Setting up an SGX development environment
I have been using RedHat based distros, namely Fedora and CentOS. This is a fast how-to on the installation of an SGX development environment in F29 as it took me some iterations to get everything properly set up.
- Install Driver
- Setup PSW Dependencies
- Install icls Client
- Install DAL/JHI
- Install PSW
- Install SDK
- Send certificate to (IA) Intel Attestation Service.
1. Install Driver (Kernel 4.20 - 5.0.5)
The releases page of Intel SGX at the time of writing points to Release 2.4 as the latest with explicit support for Fedora 27.
Starting with Kernel 4.20, vm_insert_pfn transitions to vmf_insert_pfn, breaking backward compatibility. These changes did not make it into Intel SGX 2.4, therefore we must compile from source starting from this commit.
The instructions that follow are mostly copied from the GitHub page. Just make sure you are running the latest kernel or a fixed kernel if you want to avoid bad surprises:
To check if matching kernel headers are installed:
$ ls /usr/src/kernels/$(uname -r)
To install matching headers:
$ sudo dnf install kernel-devel
After the above command, if the matching headers are still missing in /usr/src/kernels, try updating the kernel and rebooting using the commands below. Then choose the updated kernel in the boot menu.
$ sudo dnf install kernel
$ sudo reboot
To build the driver, all you need is:
$ git clone https://github.com/intel/linux-sgx-driver.git
$ cd linux-sgx-driver
$ make
After that it can be installed through
$ sudo make install if you don’t mind using
$ sudo mkdir -p "/lib/modules/$(uname -r)/kernel/drivers/intel/sgx"
$ sudo cp isgx.ko "/lib/modules/$(uname -r)/kernel/drivers/intel/sgx"
$ sudo /sbin/depmod
$ sudo /sbin/modprobe isgx
/etc/modules-load.d/sgx.conf with the following contents:
This will allow the system (using systemd) to automatically load the driver at boot.
2. Install Platform Software (PSW) optional dependencies
To have everything working without errors or warnings, 2 extra pieces of software must be installed: the icls client and the DAL/JHI for Intel ME support.
The icls links have been taken down from the download page and there are notes of contacting firstname.lastname@example.org for a download link here but it’s been more than a week without reply from that email address, therefore here it is, extracted from an older guide.
$ sudo dnf install iclsClient-1.45.449.12-1.x86_64.rpm
should do the trick.
$ sudo dnf install libuuid-devel libxml2-devel cmake pkgconfig systemd-devel
$ git clone https://github.com/intel/dynamic-application-loader-host-interface.git
$ cd dynamic-application-loader-host-interface
$ cmake .
$ make
$ sudo make install
$ sudo ldconfig
$ sudo systemctl enable --now jhi
$ sudo systemctl status jhi.service
Should report the service as active with everything working.
3. Install PSW and Software Development Kit (SDK)
$ sudo dnf install openssl-devel libcurl-devel protobuf-devel
$ sudo dnf groupinstall 'C Development Tools and Libraries'
$ git clone https://github.com/intel/linux-sgx.git
$ cd linux-sgx
$ ./download_prebuilt.sh
$ make sdk_install_pkg psw_install_pkg
This will create the installers in linux/installer/bin/. After this, just install the PSW and the SDK.
$ sudo ./linux/installer/bin/sgx_linux_x64_psw_*.bin
$ sudo ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
When asked to install the SDK in the current location, answer no and specify /opt/intel so the SDK gets installed to the same location as the PSW.
Check the aesmd service is working:
$ sudo systemctl status aesmd
If you’re behind a corporate proxy, make sure to define it in /etc/aesmd.conf and restart the service.
$ source /opt/intel/sgxsdk/environment
$ sudo ln -s /opt/intel/sgxsdk/environment /etc/profile.d/sgx.sh
The first command will source the environment variables for your current session and the second one will set up the environment variables on login.
This should cover the basic setup in order to start compiling and testing SGX software.
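A quick way to confirm that each step above left the expected state behind, as an added example that is not part of the original guide or of Intel's tooling. The function names and the ROOT and KREL variables are assumptions of this example; the paths, module name and service names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: checks the state each step of this guide should leave behind.
# ROOT and KREL are assumptions of this example: ROOT is a path prefix so the
# checks can be pointed at a staged directory tree, KREL the kernel release.
ROOT="${ROOT:-}"
KREL="${KREL:-$(uname -r)}"

# Step 1: matching kernel headers, driver file in place, module loaded.
have_headers()   { [ -d "$ROOT/usr/src/kernels/$KREL" ]; }
have_module()    { [ -f "$ROOT/lib/modules/$KREL/kernel/drivers/intel/sgx/isgx.ko" ]; }
module_loaded()  { grep -qs '^isgx ' "$ROOT/proc/modules"; }
# systemd's modules-load.d files list one module name per line.
autoload_set()   { grep -Eqs '^[[:space:]]*isgx[[:space:]]*$' "$ROOT"/etc/modules-load.d/*.conf; }
# Step 3: SDK environment file present and linked for login shells.
sdk_env_linked() {
    [ -f "$ROOT/opt/intel/sgxsdk/environment" ] &&
        [ "$(readlink "$ROOT/etc/profile.d/sgx.sh")" = "/opt/intel/sgxsdk/environment" ]
}
# Steps 2 and 3: jhi and aesmd services running.
service_active() { systemctl is-active --quiet "$1" 2>/dev/null; }

# Runs every check, prints one line per check, returns the number of failures.
sgx_report() {
    failed=0
    for check in have_headers have_module module_loaded autoload_set \
                 sdk_env_linked "service_active jhi" "service_active aesmd"; do
        if $check; then
            echo "ok       $check"
        else
            echo "MISSING  $check"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

sgx_report || echo "$? check(s) failed"
```

A MISSING line for have_headers or have_module after a kernel update means the driver has to be rebuilt against the new kernel.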