Page MenuHomePureOS Tracker
Create Task
Maniphest T312

Enable Intel SGX or not
Open, WishlistPublic
Actions

Description

Someone asked me if intel SGX can be enabled for the Librem, and after looking into it, I was able to enable support for it. Now the question becomes : should it be enabled for everyone by default or not ?
Are there any pros and cons to enabling it ? I think it needs to reserve some RAM (I set it to reserve 128MB) so that might be a con, but any other cons? what are the pros ?

If we don't want it enabled by default, then what solution should we use for when a user needs/wants it enabled? Option at build time ?

Event Timeline

kakaroto added a comment.Jan 29 2018, 12:21

Oh yeah, here's the changes needed to enable SGX (over commit id 65d2754e1aaa4e90059b65fac3c00d847e2e465f) :

diff --git
a/src/mainboard/purism/librem_skl/variants/librem13v2/devicetree.cb
b/src/mainboard/purism/librem_skl/variants/librem13v2/devicetree.cb
index 1fc19a5675..cfbb0e7709 100644
--- a/src/mainboard/purism/librem_skl/variants/librem13v2/devicetree.cb
+++ b/src/mainboard/purism/librem_skl/variants/librem13v2/devicetree.cb
@@ -7,6 +7,10 @@ chip soc/intel/skylake
        register "deep_s5_enable_dc" = "0"
        register "deep_sx_config" = "DSX_EN_LAN_WAKE_PIN"

+       register "sgx_enable" = "1"
+       register "PrmrrSize" = "128 * MiB"
+
+
        # GPE configuration
        # Note that GPE events called out in ASL code rely on this
        # route. i.e. If this route changes then the affected GPE

diff --git a/src/soc/intel/skylake/romstage/romstage_fsp20.c
b/src/soc/intel/skylake/romstage/romstage_fsp20.c
index d6ec41f257..e070e3247e 100644
--- a/src/soc/intel/skylake/romstage/romstage_fsp20.c
+++ b/src/soc/intel/skylake/romstage/romstage_fsp20.c
@@ -202,6 +202,7 @@ static void soc_memory_init_params(FSP_M_CONFIG
*m_cfg,
        m_cfg->DdrFreqLimit = config->DdrFreqLimit;
        m_cfg->VmxEnable = config->VmxEnable;
        m_cfg->PrmrrSize = config->PrmrrSize;
+       m_cfg->EnableSgx = config->sgx_enable;
        for (i = 0; i < ARRAY_SIZE(config->PcieRpEnable); i++) {
                if (config->PcieRpEnable[i])
                        mask |= (1<<i);
kakaroto added a comment.EditedFeb 24 2018, 18:11

From customer email :

Intel SGX is a technology that provides protection of predefined secrets even in a case of system compromise by creating SGX enclaves. I currently need to run several projects that makes use of SGX on the librem and that's why I need it enabled.

From IRC :

<yummy> KaKaRoTo: on https://tracker.pureos.net/T312, it's unlikely you'd want to enable it for now, considering it's using the ME https://github.com/corna/me_cleaner/issues/100
<yummy> Qubes also had some thoughts on it https://blog.invisiblethings.org/2013/08/30/thoughts-on-intels-upcoming-software.html which went nowhere

Also worth noting an issue in coreboot with enabling SGX. I've filed the bug here : https://ticket.coreboot.org/issues/158

hansolo added a subscriber: hansolo.Dec 29 2018, 12:31
jonas.smedegaard triaged this task as Wishlist priority.May 27 2021, 07:22