Windows 10: Which SGX setting to choose in BIOS [Solved]


    Posts: 18,863
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
    31 Dec 2017 #1

    Which SGX setting to choose in BIOS


    I had noticed that even though I had Software Guard Extensions (SGX) set to "Software Controlled" in BIOS, it wasn't showing up in Device Manager.
    Then it came to me that on my last system build (an MSI mainboard with a 6700K), MSI had included the driver in the download support for the board, and also through their MSI driver & software updater.
    ASUS, though, doesn't offer it.
    I suppose this is because my ASUS board is a Gaming board and my MSI was a Professional (workstation) board, and ASUS thinks that gamers have no use for this security option.

    Tip
    I was able to download the driver, though, through the Microsoft Update Catalog.
    Select:
    Intel Corporation - SoftwareComponent - 12/22/2017 12:00:00 AM - 1.9.101.41172
    Last Modified: 12/22/2017
    Size: 22.5 MB

    Use something like 7-Zip and extract all files from the .cab folder, then double-click the installer.


    Information

    Note
    SGX is only available for Intel CPUs from 7th gen Core Kaby Lake and above.

    What is SGX:
    Intel® Software Guard Extensions (Intel® SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification. Intel® SGX makes such protections possible through the use of enclaves. Enclaves are protected areas of execution. Application code can be put into an enclave via special instructions and software made available to developers via the Intel® SGX SDK.
    Intel® Software Guard Extensions SDK | Intel® Software


    Why is the software controlled setting better than enabled in BIOS for consumers as opposed to business:
    BIOS Support

    BIOS support is required for Intel SGX to provide the capability to enable and configure the Intel SGX feature in the system.
    The system owner must opt in to Intel SGX by enabling it via the BIOS. This requires a BIOS from the OEM that explicitly supports Intel SGX. The support provided by the BIOS can vary OEM to OEM and even across an OEM’s product lines.
    There are three possible BIOS settings.

    • Enabled
      Intel Software Guard Extensions (Intel® SGX) is enabled and available for use in applications.
    • Software Controlled
      Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”). Enabling Intel SGX via software opt-in may require a system reboot.
    • Disabled
      Intel SGX is explicitly disabled and it cannot be enabled through software applications. This setting can only be changed in the BIOS setup screen.

    Note: Your BIOS may only have the Enabled and Disabled options, or it may not have these options if it only supports the Software Controlled option (or if it doesn’t support Intel SGX at all). Check with your device manufacturer to determine whether or not Intel SGX is supported on your system.
    When Intel SGX is set to Enabled in the BIOS, Intel SGX has been enabled, and Intel SGX instructions and resources are available to applications.
    When Intel SGX is set to Software Controlled, Intel SGX is initially disabled until it is enabled via a software application.


    What is the point of the Software Controlled state?

    (When set to Enabled in BIOS) Intel SGX reserves up to 128 MB of system RAM as Processor Reserved Memory (PRM), which is used to hold the Enclave Page Cache (EPC). While its exact size is determined by the BIOS settings, it is important to note that enabling Intel SGX consumes a portion of the system’s resources, effectively making them unavailable to other applications.

    (When set to Software Controlled in BIOS) The Software Controlled setting in the BIOS allows OEMs to ship systems with support for Intel SGX in a ready state, where it can be activated via software (this is the software opt-in). This is a compromise between having Intel SGX fully enabled by default and potentially consuming system resources even when no Intel SGX software is present on the system and having it turned off completely. Allowing the activation to occur via software eliminates the need for end users to boot their systems into their BIOS setup screens and manually enable Intel SGX via that interface, a potentially daunting task for nontechnical users.

    Software enabling is a one-way operation: Intel SGX cannot be disabled via software. The only ways to disable Intel SGX once it has been enabled are to do so via the BIOS:

    • Explicitly set Intel SGX to Disabled if the BIOS provides this option.
    • Or: flash a new BIOS image to the device, which resets Intel SGX support in the BIOS to the default state (either Disabled or Software Controlled, depending on the BIOS provider).


    Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications | Intel® Software



    What does SGX do:
    Application code executing within an Intel SGX enclave:

    • Benefits from new Intel SGX instructions introduced with 7th Generation Intel® Core™ processor platforms and Intel® Xeon® processor E3 v5 for data center servers.
    • Relies on a driver from Intel or the operating system for access to Intel SGX instructions and resource management
    • Executes within the context of its parent application, thereby benefiting from the full power of the Intel® processor
    • Reduces the trusted computing base of its parent application to the smallest possible footprint
    • Remains protected even when the BIOS, VMM, operating system, and drivers are compromised, implying that an attacker with full execution control over the platform can be kept at bay
    • Benefits from memory protections that thwart memory bus snooping, memory tampering and “cold boot” attacks on images retained in RAM
    • Uses hardware-based mechanisms to respond to remote attestation challenges that validate its integrity
    • Works in concert with other enclaves owned or trusted by the parent application
    • Can be developed using standard development tools, thereby reducing the learning curve impact on application developers
    • Supports initial data center use (such as protected transport layer security (TLS) keystore management) as well as proof of concept and development work for future data center platforms and solutions. This includes encrypted database operations, trusted big data computing, network functions virtualization (NFV), and secure monitoring, blockchain, and other important data center security uses that leverage added data protection while in use.
    Intel SGX Homepage | Intel® Software




    I hope this might help other security conscious users here.
    But remember, this is only for 7th gen Intel processors and above!
    Last edited by Cliff S; 31 Dec 2017 at 04:54.
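As an added example (my own code, not from the post or from Intel), here is a small C program that decodes the CPUID leaves the "Properly Detecting Intel SGX" article relies on: whether the CPU advertises SGX, which instruction-set levels it has, and how large the EPC carved out of the PRM is. CPUID reports what the silicon can do; the BIOS state the post discusses (Disabled, Software Controlled, Enabled) still decides whether enclaves are actually usable, so treat a positive result as a prerequisite check, not proof that the Intel driver will load.

```c
/* Added example, not from the forum post or Intel: decode the CPUID leaves that
 * advertise SGX and the size of the EPC that lives in Processor Reserved Memory.
 * Bit layout per the Intel SDM: CPUID.7.0:EBX[2] = SGX; CPUID.0x12.0:EAX[0]/[1] =
 * SGX1/SGX2; CPUID.0x12.2: EAX[3:0]==1 marks an EPC section, whose size is
 * ECX[31:12] (low bits) and EDX[19:0] (bits 51:32). */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
struct sgx_info { int supported, sgx1, sgx2; uint64_t epc_bytes; };

/* Pure decoder, so it can be exercised with constructed register values. */
struct sgx_info decode_sgx(uint32_t leaf7_ebx, uint32_t leaf12_0_eax,
                           uint32_t s2_eax, uint32_t s2_ecx, uint32_t s2_edx)
{
    struct sgx_info i = {0, 0, 0, 0};
    i.supported = (leaf7_ebx >> 2) & 1;
    if (!i.supported)
        return i;                       /* leaf 0x12 is meaningless without it */
    i.sgx1 = leaf12_0_eax & 1;
    i.sgx2 = (leaf12_0_eax >> 1) & 1;
    if ((s2_eax & 0xF) == 1)            /* 0 means "no section" in this sub-leaf */
        i.epc_bytes = ((uint64_t)(s2_edx & 0xFFFFF) << 32) |
                      (uint64_t)(s2_ecx & 0xFFFFF000u);
    return i;
}

/* Query the running CPU; on a non-x86 build every field stays zero. */
struct sgx_info probe_sgx(void)
{
    unsigned l7b = 0, l12a = 0, s2a = 0, s2c = 0, s2d = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        l7b = b;
    if (((l7b >> 2) & 1) && __get_cpuid_count(0x12, 0, &a, &b, &c, &d))
        l12a = a;
    if (((l7b >> 2) & 1) && __get_cpuid_count(0x12, 2, &a, &b, &c, &d)) {
        s2a = a; s2c = c; s2d = d;
    }
#endif
    return decode_sgx(l7b, l12a, s2a, s2c, s2d);
}

int main(void)
{
    struct sgx_info i = probe_sgx();
    printf("SGX: %d  SGX1: %d  SGX2: %d  EPC: %llu MiB\n", i.supported, i.sgx1,
           i.sgx2, (unsigned long long)(i.epc_bytes >> 20));
    return 0;
}
```

On a Kaby Lake box with SGX Enabled in BIOS the EPC line typically shows the 128 MiB reservation the Intel text above mentions, minus a little EPC metadata overhead.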