Ask Sawal


SGX disabled by BIOS?

2 Answer(s) Available
Answer # 1 #

This project will no longer be maintained by Intel.

Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.

Intel no longer accepts patches to this project.

If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.

This application will enable Intel SGX on Linux systems where the BIOS supports Intel SGX, but does not provide an explicit option to enable it. These systems can only enable Intel SGX via the "software enable" procedure.

This application is distributed under the BSD 3-Clause "New" or "Revised" License.

Performing the software enable procedure requires:

Build the application by running 'make'.

There are no package requirements beyond a C compiler. If you wish to use a compiler other than gcc*, edit the Makefile and change the CC variable.

There is no installer, as this is a one-time use executable. Once Intel SGX is enabled, it will stay enabled until explicitly disabled in your BIOS (if your BIOS supports this capability).

Usage is:

Running sgx_enable with no options will attempt to perform the software enabling procedure on your system. You will need write access to the EFI filesystem which typically means it must be run as root:

Once the software enabling procedure has completed successfully you will need to reboot your system for Intel SGX to be available.

The software enabling procedure is a one-time procedure. You will not need to run this application again unless you explicitly disable Intel SGX in your BIOS at a later date.

The --status option prints the status of Intel SGX on your system and does not attempt to enable it. This will also report whether or not your system supports Intel SGX and the software enable procedure.

You should not need to be root to display the enabling status of the system unless your EFI filesystem is not world-readable.

The utility will report the enabling status on your system, and the success or failure of the software enabling procedure.

Your system supports Intel SGX, and is in the "software enable" state. Rerun the utility without the --status option to enable Intel SGX.

Your system supports Intel SGX and it has already been enabled. No further action is necessary.

The software enabling procedure completed successfully. Once your system is rebooted Intel SGX will be available for use.

The software enabling procedure could not be performed because you do not have write access to the EFI filesystem. Rerun the utility as root.

Your CPU does not support Intel SGX.

Either Intel SGX is explicitly disabled in your BIOS, or your BIOS does not support Intel SGX. Reboot your system into the BIOS setup screen and look for an Intel SGX option. If you don't find any, your system may not support Intel SGX.

Contact your OEM for assistance.

A UEFI booted system is required to perform the software enabling procedure. If your system has already been built and booted in Legacy mode, you can boot a Linux Live CD in UEFI mode and perform the procedure from the Live image.

Your BIOS provides explicit options to enable or disable Intel SGX, and does not have a software enable capability. To enable Intel SGX, boot your system into the BIOS setup screen, locate the Intel SGX options and explicitly set the status to "enabled". You do not need this utility.

Contact your OEM for assistance.

The software enable procedure has already been executed. You need to reboot your system for Intel SGX to be enabled for use. You do not need to run this utility again.

Deborah Rama
Vascular Access
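An added example, not code from the sgx_enable utility: it reads the CPUID leaves that separate "CPU does not support Intel SGX" from "supported but not enabled by the BIOS", the distinction the status messages in the answer above draw. The bit positions follow the Intel SDM; the function names and the reading of an empty leaf 0x12 as "not enabled" are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

enum sgx_state { SGX_NO_CPU, SGX_NOT_ENABLED, SGX_NO_EPC, SGX_READY };

/* Size in bytes of one EPC section from CPUID.(EAX=0x12,ECX>=2); 0 if the
 * sub-leaf type (EAX[3:0]) is not 1, i.e. not a valid EPC section. */
uint64_t epc_section_bytes(uint32_t eax, uint32_t ecx, uint32_t edx) {
    if ((eax & 0xF) != 1) return 0;
    return ((uint64_t)(edx & 0xFFFFF) << 32) | (ecx & 0xFFFFF000u);
}

/* leaf7_ebx = CPUID.(EAX=7,ECX=0):EBX, leaf12_eax = CPUID.(EAX=0x12,ECX=0):EAX */
enum sgx_state sgx_classify(uint32_t leaf7_ebx, uint32_t leaf12_eax, uint64_t epc_bytes) {
    if (!(leaf7_ebx & (1u << 2))) return SGX_NO_CPU;       /* SGX feature flag */
    if (!(leaf12_eax & 1u))       return SGX_NOT_ENABLED;  /* SGX1 leaf functions */
    return epc_bytes ? SGX_READY : SGX_NO_EPC;
}

const char *sgx_state_name(enum sgx_state s) {
    static const char *n[] = { "CPU does not support SGX",
        "CPU supports SGX, but it is not enabled (check BIOS / software enable)",
        "SGX enumerated, but no EPC memory reserved", "SGX enabled" };
    return n[s];
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a = 0, b = 0, c = 0, d = 0, l7b = 0, l12a = 0;
    uint64_t epc = 0;
    unsigned max = __get_cpuid_max(0, NULL);
    if (max >= 7) { __cpuid_count(7, 0, a, b, c, d); l7b = b; }
    if (max >= 0x12 && (l7b & (1u << 2))) {
        __cpuid_count(0x12, 0, a, b, c, d); l12a = a;
        for (uint32_t i = 2; i < 10; i++) {          /* walk EPC sub-leaves */
            __cpuid_count(0x12, i, a, b, c, d);
            if ((a & 0xF) != 1) break;
            epc += epc_section_bytes(a, c, d);
        }
    }
    printf("%s (EPC: %llu MiB)\n", sgx_state_name(sgx_classify(l7b, l12a, epc)),
           (unsigned long long)(epc >> 20));
#else
    puts("Not an x86 CPU: Intel SGX is not applicable.");
#endif
    return 0;
}
```

CPUID is unprivileged, so this check runs without root and does not touch the EFI filesystem.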
Answer # 2 #
  • From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > System Options > Processor Options > Intel Software Guard Extensions (SGX) and press Enter.
  • Select a setting and press Enter. Enabled.
  • Press F10.
Ankur Banerjee