Enable Intel SGX or not
Open, Needs Triage, Public


Someone asked me if Intel SGX can be enabled for the Librem, and after looking into it, I was able to enable support for it. Now the question becomes: should it be enabled for everyone by default or not?
Are there any pros and cons to enabling it? I think it needs to reserve some RAM (I set it to reserve 128MB) so that might be a con, but any other cons? What are the pros?

If we don't want it enabled by default, then what solution should we use for when a user needs/wants it enabled? Option at build time?

kakaroto created this task. Jan 29 2018, 8:17 PM

Oh yeah, here are the changes needed to enable SGX (over commit id 65d2754e1aaa4e90059b65fac3c00d847e2e465f):

diff --git
index 1fc19a5675..cfbb0e7709 100644
--- a/src/mainboard/purism/librem_skl/variants/librem13v2/devicetree.cb
+++ b/src/mainboard/purism/librem_skl/variants/librem13v2/devicetree.cb
@@ -7,6 +7,10 @@ chip soc/intel/skylake
        register "deep_s5_enable_dc" = "0"
        register "deep_sx_config" = "DSX_EN_LAN_WAKE_PIN"

+       register "sgx_enable" = "1"
+       register "PrmrrSize" = "128 * MiB"
        # GPE configuration
        # Note that GPE events called out in ASL code rely on this
        # route. i.e. If this route changes then the affected GPE
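Review bot: Enabling SGX and reserving a 128 MiB PRMRR in the board's devicetree turns the feature on for every build of this variant, which is exactly the default-on question the task leaves open; if the decision is not to ship it enabled, these two registers should be driven by a build-time option rather than hard-coded here. As a style point, the original file separates `deep_sx_config` from the `# GPE configuration` comment with a blank line, but the new `sgx_enable` / `PrmrrSize` registers are inserted directly against that comment block; keep a blank line after `register "PrmrrSize" = "128 * MiB"` so the GPE comment stays visually attached to the GPE registers it describes.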

diff --git a/src/soc/intel/skylake/romstage/romstage_fsp20.c
index d6ec41f257..e070e3247e 100644
--- a/src/soc/intel/skylake/romstage/romstage_fsp20.c
+++ b/src/soc/intel/skylake/romstage/romstage_fsp20.c
@@ -202,6 +202,7 @@ static void soc_memory_init_params(FSP_M_CONFIG
        m_cfg->DdrFreqLimit = config->DdrFreqLimit;
        m_cfg->VmxEnable = config->VmxEnable;
        m_cfg->PrmrrSize = config->PrmrrSize;
+       m_cfg->EnableSgx = config->sgx_enable;
        for (i = 0; i < ARRAY_SIZE(config->PcieRpEnable); i++) {
                if (config->PcieRpEnable[i])
                        mask |= (1<<i);
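Review bot: The assignment `m_cfg->EnableSgx = config->sgx_enable;` reads a chip-config field that this patch never declares; the corresponding addition to the SoC's `chip.h` is missing from the diff as posted, so the change is incomplete on its own. Naming is also inconsistent with the neighbouring lines, which mirror the FSP UPD names (`VmxEnable`, `PrmrrSize`); the new field would be clearer as `EnableSgx` or at least documented as mapping to the `EnableSgx` UPD. Finally, only the FSP 2.0 romstage path is touched here; if this SoC is also built against the other romstage path, that path needs the same assignment or SGX will silently stay off there.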
kakaroto added a comment. Edited Feb 25 2018, 2:11 AM

From customer email:

Intel SGX is a technology that provides protection of predefined secrets even in the case of system compromise by creating SGX enclaves. I currently need to run several projects that make use of SGX on the Librem, and that's why I need it enabled.

From IRC:

<yummy> KaKaRoTo: on https://tracker.pureos.net/T312, it's unlikely you'd want to enable it for now, considering it's using the ME https://github.com/corna/me_cleaner/issues/100
<yummy> Qubes also had some thoughts on it https://blog.invisiblethings.org/2013/08/30/thoughts-on-intels-upcoming-software.html which went nowhere

Also worth noting an issue in coreboot with enabling SGX. I've filed the bug here: https://ticket.coreboot.org/issues/158
