX PSW are hosted in the linux-sgx project.

The linux-sgx-driver project hosts the out-of-tree driver for the Linux Intel(R) SGX software stack, which was used until the driver upstreaming process was complete.

IMPORTANT:

This driver is deprecated and no longer maintained by Intel. We recommend that the SGX community use the SGX driver that was upstreamed into the Linux kernel. If that is not possible, you may still use the DCAP driver, which closely tracks the upstreamed kernel driver. Note that both the kernel and DCAP drivers require SGX CPUs with Flexible Launch Control (FLC) support.

For new feature requests/patches, please submit them directly to the linux-sgx mailing list.

License

See License.txt for details.

Documentation

Build and Install the Intel(R) SGX Driver

Prerequisites

  • Ensure that you have an operating system version supported as listed for specific releases: https://01.org/intel-software-guard-extensions/downloads
  • Ensure that you have the following required hardware:
    • 6th Generation Intel(R) Core(TM) Processor or newer
  • Configure the system with the SGX hardware enabled option.
  • To build the driver, the version of installed kernel headers must match the active kernel version on the system.
    • On Ubuntu
      • To check if matching kernel headers are installed:
        $ dpkg-query -s linux-headers-$(uname -r)
        
      • To install matching headers:
        $ sudo apt-get install linux-headers-$(uname -r)
        
    • On CentOS, RHEL or Fedora
      • To check if matching kernel headers are installed:
        $ ls /usr/src/kernels/$(uname -r)
        
      • To install matching headers:
        $ sudo yum install kernel-devel
        
      • After the above command, if the matching headers are still missing in /usr/src/kernels, try updating the kernel and rebooting using the commands below. Then choose the updated kernel in the boot menu.
        $ sudo yum install kernel
        $ sudo reboot
        
      • On RHEL 8.0 elfutils-libelf-devel package is required:
        $ sudo yum install elfutils-libelf-devel
        

Note: Refer to the "Intel® SGX Resource Enumeration Leaves" section in the Intel SGX Programming reference guide to make sure your CPU has the SGX feature.
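As an added example (not part of the Intel README or the driver sources), the following C program decodes the CPUID leaves that decide which driver applies: leaf 07H for SGX and Flexible Launch Control, and leaf 12H for the EPC sections. The function and type names are illustrative assumptions, the EPC register values are constructed to match the dmesg line quoted in an issue further down this page, and the live CPUID read needs an x86 build with GCC or Clang.

```c
/* Added example: decode the SGX-related CPUID leaves. All names are illustrative. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>                 /* __get_cpuid_count() from GCC/Clang */
#define HAVE_CPUID 1
#endif

/* CPUID.(EAX=07H,ECX=0): EBX bit 2 = SGX, ECX bit 30 = SGX_LC (FLC). */
#define LEAF7_EBX_SGX     (1u << 2)
#define LEAF7_ECX_SGX_LC  (1u << 30)

enum sgx_driver_choice {
    SGX_UNSUPPORTED,       /* CPU does not enumerate SGX */
    SGX_LEGACY_ISGX,       /* SGX without FLC: kernel and DCAP drivers do not apply */
    SGX_IN_KERNEL_OR_DCAP  /* SGX with FLC: upstream kernel driver or DCAP driver */
};

/* Map the two leaf 07H registers to the driver family the README points to. */
enum sgx_driver_choice sgx_driver_for(uint32_t leaf7_ebx, uint32_t leaf7_ecx)
{
    if (!(leaf7_ebx & LEAF7_EBX_SGX))
        return SGX_UNSUPPORTED;
    return (leaf7_ecx & LEAF7_ECX_SGX_LC) ? SGX_IN_KERNEL_OR_DCAP
                                          : SGX_LEGACY_ISGX;
}

const char *sgx_driver_name(enum sgx_driver_choice c)
{
    switch (c) {
    case SGX_LEGACY_ISGX:       return "out-of-tree isgx (no FLC)";
    case SGX_IN_KERNEL_OR_DCAP: return "in-kernel or DCAP (FLC present)";
    default:                    return "none (SGX not enumerated)";
    }
}

struct epc_section {
    int      valid;   /* 1 if the sub-leaf describes an EPC section */
    uint64_t base;    /* physical base address */
    uint64_t size;    /* size in bytes */
};

/*
 * CPUID.(EAX=12H,ECX>=2): EAX[3:0] = 1 marks a valid EPC section;
 * EAX[31:12] and EBX[19:0] hold the base, ECX[31:12] and EDX[19:0] the size.
 */
struct epc_section sgx_decode_epc(uint32_t eax, uint32_t ebx,
                                  uint32_t ecx, uint32_t edx)
{
    struct epc_section s = { 0, 0, 0 };

    if ((eax & 0xfu) != 1u)
        return s;
    s.valid = 1;
    s.base = ((uint64_t)(ebx & 0xfffffu) << 32) | (eax & 0xfffff000u);
    s.size = ((uint64_t)(edx & 0xfffffu) << 32) | (ecx & 0xfffff000u);
    return s;
}

static void print_epc(struct epc_section s)
{
    printf("EPC section 0x%llx-0x%llx\n", (unsigned long long)s.base,
           (unsigned long long)(s.base + s.size - 1));
}

int main(void)
{
    /* Leaf 07H values quoted in the non-FLC issue on this page. */
    printf("issue sample: %s\n", sgx_driver_name(sgx_driver_for(0x29c67afu, 0u)));
    /* Constructed leaf 12H registers matching that issue's dmesg EPC line. */
    print_epc(sgx_decode_epc(0x70200001u, 0u, 0x05d80001u, 0u));

#ifdef HAVE_CPUID
    unsigned int a, b, c, d, sub;

    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) {
        puts("this CPU: leaf 07H not available");
        return 1;
    }
    printf("this CPU: %s\n", sgx_driver_name(sgx_driver_for(b, c)));
    if (sgx_driver_for(b, c) == SGX_UNSUPPORTED)
        return 0;
    /* Leaf 12H sub-leaf 0: EAX bit 0 = SGX1, bit 1 = SGX2 instruction sets. */
    if (__get_cpuid_count(0x12, 0, &a, &b, &c, &d))
        printf("SGX1: %u  SGX2: %u\n", a & 1u, (a >> 1) & 1u);
    /* Sub-leaves 2 and up enumerate EPC sections until an invalid one. */
    for (sub = 2; __get_cpuid_count(0x12, sub, &a, &b, &c, &d); sub++) {
        struct epc_section s = sgx_decode_epc(a, b, c, d);
        if (!s.valid)
            break;
        print_epc(s);
    }
#endif
    return 0;
}
```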

Build the Intel(R) SGX Driver

To build the Intel(R) SGX driver, change the directory to the driver path and enter the following command:

$ make

You can find the driver isgx.ko generated in the same directory.

Install the Intel(R) SGX Driver

To install the Intel(R) SGX driver, enter the following command with root privilege:

$ sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"    
$ sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"    
$ sudo sh -c "cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules"    
$ sudo /sbin/depmod
$ sudo /sbin/modprobe isgx

On Red Hat Enterprise Linux Server or CentOS, run the following command on each reboot:

$ sudo /sbin/modprobe isgx

On SUSE, add the '--allow-unsupported' flag when executing the 'modprobe' command during the SGX driver installation and on each reboot:

$ sudo /sbin/modprobe isgx --allow-unsupported

Uninstall the Intel(R) SGX Driver

Before uninstalling the Intel(R) SGX driver, make sure the aesmd service is stopped. See the topic, Start or Stop aesmd Service, on how to stop the aesmd service.
To uninstall the Intel(R) SGX driver, enter the following commands:

$ sudo /sbin/modprobe -r isgx
$ sudo rm -rf "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo /sbin/depmod
$ sudo /bin/sed -i '/^isgx$/d' /etc/modules


linux-sgx-driver's Issues

Non FLC SGX device, Linux Kernel 5.15

For various reasons I'm trying to upgrade my system to Ubuntu 22.04 with linux kernel 5.15. My CPU does not support Flexible Launch Control according to cpuid:

Extended feature bits (EAX=07H, ECX=0H)
eax: 0 ebx: 29c67af ecx: 0 edx: bc002e00
sgx available: 1
sgx launch control: 0

So I'm trying to install the isgx driver. The driver installs just fine both from https://download.01.org/intel-sgx/ as well as if I build the driver from source. However, upon reboot the sgx device does not seem to load properly and dmesg gives me the following output:

[ 0.418012] sgx: EPC section 0x70200000-0x75f7ffff
[ 4.180975] isgx: loading out-of-tree module taints kernel.
[ 4.181011] isgx: module verification failed: signature and/or required key missing - tainting kernel
[ 4.181318] intel_sgx: Intel SGX Driver v2.11.0
[ 4.181326] UBSAN: shift-out-of-bounds in ./linux-sgx-driver/sgx_main.c:224:11
[ 4.181352] sgx_drv_probe.cold+0x1db/0x55b [isgx]
[ 4.181379] ? sgx_drv_probe+0x130/0x130 [isgx]
[ 4.181384] init_sgx_module+0x2f/0x90 [isgx]
[ 4.181450] intel_sgx INT0E0C:00: EPC bank 0x70200000-0x75f80000
[ 4.182815] intel_sgx: can not reset SGX LE public key hash MSRs
[ 4.182873] intel_sgx: second initialization call skipped

I'm assuming the shift-out-of-bounds issue is my problem. Has anyone else experienced this? Is it just not possible to run older isgx devices on the newest Linux kernels?

Compilation error with kernel 4.13.0-38-generic: fatal error: asm/msr-index.h: No such file or directory

As the Linux kernel has stopped exporting asm/msr-index.h to user-land starting with kernel version 4.12-rc1, the build (branch: sgx2, commit dc5858aa1a67d80e525440968366d29e1c44b892) fails with the following error message: fatal error: asm/msr-index.h: No such file or directory

The build system configuration is as follows:

$ uname -r
4.13.0-38-generic

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"

Build error: stack-protector enabled but compiler support broken

I'm trying to install the SGX Driver on RHEL7.4-64bit.

I first downloaded the SGX Driver installer from https://01.org/intel-software-guard-extensions/downloads, but I got the following error:

# ./sgx_linux_x64_driver_1bf506e.bin
Unpacking Intel SGX Driver ... done.
Verifying the integrity of the install package ... done.
Installing Intel SGX Driver ...
/tmp/sgx-driver-Jb6YTw ~/sgxdownloads
install -d /opt/intel/sgxdriver/package
install -d /opt/intel/sgxdriver/scripts
install package/* /opt/intel/sgxdriver/package
install scripts/* /opt/intel/sgxdriver/scripts
~/sgxdownloads
/opt/intel/sgxdriver/package ~/sgxdownloads
make -C /lib/modules/3.10.0-693.21.1.el7.x86_64/build SUBDIRS=/opt/intel/sgxdriver/package CFLAGS_MODULE="-DDEBUG -g -O0" modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
arch/x86/Makefile:96: stack-protector enabled but compiler support broken
arch/x86/Makefile:166: *** CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended..  Stop.
make[1]: Leaving directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
make: *** [default] Error 2

Then I tried to download and build the SGX Driver directly from this Git repo, but I got the same error:

# make
make -C /lib/modules/3.10.0-693.21.1.el7.x86_64/build SUBDIRS=/root/sgxdownloads/linux-sgx-driver-master CFLAGS_MODULE="-DDEBUG -g -O0" modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
arch/x86/Makefile:96: stack-protector enabled but compiler support broken
arch/x86/Makefile:166: *** CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended..  Stop.
make[1]: Leaving directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
make: *** [default] Error 2

After reading through the repo issues, I tried tweaking the Makefile, first by changing SUBDIRS=$(PWD) to M=$(PWD), and then by removing the -O0 option from the CFLAGS_MODULE.
Neither of those, nor both of those, improved the situation. Here's the output with both changes:

# make
make -C /lib/modules/3.10.0-693.21.1.el7.x86_64/build M=/root/sgxdownloads/linux-sgx-driver-master CFLAGS_MODULE="-DDEBUG -g" modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
arch/x86/Makefile:96: stack-protector enabled but compiler support broken
arch/x86/Makefile:166: *** CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended..  Stop.
make[1]: Leaving directory `/usr/src/kernels/3.10.0-693.21.1.el7.x86_64'
make: *** [default] Error 2

Can anyone show me the errors of my ways? Thanks.

Why do we need to grab an enclave lock during do fault?

While doing some performance tests on SGX 1, I noticed that my application suffers from a scalability problem when doing memory-intensive work like GC. I found that it comes from waiting for the enclave lock before doing the fault. I wonder why the driver needs to wait for the enclave lock before actually doing the allocation and ELDU, and, if it is a necessity, whether we can at least make some modification to slightly relax the concurrency control?

modprobe: ERROR: could not insert 'isgx': Operation not permitted under CentOS 7x64

Hi, There!

We have trouble running the kernel module for SGX support.

Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz (fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu cpuid_faulting pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb cat_l3 cdp_l3 intel_ppin intel_pt ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm rdt_a rdseed adx smap xsaveopt cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts md_clear spec_ctrl intel_stibp flush_l1d)

CentOS Linux release 7.7.1908 (Core)

Linux d214.sancom.in 3.10.0 #1 SMP Thu Jun 27 15:10:55 MSK 2019 x86_64 x86_64 x86_64 GNU/Linux

Make goes perfectly, but modprobe/insmod fail.

modprobe: ERROR: could not insert 'isgx': Operation not permitted

We are running it in an OpenVZ container.

Unable to load driver with message "

After compiling and loading the v2.5 SGX driver, I get the following message:

$ dmesg | grep sgx
[ 2.963304] intel_sgx: Intel SGX Driver v0.10
[ 2.963325] intel_sgx INT0E0C:00: EPC bank 0x70200000-0x75f80000
[ 2.972645] intel_sgx: second initialization call skipped

There is no /dev/sgx or /dev/isgx device so I can only assume the driver did not load properly. I double checked and SGX is definitely enabled in BIOS. Any guidance on how to resolve this?

This happens to be on Debian 9.9.0 with kernel version 4.9.0-9.

run ./sgx_linux_x64_driver_1.36.2.bin error

run ./sgx_linux_x64_driver_1.36.2.bin error:

Unpacking Intel SGX Driver ... done.
Verifying the integrity of the install package ... done.
Installing Intel SGX Driver ...
/tmp/sgx-driver-8gBXzL ~
install -d /opt/intel/sgxdriver/package
install -d /opt/intel/sgxdriver/scripts
cp -r package/* /opt/intel/sgxdriver/package
install scripts/* /opt/intel/sgxdriver/scripts
~

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
'make' KDIR=/lib/modules/5.15.0-91-generic/build....(bad exit status: 2)
ERROR (dkms apport): binary package for sgx: 1.36.2 not found
Error! Bad return status for module build on kernel: 5.15.0-91-generic (x86_64)
Consult /var/lib/dkms/sgx/1.36.2/build/make.log for more information.

================================================

make.log info:
DKMS make.log for sgx-1.36.2 for kernel 5.15.0-91-generic (x86_64)
2024年 01月 12日 星期五 14:39:41 CST
make -C /lib/modules/5.15.0-91-generic/build M=/var/lib/dkms/sgx/1.36.2/build CFLAGS_MODULE="-I/var/lib/dkms/sgx/1.36.2/build -I/var/lib/dkms/sgx/1.36.2/build/include" modules
make[1]: Entering directory '/usr/src/linux-headers-5.15.0-91-generic'
  CC [M]  /var/lib/dkms/sgx/1.36.2/build/encl.o
  CC [M]  /var/lib/dkms/sgx/1.36.2/build/main.o
/var/lib/dkms/sgx/1.36.2/build/main.c: In function ‘sgx_init’:
/var/lib/dkms/sgx/1.36.2/build/main.c:792:9: note: #pragma message: kernel version may not be supported
  792 | #pragma message "kernel version may not be supported"
      |         ^~~~~~~
  CC [M]  /var/lib/dkms/sgx/1.36.2/build/driver.o
  CC [M]  /var/lib/dkms/sgx/1.36.2/build/ioctl.o
  LD [M]  /var/lib/dkms/sgx/1.36.2/build/intel_sgx.o
  MODPOST /var/lib/dkms/sgx/1.36.2/build/Module.symvers
ERROR: modpost: "kallsyms_lookup_name" [/var/lib/dkms/sgx/1.36.2/build/intel_sgx.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:133: /var/lib/dkms/sgx/1.36.2/build/Module.symvers] Error 1
make[2]: *** Deleting file '/var/lib/dkms/sgx/1.36.2/build/Module.symvers'
make[1]: *** [Makefile:1830: modules] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.15.0-91-generic'
make: *** [Makefile:22: default] Error 2

How to solve it??

Compilation error with 4.14 kernel: "impossible constraint in asm"

Trying to compile the latest isgx module from the master branch:

$ make
make -C /lib/modules/4.14.13-300.fc27.x86_64/build SUBDIRS=/home/chris/workspace/linux-sgx-driver CFLAGS_MODULE="-DDEBUG -g -O0" modules
make[1]: Entering directory '/usr/src/kernels/4.14.13-300.fc27.x86_64'
arch/x86/Makefile:244: CONFIG_RETPOLINE=y, but not supported by the compiler. Toolchain update recommended.
  CC [M]  /home/chris/workspace/linux-sgx-driver/sgx_util.o
In file included from ./include/linux/compiler_types.h:58:0,
                 from ./include/uapi/linux/stddef.h:2,
                 from ./include/linux/stddef.h:5,
                 from ./include/uapi/linux/posix_types.h:5,
                 from ./include/uapi/linux/types.h:14,
                 from ./include/linux/types.h:6,
                 from /home/chris/workspace/linux-sgx-driver/sgx_arch.h:57,
                 from /home/chris/workspace/linux-sgx-driver/sgx_asm.h:61,
                 from /home/chris/workspace/linux-sgx-driver/sgx.h:63,
                 from /home/chris/workspace/linux-sgx-driver/sgx_util.c:61:
./arch/x86/include/asm/jump_label.h: In function ‘put_page’:
./include/linux/compiler-gcc.h:276:38: warning: asm operand 0 probably doesn’t match constraints
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:36:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^~~~~~~~~~~~~~~~~
./include/linux/compiler-gcc.h:276:38: warning: asm operand 1 probably doesn’t match constraints
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:36:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^~~~~~~~~~~~~~~~~
./include/linux/compiler-gcc.h:276:38: error: impossible constraint in ‘asm’
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:36:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^~~~~~~~~~~~~~~~~
make[2]: *** [scripts/Makefile.build:315: /home/chris/workspace/linux-sgx-driver/sgx_util.o] Error 1
make[1]: *** [Makefile:1511: _module_/home/chris/workspace/linux-sgx-driver] Error 2
make[1]: Leaving directory '/usr/src/kernels/4.14.13-300.fc27.x86_64'
make: *** [Makefile:16: default] Error 2

I see this error on both Fedora 27 and Arch Linux.

"Failed to load enclave." error with Centos7.8 release

I created this issue thinking this might be specific to the version I used and the older CentOS7.8 I'm using. Basically, after following the installation guide of version 2.8 (the latest that can run on CentOS 7) and installing all the necessary components (driver, SDK, and the supporting libraries), I get this infamous error when running one of the examples.

Here are my environment details:

[root@localhost sgx-aesm-service]# uname -a
Linux localhost.localdomain 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost sgx-aesm-service]# rpm -qa | grep -i sgx
libsgx-ae-pce-2.8.100.3-1.el7.centos.x86_64
libsgx-quote-ex-2.8.100.3-1.el7.centos.x86_64
libsgx-launch-2.8.100.3-1.el7.centos.x86_64
libsgx-ae-qe3-1.4.100.3-1.el7.centos.x86_64
libsgx-ae-le-2.8.100.3-1.el7.centos.x86_64
libsgx-enclave-common-2.8.100.3-1.el7.centos.x86_64
libsgx-ae-epid-2.8.100.3-1.el7.centos.x86_64
libsgx-aesm-ecdsa-plugin-2.8.100.3-1.el7.centos.x86_64
sgx-aesm-service-2.8.100.3-1.el7.centos.x86_64
libsgx-urts-2.8.100.3-1.el7.centos.x86_64
libsgx-aesm-epid-plugin-2.8.100.3-1.el7.centos.x86_64
libsgx-aesm-quote-ex-plugin-2.8.100.3-1.el7.centos.x86_64
libsgx-uae-service-2.8.100.3-1.el7.centos.x86_64
libsgx-aesm-launch-plugin-2.8.100.3-1.el7.centos.x86_64
libsgx-epid-2.8.100.3-1.el7.centos.x86_64
libsgx-aesm-pce-plugin-2.8.100.3-1.el7.centos.x86_64

[root@localhost LocalAttestation]# systemctl status aesmd
● aesmd.service - Intel(R) Architectural Enclave Service Manager
Loaded: loaded (/usr/lib/systemd/system/aesmd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2021-08-07 12:01:45 IST; 1h 26min ago
Main PID: 2276 (aesm_service)
CGroup: /system.slice/aesmd.service
└─2276 /opt/intel/sgx-aesm-service/aesm/aesm_service

Aug 07 12:01:40 localhost.localdomain systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
Aug 07 12:01:45 localhost.localdomain systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Aug 07 12:01:49 localhost.localdomain aesm_service[2276]: The server sock is 0x22e1a80
Aug 07 12:16:28 localhost.localdomain aesm_service[2276]: InKernel LE loaded

Downloaded the source code from https://github.com/intel/linux-sgx/tree/sgx_2.8
And ran one of the examples:

[root@localhost LocalAttestation]# ./bin/app
failed to load enclave.
[root@localhost LocalAttestation]#

To confirm, I downloaded the sgx-software-enable from https://github.com/intel/sgx-software-enable
[root@localhost sgx-software-enable]$ ./sgx_enable -s
Intel SGX is already enabled on this system
[root@localhost sgx-software-enable]$

EACCEPT returns SGX_PAGE_ATTRIBUTES_MISMATCH

If enclave_alloc succeeds with a virtual address in-enclave, for what reasons would running EACCEPT on the address fail afterwards? I get an error message when I run EACCEPT on a virtual address which has been previously allocated via enclave_alloc.

The return code I get matches SGX_PAGE_ATTRIBUTES_MISMATCH. How do I fix this?

I see that someone has the pseudocode for it here: https://github.com/Mic92/x86_64-linux-cheatsheats/blob/master/pages/ENCLU%5BEACCEPT%5D

How do I know what the correct EPCM page attributes are?

Error in sgx_main.c - Assignment of Read-Only Member vm_flags on Branch 2.14

Description

When attempting to build the Intel SGX driver on a system with kernel version 6.5.0-1021-azure, the following error occurs:

/home/username/linux-sgx-driver/sgx_main.c: In function ‘sgx_mmap’:
/home/username/linux-sgx-driver/sgx_main.c:112:23: error: assignment of read-only member ‘vm_flags’
  112 |         vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP | VM_IO |
      |                       ^~
make[3]: *** [scripts/Makefile.build:251: /home/username/linux-sgx-driver/sgx_main.o] Error 1
make[2]: *** [/usr/src/linux-headers-6.5.0-1021-azure/Makefile:2039: /home/username/linux-sgx-driver] Error 2
make[1]: *** [Makefile:234: __sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.5.0-1021-azure'
make: *** [Makefile:16: default] Error 2

Cause

The error is caused by the code attempting to modify the vm_flags field of the vma structure directly, which is marked as read-only in recent kernel versions.

Solution

To resolve this issue, modify the sgx_main.c file to use an indirect method for modifying the vm_flags field. Here’s the corrected code snippet:

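static int sgx_mmap(struct file *file, struct vm_area_struct *vma)
{
    vma->vm_ops = &sgx_vm_ops;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 3, 0)   /* needs <linux/version.h> */
    /* vm_flags is const since kernel 6.3; update it through the kernel's accessor */
    vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP | VM_IO | VM_DONTCOPY);
#else
    /* Older kernels: the field is writable, keep the original assignment */
    vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP | VM_IO | VM_DONTCOPY;
#endif
    return 0;
}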

Steps to Reproduce

  1. Clone the Intel SGX driver repository.
  2. Attempt to build the driver using make on a system with kernel version 6.5.0-1021-azure.
  3. Observe the compilation error related to the vm_flags field in sgx_main.c.

Expected Behavior

The driver should compile without errors.

Environment

  • Kernel Version: 6.5.0-1021-azure
  • GCC Version: 11.4.0
  • Intel SGX Driver Version: 2.14.0

Additional Context

This issue and its solution were discussed and resolved during a development process. The fix involves using a safer approach to modify the read-only vm_flags field.

`GLIBC_2.27' not found (required by ld)

$ make
make -C /lib/modules/4.4.0-201-generic/build M=/root/linux-sgx-driver modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-201-generic'
arch/x86/Makefile:168: CONFIG_X86_X32 enabled but no binutils support
  LD [M]  /root/linux-sgx-driver/isgx.o
ld: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.27' not found (required by ld)
scripts/Makefile.build:480: recipe for target '/root/linux-sgx-driver/isgx.o' failed
make[2]: *** [/root/linux-sgx-driver/isgx.o] Error 1
Makefile:1471: recipe for target '_module_/root/linux-sgx-driver' failed
make[1]: *** [_module_/root/linux-sgx-driver] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-201-generic'
Makefile:16: recipe for target 'default' failed
make: *** [default] Error 2

Turn off EPC paging

Hello,

I am running a program assigning a buffer inside the enclave using malloc, at runtime. I then perform some read/write operations on the buffer. I can see performance slow down and then drop once the EPC limit is reached, with a large buffer. I understand that the EPC size is set to 128MB maximum.

  1. Is there a way to turn off EPC paging in SGX, to ensure the active pages are not swapped out?

  2. I was told there was no way to turn off the swap feature without changing the driver code. I am looking at sgx_page_cache.c, at a function called "sgx_swap_pages" - what must I change to turn off the swap feature?

  3. If I stick to sizes small enough that I know will not trigger paging, will I be able to load the enclave, if I turn off swap?

Thank you

[Feature request] Missing allocation QOS limits

For a machine to offer SGX in a multiuser system, there needs to be a mechanism to ensure each user stays within their allocated amount of EPC. Are there plans for this driver to handle that, since E5 SGX is primarily for multiuser service providers?

make fails: Skipping BTF generation for ...isgx.ko due to unavailability of vmlinux

Unable to build isgx.ko.

operating system Ubuntu 20.04
kernel Linux 5.15.5-051505-generic
driver tag sgx_diver_2.14 (2d2b795)

note: The same thing happens with master (54c9c4c).

$ make
make -C /lib/modules/5.15.5-051505-generic/build M=/home/pi/intel/linux-sgx-driver modules
make[1]: Entering directory '/usr/src/linux-headers-5.15.5-051505-generic'
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_main.o
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_page_cache.o
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_ioctl.o
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_vma.o
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_util.o
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_encl.o
  CC [M]  /home/pi/intel/linux-sgx-driver/sgx_encl2.o
  LD [M]  /home/pi/intel/linux-sgx-driver/isgx.o
  MODPOST /home/pi/intel/linux-sgx-driver/Module.symvers
  CC [M]  /home/pi/intel/linux-sgx-driver/isgx.mod.o
  LD [M]  /home/pi/intel/linux-sgx-driver/isgx.ko
  BTF [M] /home/pi/intel/linux-sgx-driver/isgx.ko
Skipping BTF generation for /home/pi/intel/linux-sgx-driver/isgx.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-5.15.5-051505-generic'

New release?

There have been some changes over the past ~year, are you planning to do a new release?

Build errors on Linux 4.8

When building using the supplied Makefile on Linux 4.8, I get the following errors:

In file included from ./include/linux/compiler.h:58:0,
                 from ./arch/x86/include/asm/bitops.h:15,
                 from ./include/linux/bitops.h:36,
                 from linux-sgx-driver/isgx_user.h:18,
                 from linux-sgx-driver/isgx.h:18,
                 from linux-sgx-driver/isgx_ioctl.c:16:
./arch/x86/include/asm/jump_label.h: In function ‘isgx_ioctl_enclave_create’:
./include/linux/compiler-gcc.h:243:38: warning: asm operand 0 probably doesn’t match constraints
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:35:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^
./include/linux/compiler-gcc.h:243:38: warning: asm operand 1 probably doesn’t match constraints
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:35:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^
./include/linux/compiler-gcc.h:243:38: warning: asm operand 0 probably doesn’t match constraints
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:35:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^
./include/linux/compiler-gcc.h:243:38: warning: asm operand 1 probably doesn’t match constraints
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:35:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^
./include/linux/compiler-gcc.h:243:38: error: impossible constraint in ‘asm’
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:35:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^
./include/linux/compiler-gcc.h:243:38: error: impossible constraint in ‘asm’
 #define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
                                      ^
./arch/x86/include/asm/jump_label.h:35:2: note: in expansion of macro ‘asm_volatile_goto’
  asm_volatile_goto("1:"
  ^

If, instead of using the supplied Makefile, I run make -C /lib/modules/$(uname -r)/build M=$PWD modules, the module builds and loads fine. Also, building using the supplied Makefile for 4.7 works fine.

Linux jethroft 4.8.1-040801-generic #201610071031 SMP Fri Oct 7 14:34:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) 

Is this repo the latest sgx driver code?

Hi!

  • I notice most of the repo's code is from a year ago
  • But the latest SGX SDK when I write this issue was published on Dec 20, 2018.

So, I wonder whether the repo's code is the latest?
If not, where can I get the latest driver code??

Thanks!!!

Enclave creation fails with out of memory. Unable to run sample code

I was building kernel 5.12.18 on the RHEL 8.0 platform. The SGX enclave failed to be created, throwing an Out Of Memory error.

It is run on the server, and it has a huge amount of memory.

Memory Details:

[SampleEnclave]$ free -h
              total        used        free      shared  buff/cache   available
Mem:          125Gi       3.0Gi       121Gi        17Mi       1.3Gi       121Gi
Swap:         4.0Gi          0B       4.0Gi

Sample Code Execution:-
[intel@intel SampleEnclave]$ ../app
-bash: ../app: No such file or directory
[intel@intel SampleEnclave]$ ./app
Error: Out of memory.
Enter a character before exit ...

Dmesg Output:-
RIP: 0010:ksgxd+0x92/0x2d0
[ 37.418648] Code: 48 89 ef e8 00 f2 ff ff 48 63 c3 48 8d 04 c0 49 8d 04 c4 48 8b 50 38 48 8d 45 38 48 39 c2 74 0c 89 de 4c 89 ef e8 5d f9 8f 00 <0f> 0b 83 c3 01 48 83 c5 48 39 1d ef fe fb 01 7f c5 e8 c8 b7 0a 00
[ 37.418649] RSP: 0018:ff86332808c03ec0 EFLAGS: 00010282
[ 37.418651] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000027
[ 37.418651] RDX: 0000000000000027 RSI: ff48646e3f7577f0 RDI: ff48646e3f7577f8
[ 37.418652] RBP: ffffffff99008d88 R08: 0000000000000000 R09: c0000000fffeffff
[ 37.418653] R10: 0000000000000001 R11: ff86332808c03cc8 R12: ffffffff99008d40
[ 37.418653] R13: ffffffff980f9670 R14: 0000000000000000 R15: ff48644f09159ec0
[ 37.418654] FS: 0000000000000000(0000) GS:ff48646e3f740000(0000) knlGS:0000000000000000
[ 37.418655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.418656] CR2: 00007f9a3fbdc6d6 CR3: 0000000f87a0a003 CR4: 0000000000771ee0
[ 37.418657] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 37.418657] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 37.418658] PKRU: 55555554
[ 37.418659] Call Trace:
[ 37.418661] ? sgx_alloc_epc_page+0x140/0x140
[ 37.418663] kthread+0x11a/0x140
[ 37.418666] ? set_kthread_struct+0x40/0x40
[ 37.418668] ret_from_fork+0x1f/0x30
[ 37.418671] ---[ end trace b218459e3ab9df36 ]---

Linux sgx driver 2.14 tag name

Not a very important issue, but still worth mentioning:
The tag name for the 2.14 driver release is sgx_diver_2.14. It would make more sense if this were changed to sgx_driver_2.14 to maintain coherence with the past naming convention.

FTBFS with linux-4.20

/opt/intel/sgxdriver/package/sgx_encl2.c: In function ‘sgx_encl_augment’:
/opt/intel/sgxdriver/package/sgx_encl2.c:172:8: error: implicit declaration of function ‘vm_insert_pfn’; did you mean ‘vmf_insert_pfn’? [-Werror=implicit-function-declaration]
  ret = vm_insert_pfn(vma, encl_page->addr, PFN_DOWN(epc_page->pa));
        ^~~~~~~~~~~~~
        vmf_insert_pfn

same with sgx_encl.c and sgx_util.c.

running sgx_linux_x64_driver_778dd1f.bin

run `sudo /sbin/modprobe isgx` error

run sudo /sbin/modprobe isgx error
modprobe: ERROR: could not insert 'isgx': Operation not permitted
Can anyone help me with this? Why am I getting this error and how to proceed

Also after sudo apt-get install linux-headers-$(uname -r) I get the following error

Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-headers-5.0.0-27-generic is already the newest version (5.0.0-27.28).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up intel-sgx-dkms (1.9-2) ...
Removing old intel-sgx-1.9 DKMS files...


Deleting module version: 1.9
completely from the DKMS tree.

Done.
Loading new intel-sgx-1.9 DKMS files...
Building for 5.0.0-27-generic
Building initial module for 5.0.0-27-generic
ERROR: Cannot create report: [Errno 17] File exists: '/var/crash/intel-sgx-dkms.0.crash'
Error! Bad return status for module build on kernel: 5.0.0-27-generic (x86_64)
Consult /var/lib/dkms/intel-sgx/1.9/build/make.log for more information.
dpkg: error processing package intel-sgx-dkms (--configure):
installed intel-sgx-dkms package post-installation script subprocess returned error exit status 10
Errors were encountered while processing:
intel-sgx-dkms
E: Sub-process /usr/bin/dpkg returned an error code (1)

How do I fix this and proceed?

How to add driver module in Linux Kernel 5.17?

Hello, I have Ubuntu 21.10 and my hardware supports FLC. Based on these assumptions, I should already have the SGX driver installed on my laptop, right? This is the output of ls -ltr /dev/*sgx*:

crw------- 1 root root    10, 124 Sep 14 15:37 /dev/sgx_vepc
crw-rw---- 1 root sgx_prv 10, 126 Sep 14 15:37 /dev/sgx_provision
crw-rw---- 1 root sgx     10, 125 Sep 14 15:37 /dev/sgx_enclave

/dev/sgx:
total 0
lrwxrwxrwx 1 root root 16 Sep 14 15:37 provision -> ../sgx_provision
lrwxrwxrwx 1 root root 14 Sep 14 15:37 enclave -> ../sgx_enclave

However, the driver is not in the kernel modules, since it doesn't show any output if I type lsmod | grep sgx
How can I enable the module? Where is the sgx.ko file? I didn't download the driver because the community advised me not to, since I could have conflicts between driver versions.
Thanks in advance

Hardcoded buffer size in sgx_ioctl()

When reading the sgx_ioctl function code I noticed that the size of the receiving buffer is hardcoded:

char data[256];

And the input data is copied to the buffer in the following way:
if (copy_from_user(data, (void __user *)arg, _IOC_SIZE(cmd)))

_IOC_SIZE can return up to _IOC_SIZEMASK bytes (== 8191) and is user-controlled (but currently the switch right before will filter it).

This seems like a ticking bomb to me: it's very easy to accidentally turn it into a buffer overflow when changing this code (e.g. by adding more fields to the input structs or changing the switch statement). Such an overflow would be detected in the newest kernels by the hardened copy_from_user, but I think it's still better to change the code and stay on the safe side.

If you think it's worth fixing I can create a pull request.
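The guards this issue argues for, as an added userspace example that is not the driver's code: a run-time size check before the copy plus a build-time assertion on the argument structs. All `DEMO_*` macros, the two structs and the `demo_*` functions are assumptions; the 13-bit size field matches the `_IOC_SIZEMASK` value quoted above, and the real field widths are architecture-specific.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Local stand-ins (assumed, not the driver's code) for the kernel's ioctl
 * number encoding, laid out here as nr:8 | type:8 | size:13 | dir:3. */
#define DEMO_IOC(dir, type, nr, size) \
    (((uint32_t)(dir) << 29) | ((uint32_t)(size) << 16) | \
     ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define DEMO_IOC_SIZE(cmd) (((cmd) >> 16) & 0x1fffu)
#define DEMO_BUF_SIZE 256 /* the hardcoded buffer size from the issue */

struct demo_small { uint64_t src; };                 /* fits the buffer */
struct demo_grown { uint64_t src; char pad[4096]; }; /* outgrew the buffer */
#define DEMO_IOC_SMALL DEMO_IOC(1, 0xA4, 0, sizeof(struct demo_small))
#define DEMO_IOC_GROWN DEMO_IOC(1, 0xA4, 1, sizeof(struct demo_grown))

/* Build-time guard: compilation fails as soon as this struct outgrows the
 * buffer (kernel code would use BUILD_BUG_ON for the same purpose). */
_Static_assert(sizeof(struct demo_small) <= DEMO_BUF_SIZE, "arg too large");

/* Userspace stand-in for copy_from_user(); returns bytes left uncopied. */
static unsigned long demo_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

long demo_ioctl(uint32_t cmd, const void *arg)
{
    char data[DEMO_BUF_SIZE];
    size_t size = DEMO_IOC_SIZE(cmd);

    switch (cmd) {       /* the existing filter: only known commands pass */
    case DEMO_IOC_SMALL:
    case DEMO_IOC_GROWN: /* simulated later change that widens the switch */
        break;
    default:
        return -ENOTTY;
    }
    /* Run-time guard: holds no matter what the switch lets through. */
    if (size > sizeof(data))
        return -EINVAL;
    if (demo_copy_from_user(data, arg, size))
        return -EFAULT;
    return 0;
}

/* Callers for the three cases, using constructed arguments. */
long demo_call_small(void) { struct demo_small a = { 1 }; return demo_ioctl(DEMO_IOC_SMALL, &a); }
long demo_call_grown(void) { static struct demo_grown a; return demo_ioctl(DEMO_IOC_GROWN, &a); }
long demo_call_unknown(void) { return demo_ioctl(DEMO_IOC(1, 0xA4, 9, 8), "12345678"); }
```

Without the run-time guard, the `DEMO_IOC_GROWN` call would copy 4104 bytes into the 256-byte stack buffer.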

sgx_ioc_enclave_add_page is interrupted and returns -EINVAL

About 0.1% of the time, we get an add page failure while loading our 15MiB enclave.
Instrumenting the driver, I found that sgx_page_alloc(0) fails here: https://github.com/01org/linux-sgx-driver/blob/master/sgx_ioctl.c#L413
Digging further, I found that this is due to signal_pending sending back ERR_PTR(-ERESTARTSYS). Could this be a bug in the driver, since it's returned as -EINVAL at https://github.com/01org/linux-sgx-driver/blob/master/sgx_ioctl.c#L700 ?

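Unable to download the SGX SDK for Windows

Intel's official website no longer even supports downloading the SGX SDK for Windows; I could still download it last October. Do you have a good workaround? Also, I have a previously downloaded copy of the SDK on my computer, but when I click to install it, the installer closes immediately, whereas on my other computer it installs successfully. I wonder if you have any good suggestions.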

ioctl returns ENOENT on final enclave initialisation

Opening this issue here because I think it could possibly be an issue with this driver rather than the aesmd daemon. (Relevant issue for that is here: intel/linux-sgx#671)

Through strace I can see all the operations happening successfully. The enclave is created, pages are loaded, it is only at INIT (ioctl operation 0x2) when the driver reports that the enclave does not exist. sgx_encl_find in the driver is what is actually returning ENOENT.

Logs from both the aesmd service and strace are attached. There are no relevant lines in dmesg. I can reproduce the issue on both my systems with Intel CPUs. Interestingly, on the system I have that supports FLC (so I can use the DCAP driver), that DOES work.

journalctl.log
trace.log

About the driver's stability through reboots

Hi.

I use the SGX drivers on many Intel NUCs, some of them commute with me and thus have to be shut down/restarted.

I noticed that I often lose /dev/isgx upon restart.

Right now I solve this using Scone's one-liner (which is basically a wrapper for what's inside this repo's README):

curl -fssl https://raw.githubusercontent.com/SconeDocs/SH/master/install_sgx_driver.sh | bash

But this is clearly not a long-term solution.

So my question is the following: is the SGX driver made to persist across reboots or are these symptoms normal?

My setup:

OS: Ubuntu 20.04.3 LTS x86_64
Host: NUC7i7BNH J31153-311 
Kernel: 5.4.0-88-generic 
CPU: Intel i7-7567U (4) @ 4.000GHz 

SGX driver version: master branch from this repo.

Exec format error when adding isgx module to updated Linux kernel 4.4.0-92

When trying to insert the isgx module into the Linux kernel 4.4.0-92 the following error message is shown

$ sudo /sbin/modprobe -v isgx
insmod /lib/modules/4.4.0-92-generic/kernel/drivers/intel/sgx/isgx.ko 
modprobe: ERROR: could not insert 'isgx': Exec format error

I am using Ubuntu 16.04 LTS 64-bit on an Intel Core i5-6440HQ CPU and updated to kernel version 4.4.0-92 (from the Ubuntu repositories) a few days ago. When booting into the kernel version 4.4.0-79, the module is inserted from /etc/modules and usable without any problems.

Ubuntu installation problem

sudo apt-get install linux-headers-$(uname -r) part does not work for me. I am using WSL Ubuntu 18.04, it was a fresh installation.

Error:
E: Unable to locate package linux-headers-4.4.0-19041-Microsoft
E: Couldn't find any package by glob 'linux-headers-4.4.0-19041-Microsoft'
E: Couldn't find any package by regex 'linux-headers-4.4.0-19041-Microsoft'

Modprobe fail when using fedora/atomic host

I've been trying to run the build in a Fedora virtual machine hosted by Ubuntu and met the following error:

modprobe: ERROR: could not insert 'isgx': Exec format error

My guess was that there was an error while cross-compiling, then found this issue. Is this the right place? Can anyone assist me?

This was mentioned in intel/linux-sgx#36.

AESM Service can't access from China

I don't know where I can report the AESM Service's problem, but this is an emergency and embarrassing.

<ps.sgx.trustedservices.intel.com> can't be accessed from China now; I believe it affects all SGX apps.


Not able to run SampleEnclave because of SGX module seems to be disabled in BIOS while my BIOS tells it is enabled

I have installed SGX SDK version 2.8, SGX PSW and SGX driver version 2.6, downloaded from this site, and installed them using this guide. When I run the SampleEnclave project I am able to build it, but when I execute

./app

I got the following error:

Info: Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards.
Error: Invalid SGX device.
Enter a character before exit ...

And that is super strange, since I have checked the BIOS several times and SGX is enabled. I do not know what is going wrong. Any suggestions?

It's not possible to get more than one page fault on a single page on an EDMM system

On an SGX2/EDMM system, it appears that it's not possible to get
SIGSEGV/SIGBUS signals for multiple faults on the same enclave page,
unless you do an EACCEPT on the page and then remove the page from
the enclave. When the first page fault happens, my application
gets a SIGSEGV, which I can forward to the enclave and handle
inside of the enclave. Subsequent faults to the same page
inside the enclave seem to be swallowed by the kernel, and I don't
get a SIGSEGV delivered.

My application wants to repeatedly fault on this page. It never
wants to add a mapping. This works exactly as I expect on
a non-EDMM system. Repeated accesses to the unmapped page result
in a user-level SIGSEGV (or SIGBUS) for each access. These
faults can be handled by my program.

If I EACCEPT the page and then remove the page from the enclave
(via ioctl(SGX_IOC_ENCLAVE_TRIM)), then I can get one more
page fault on the address, but I have to do the EACCEPT/ioctl
every time I get a page fault. This is both slow and has incorrect
semantics. The page will be briefly accessible, which I don't want.
I could have multiple threads intentionally faulting on the same
address simultaneously. One thread might not fault while the page
is briefly mapped in the address space.

I don't see a way to indicate to the driver that I don't want this
page to be populated on fault. Maybe I'm missing something. For our
purposes, some page faults should result in pages being added to
the enclave, but some should not. Only the enclave knows which faults
are one type or the other. It would be better for us if we had
a way to turn off automatic page provisioning and only add pages
to the enclave when the driver has been specifically requested to,
presumably through an mmap or ioctl call.

Alternatively, is there some way I can reject the page from being
added to the enclave? I tried just calling ioctl(SGX_IOC_ENCLAVE_TRIM)
on the page, but this seems to fail unless I've done an EACCEPT()
on the page first.

build error: code model kernel does not support PIC mode

make -C /lib/modules/4.15.0-29-generic/build SUBDIRS=/home/sgx/linux-sgx-driver modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-29-generic'
CC [M] /home/sgx/linux-sgx-driver/sgx_main.o
cc1: error: code model kernel does not support PIC mode
scripts/Makefile.build:332: recipe for target '/home/sgx/linux-sgx-driver/sgx_main.o' failed
make[2]: *** [/home/sgx/linux-sgx-driver/sgx_main.o] Error 1
Makefile:1552: recipe for target 'module/home/sgx/linux-sgx-driver' failed
make[1]: *** [module/home/sgx/linux-sgx-driver] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-29-generic'
Makefile:15: recipe for target 'default' failed
make: *** [default] Error 2


gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

Hi question about sgx setting

Hi, I have a problem installing the isgx module.

My host machine spec is
cpu : i7-6700 , mainboard : X11SSZ-QF (supporting SGX)
And I try to run sgx application through ubuntu 16.06 LTS with virtualbox.

I entered the commands for installing the SGX driver isgx,
but the output of the modprobe command is the following:

[image: 2017-04-30 9 26 38]

And the output of dmesg after that command is:
[image: 2017-04-30 9 28 26]

I found the reason for that situation: boot_cpu_has(X86_FEATURE_SGX) returns false.

I do not know why that function does not return well :(
I already set the SGX BIOS setting to enabled.

Calling enclave_alloc error

When I try to call enclave_alloc by calling dl_open on libsgx_enclave_common.so.1, I get this error.

[error_driver2api sgx_enclave_common.cpp:266] Enclave not authorized to run, .e.g. provisioning enclave hosted in app without access rights to /dev/sgx_provision. You need add the user id to group sgx_prv or run the app as root.

How would I fix this?

/dev/isgx does not get installed

With SGX enabled in the BIOS, but without support for FLC (Flexible Launch Control), I am trying to install the driver (for linux-sgx 2.14) on Ubuntu 20.04, with linux kernel 5.15, and the installation hangs after the lines:

Skipping BTF generation for /opt/intel/sgxdriver/package/isgx.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-5.15-051500-generic'

If I interrupt the installation then the /opt/intel/sgxdriver is removed.

While the installation is hanging, the content of /opt/intel/sgxdriver is:

$ tree /opt/intel/sgxdriver/
/opt/intel/sgxdriver/
├── package
│   ├── isgx.ko
│   ├── isgx.mod
│   ├── isgx.mod.c
│   ├── isgx.mod.o
│   ├── isgx.o
│   ├── Makefile
│   ├── modules.order
│   ├── Module.symvers
│   ├── sgx_arch.h
│   ├── sgx_asm.h
│   ├── sgx_encl2.c
│   ├── sgx_encl2.o
│   ├── sgx_encl.c
│   ├── sgx_encl.o
│   ├── sgx.h
│   ├── sgx_ioctl.c
│   ├── sgx_ioctl.o
│   ├── sgx_main.c
│   ├── sgx_main.o
│   ├── sgx_page_cache.c
│   ├── sgx_page_cache.o
│   ├── sgx_user.h
│   ├── sgx_util.c
│   ├── sgx_util.o
│   ├── sgx_vma.c
│   └── sgx_vma.o
└── scripts
    ├── installConfig
    └── install.sh

2 directories, 28 files

Here's the complete output:

$ sudo ./sgx_linux_x64_driver_2.11.0_2d2b795.bin 
Unpacking Intel SGX Driver ... done.
Verifying the integrity of the install package ... done.
Installing Intel SGX Driver ...
/tmp/sgx-driver-rQ6iEY /home/sylvain/Downloads
install -d /opt/intel/sgxdriver/package
install -d /opt/intel/sgxdriver/scripts
install package/* /opt/intel/sgxdriver/package
install scripts/* /opt/intel/sgxdriver/scripts
/home/sylvain/Downloads
/opt/intel/sgxdriver/package /home/sylvain/Downloads
make -C /lib/modules/5.15-051500-generic/build M=/opt/intel/sgxdriver/package modules
make[1]: Entering directory '/usr/src/linux-headers-5.15-051500-generic'
  CC [M]  /opt/intel/sgxdriver/package/sgx_main.o
  CC [M]  /opt/intel/sgxdriver/package/sgx_page_cache.o
  CC [M]  /opt/intel/sgxdriver/package/sgx_ioctl.o
  CC [M]  /opt/intel/sgxdriver/package/sgx_vma.o
  CC [M]  /opt/intel/sgxdriver/package/sgx_util.o
  CC [M]  /opt/intel/sgxdriver/package/sgx_encl.o
  CC [M]  /opt/intel/sgxdriver/package/sgx_encl2.o
  LD [M]  /opt/intel/sgxdriver/package/isgx.o
  MODPOST /opt/intel/sgxdriver/package/Module.symvers
  CC [M]  /opt/intel/sgxdriver/package/isgx.mod.o
  LD [M]  /opt/intel/sgxdriver/package/isgx.ko
  BTF [M] /opt/intel/sgxdriver/package/isgx.ko
Skipping BTF generation for /opt/intel/sgxdriver/package/isgx.ko due to unavailability of vmlinux
make[1]: Leaving directory '/usr/src/linux-headers-5.15-051500-generic'

# hanging here

Or, alternatively, the installation completes, but the isgx device does not appear under /dev/isgx.

Strange code in validate_secs.

https://github.com/01org/linux-sgx-driver/blob/master/isgx_ioctl.c#L235

if ((secs->xfrm & BIT(3)) != (secs->xfrm & BIT(4)))
    return -EINVAL;

Only if BIT(3) and BIT(4) are both 0 at the same time, this expression is TRUE. If any one bit of BIT 3 and BIT 4 is 1, validate_secs will return -EINVAL.

I guess the real purpose is bit 3 and bit 4 must have the same value, both 0 or both 1?

It should look like this:

if (((secs->xfrm >> 3) & 1) != ((secs->xfrm >> 4) & 1))
    return -EINVAL;
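Both expressions from this issue, run over all four combinations of XFRM bits 3 and 4, as an added example that is not the driver's code. `DEMO_BIT`, the function names and the base value `0x3` for the remaining bits are assumptions.

```c
#include <errno.h>
#include <stdint.h>

#define DEMO_BIT(n) (1ULL << (n)) /* local stand-in for the kernel's BIT() */

/* The check as quoted in the issue: compares masked values 0/8 with 0/16. */
static int check_as_quoted(uint64_t xfrm)
{
    if ((xfrm & DEMO_BIT(3)) != (xfrm & DEMO_BIT(4)))
        return -EINVAL;
    return 0;
}

/* The check as proposed in the issue: compares the two bits as 0/1 values. */
static int check_as_proposed(uint64_t xfrm)
{
    if (((xfrm >> 3) & 1) != ((xfrm >> 4) & 1))
        return -EINVAL;
    return 0;
}

/* Returns a 4-bit map: bit i is set when `check` accepts the XFRM value
 * whose bits 4:3 equal i (i = 0..3), all other bits taken from `base`. */
unsigned accepted_map(int (*check)(uint64_t), uint64_t base)
{
    unsigned map = 0;

    for (unsigned i = 0; i < 4; i++) {
        uint64_t xfrm = (base & ~(DEMO_BIT(3) | DEMO_BIT(4))) |
                        ((uint64_t)i << 3);
        if (check(xfrm) == 0)
            map |= 1u << i;
    }
    return map;
}

unsigned quoted_map(void)   { return accepted_map(check_as_quoted, 0x3); }
unsigned proposed_map(void) { return accepted_map(check_as_proposed, 0x3); }
```

The quoted form accepts only the case where both bits are clear (map `0x1`), while the proposed form also accepts both bits set (map `0x9`).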
