Unable to find sgx_envlave in /dev

[anjalirai-intel]

I have a ubuntu system version "21.10 (Impish Indri)". The machine supports SGX hardware and sgx is enabled from the bios and i am testing inkernel driver. My kernel version is 5.13

This is the output of ls /dev | grep sgx

sgx_provision
sgx_vepc

This is the output of intel@intel-HP-EliteBook-840-G5:~/linux_sgx$ cpuid | grep -i sgx

  SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):
       SGX: Software Guard Extensions supported = true
       SGX_LC: SGX launch config supported      = false
    Software Guard Extensions (SGX) capability (0x12/0):
       SGX1 supported                         = true
       SGX2 supported                         = false
       SGX ENCLV E*VIRTCHILD, ESETCONTEXT     = false
       SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
    SGX attributes (0x12/1):

and then i referred one of the link related to the IntelSGX from intel community to try this repo
https://github.com/ayeks/SGX-hardware.git

intel@intel-HP-EliteBook-840-G5:~/linux_sgx/SGX-hardware$ ./test-sgx
eax: 806ea ebx: 5100800 ecx: 7ffafbff edx: bfebfbff
stepping 10
model 14
family 6
processor type 0
extended model 8
extended family 0
smx: 1

Extended feature bits (EAX=07H, ECX=0H)
eax: 0 ebx: 29c6fbf ecx: 0 edx: 9c002e00
sgx available: 1
sgx launch control: 0

CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 1 ebx: 0 ecx: 0 edx: 241f
sgx 1 supported: 1
sgx 2 supported: 0
MaxEnclaveSize_Not64: 1f
MaxEnclaveSize_64: 24

CPUID Leaf 12H, Sub-Leaf 1 of Intel SGX Capabilities (EAX=12H,ECX=1)
eax: 36 ebx: 0 ecx: 1f edx: 0

CPUID Leaf 12H, Sub-Leaf 2 of Intel SGX Capabilities (EAX=12H,ECX=2)
eax: a0200001 ebx: 0 ecx: 5d80001 edx: 0
size of EPC section in Processor Reserved Memory, 93 M

CPUID Leaf 12H, Sub-Leaf 3 of Intel SGX Capabilities (EAX=12H,ECX=3)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

CPUID Leaf 12H, Sub-Leaf 4 of Intel SGX Capabilities (EAX=12H,ECX=4)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

CPUID Leaf 12H, Sub-Leaf 5 of Intel SGX Capabilities (EAX=12H,ECX=5)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

CPUID Leaf 12H, Sub-Leaf 6 of Intel SGX Capabilities (EAX=12H,ECX=6)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

CPUID Leaf 12H, Sub-Leaf 7 of Intel SGX Capabilities (EAX=12H,ECX=7)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

CPUID Leaf 12H, Sub-Leaf 8 of Intel SGX Capabilities (EAX=12H,ECX=8)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

CPUID Leaf 12H, Sub-Leaf 9 of Intel SGX Capabilities (EAX=12H,ECX=9)
eax: 0 ebx: 0 ecx: 0 edx: 0
size of EPC section in Processor Reserved Memory, 0 M

Everything seems to be fine, but i still don't see sgx_enclave inside /dev folder

Please help me setup inkernel sgx driver for my machine

[anjalirai-intel]

any comments or updates or anything to verify

[johnvenn]

looks like your system doesn't support SGX flexible launch control

SGX_LC: SGX launch config supported = false

SGX in-kernel driver requires hardware support SGX flexible launch control.

[anjalirai-intel]

What does it mean? And how it can be resolved

[johnvenn]

The feature SGX_LC is required by sgx in-kernel driver to initiate sgx driver modules, otherwise the initialization of sgx driver will be failed. You can run "dmesg | grep "sgx" " to check more details.

SGX_LC is a CPU feature that enables LE hash MSRs to be writable when running native enclaves. You need to find a hardware that supports this feature to do the in-kernel driver test.

[anjalirai-intel]

Output of dmesg | grep "sgx"
[ 0.585754] sgx: EPC section 0xa0200000-0xa5f7ffff

[johnvenn]

well, the sgx driver in linux kernel doesn't provide msg on this error in dmesg. But if SGX_LC feature is not supported, the driver init will quit. So you must have a hardware that also supports SGX_LC to do the in-kernel test.

[johnvenn]

int __init sgx_drv_init(void)
{
unsigned int eax, ebx, ecx, edx;
u64 attr_mask;
u64 xfrm_mask;
int ret;

    if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
            return -ENODEV;

[drasko]

@johnvenn I have found this thread beacuse I have a similar issue: on my Dell XPS15 machine with Debian Testing and kernel 5.18 I am getting:

drasko@Mando:~$ cpuid -1 | grep -i sgx
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
   Software Guard Extensions (SGX) capability (0x12/0):
      SGX1 supported                           = true
      SGX2 supported                           = false
      SGX ENCLV E*VIRTCHILD, ESETCONTEXT       = false
      SGX ENCLS ETRACKC, ERDINFO, ELDBC, ELDUC = false
   SGX attributes: ECREATE SECS.ATTRIBUTES (0x12/1):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x2):
   SGX Enclave Page Cache (EPC) enumeration (0x12/0x3):

and:

drasko@Mando:~$ ls /dev/sgx*
ls: cannot access '/dev/sgx*': No such file or directory

Nodes /dev/sgx_enclave and /dev/sgx_provision are not created, although SGX support is built into the kernel:

drasko@Mando:~$ cat /boot/config-$(uname -r) | grep -i sgx
CONFIG_X86_SGX=y
# CONFIG_X86_SGX_KVM is not set

dmesg is not showing any errors:

drasko@Mando:~$ sudo dmesg | grep -i sgx
[    0.295910] sgx: EPC section 0x70200000-0x75f7ffff
[    0.296217] WARNING: CPU: 0 PID: 83 at arch/x86/kernel/cpu/sgx/main.c:446 ksgxd+0x1b3/0x1c0
[    0.296225] CPU: 0 PID: 83 Comm: ksgxd Not tainted 5.18.0-2-amd64 #1  Debian 5.18.5-1
[    0.296229] RIP: 0010:ksgxd+0x1b3/0x1c0

Why are nodes /dev/sgx_enclave and /dev/sgx_provision missing? Is this because on my CPU (Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz) SGX_LC is unavailable (although it looks like the kernel driver portion was well executed and without errors)?

If yes, should I install DCAP driver manually from here in order to work with SGX, or what is the best way to proceed?

[drasko]

Hmmm... looking at here, I would say that I can't install DCAP driver on my PC, but I must opt for the regular SGX Linux driver (the one that creates /dev/isgx.

[andyzyb]

SGX_LC: SGX launch config supported = false

As it doesn't support launch control, DCAP driver cannot be used.

[nefigtut]

JFYI: i've posted a kernel patch so a kernel notifies a user about this condition in dmesg explicitly.
it has been merged into the linux mainline:

https://lore.kernel.org/linux-sgx/20250309172215.21777-2-vdronov@redhat.com/T/#u
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=65be5c95d08eedda570a6c888a12384c77fe7614