Which SGX setting to choose in BIOS


  1. Posts : 27,165
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #1

    Which SGX setting to choose in BIOS


    I had noticed that even though I had Software Guard Extensions (SGX) set to "Software Controlled" in BIOS, it wasn't showing up in Device Manager.
    Then it came to me that on my last system build (an MSI mainboard with a 6700K), MSI had included the driver in the download support for the board, and also through their MSI driver & software updater.
    ASUS though doesn't offer it.
    I suppose this is because my ASUS board is a Gaming board and my MSI was a Professional (workstation) board, and ASUS thinks that gamers have no use for this security option.

    Tip
    I was able to download the driver, though, through the Microsoft Update Catalog:
    Select:
    Intel Corporation - SoftwareComponent - 12/22/2017 12:00:00 AM - 1.9.101.41172
    Last Modified: 12/22/2017
    Size: 22.5 MB

    Use something like 7 Zip and extract all files from the .cab folder, then double click the installer.



    Information

    Note
    SGX is only available for Intel CPUs from 7th gen Core (Kaby Lake) and above.

    What is SGX:
    Intel® Software Guard Extensions (Intel® SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification. Intel® SGX makes such protections possible through the use of enclaves. Enclaves are protected areas of execution. Application code can be put into an enclave via special instructions and software made available to developers via the Intel® SGX SDK.
    Intel® Software Guard Extensions SDK | Intel® Software


    Why the Software Controlled setting is better than Enabled in BIOS for consumers, as opposed to business:
    BIOS Support

    BIOS support is required for Intel SGX to provide the capability to enable and configure the Intel SGX feature in the system.
    The system owner must opt in to Intel SGX by enabling it via the BIOS. This requires a BIOS from the OEM that explicitly supports Intel SGX. The support provided by the BIOS can vary OEM to OEM and even across an OEM’s product lines.
    There are three possible BIOS settings.

    • Enabled
      Intel Software Guard Extensions (Intel® SGX) is enabled and available for use in applications.
    • Software Controlled
      Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”). Enabling Intel SGX via software opt-in may require a system reboot.
    • Disabled
      Intel SGX is explicitly disabled and it cannot be enabled through software applications. This setting can only be changed in the BIOS setup screen.

    Note: Your BIOS may only have the Enabled and Disabled options, or it may not have these options if it only supports the Software Controlled option (or if it doesn’t support Intel SGX at all). Check with your device manufacturer to determine whether or not Intel SGX is supported on your system.
    When Intel SGX is set to Enabled in the BIOS, Intel SGX has been enabled, and Intel SGX instructions and resources are available to applications.
    When Intel SGX is set to Software Controlled, Intel SGX is initially disabled until it is enabled via a software application.


    What is the point of the Software Controlled state?

    (When set to Enabled in BIOS) Intel SGX reserves up to 128 MB of system RAM as Processor Reserved Memory (PRM), which is used to hold the Enclave Page Cache (EPC). While its exact size is determined by the BIOS settings, it is important to note that enabling Intel SGX consumes a portion of the system’s resources, effectively making them unavailable to other applications.

    (When set to Software Controlled in BIOS) The Software Controlled setting in the BIOS allows OEMs to ship systems with support for Intel SGX in a ready state, where it can be activated via software (this is the software opt-in). This is a compromise between having Intel SGX fully enabled by default, potentially consuming system resources even when no Intel SGX software is present on the system, and having it turned off completely. Allowing the activation to occur via software eliminates the need for end users to boot their systems into their BIOS setup screens and manually enable Intel SGX via that interface, a potentially daunting task for nontechnical users.

    Software enabling is a one-way operation: Intel SGX cannot be disabled via software. The only ways to disable Intel SGX once it has been enabled are to do so via the BIOS:

    • Explicitly set Intel SGX to Disabled if the BIOS provides this option.
    Or:
    • Flash a new BIOS image to the device, which resets Intel SGX support in the BIOS to the default state (either Disabled or Software Controlled, depending on the BIOS provider).


    Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications | Intel® Software



    What does SGX do:
    Application code executing within an Intel SGX enclave:

    • Benefits from new Intel SGX instructions introduced with 7th Generation Intel® Core™ processor platforms and Intel® Xeon® processor E3 v5 for data center servers.
    • Relies on a driver from Intel or the operating system for access to Intel SGX instructions and resource management
    • Executes within the context of its parent application, thereby benefiting from the full power of the Intel® processor
    • Reduces the trusted computing base of its parent application to the smallest possible footprint
    • Remains protected even when the BIOS, VMM, operating system, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
    • Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
    • Uses hardware-based mechanisms to respond to remote attestation challenges that validate its integrity
    • Works in concert with other enclaves owned or trusted by the parent application
    • Can be developed using standard development tools, thereby reducing the learning curve impact on application developers
    • Supports initial data center use (such as protected transport layer security (TLS) keystore management) as well as proof of concept and development work for future data center platforms and solutions. This includes encrypted database operations, trusted big data computing, network functions virtualization (NFV), and secure monitoring, blockchain, and other important data center security uses that leverage added data protection while in use.
    Intel SGX Homepage | Intel® Software




    I hope this might help other security conscious users here.
    But remember, this is only for 7th gen Intel processors and above!
    Last edited by Cliff S; 31 Dec 2017 at 04:54.
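As an added example (not code from the post, from Intel, or from ASUS/MSI), here is a small C program that reads the CPUID bits the Intel detection article quoted above is built on: the SGX support bit in leaf 7 and the EPC sections enumerated in leaf 0x12, whose combined size is what the "up to 128 MB" PRM reservation actually holds. The leaf and bit layout follows Intel's SDM; the function names and the sample register values in the comments are my own.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.(EAX=7,ECX=0):EBX bit 2. A clear bit rules SGX out; a set bit means the CPU
 * implements it, which by itself does not prove the BIOS setting has enabled it
 * (the post relies on the Intel driver appearing in Device Manager for that). */
int cpu_supports_sgx(unsigned int leaf7_ebx) { return (int)((leaf7_ebx >> 2) & 1u); }

/* CPUID.(EAX=0x12,ECX=0):EAX bits 0 and 1 advertise the SGX1 and SGX2 instruction sets. */
int sgx1_supported(unsigned int leaf12_eax) { return (int)(leaf12_eax & 1u); }
int sgx2_supported(unsigned int leaf12_eax) { return (int)((leaf12_eax >> 1) & 1u); }

/* One EPC section, CPUID.(EAX=0x12,ECX=n>=2): EAX[3:0]==1 marks a valid section;
 * its size is ECX[31:12] (size bits 31:12) plus EDX[19:0] (size bits 51:32).
 * Returns 0 for an invalid subleaf, which also ends the list of sections. */
uint64_t epc_section_bytes(unsigned int eax, unsigned int ecx, unsigned int edx)
{
    if ((eax & 0xFu) != 1u)
        return 0;
    return (uint64_t)(ecx & 0xFFFFF000u) | ((uint64_t)(edx & 0xFFFFFu) << 32);
}

/* Live probe: on x86 hosts, sums every valid EPC section the CPU reports;
 * on other hosts (or when the SGX bit is clear) it returns 0 rather than guessing. */
uint64_t probe_epc_bytes(void)
{
    uint64_t total = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !cpu_supports_sgx(b))
        return 0;
    for (unsigned int sub = 2; sub < 2 + 8; sub++) {  /* 8 sections is plenty */
        __get_cpuid_count(0x12, sub, &a, &b, &c, &d);
        uint64_t sz = epc_section_bytes(a, c, d);
        if (sz == 0) break;
        total += sz;
    }
#endif
    return total;
}

int main(void)
{
    printf("EPC reported by CPUID: %llu MB\n", (unsigned long long)(probe_epc_bytes() >> 20));
    return 0;
}
```

On a machine where SGX is Disabled or still awaiting the software opt-in, a zero or missing EPC here is the expected result, not a bug in the program.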


  2. Posts : 181
    Windows 10 Pro x64
       #2

    Just wanted to add that on my gaming laptop ASUS GL703GS (BIOS 309) SGX was unavailable, and BIOS was locked (= didn't have any control option for SGX):



    ... but I solved the problem using Cyberlink Ultra-HD Blu-Ray Advisor.
    After the UHD check it asked me to automatically download and install Intel SGX, so I did, and it worked: SGX is enabled now.
    Hope this can be useful for other users too.

    Laptop ASUS GL703GS (BIOS 309)
    CPU i7-8750H (iGPU disabled, so I can't see 4K UHD BDR with DRM unfortunately)
    GTX 1070 8GB (vbios 86.04.7c.00.24, Samsung VRAM)
    Windows 10 Pro 1903
    Desktop res: 1080p (1920x1080)
    Screen mode: 144Hz + g-sync
    USB Blu-Ray 4K drive: Verbatim 43888 (Pioneer BDR-UD04)

