How to enable SGX in BIOS?


What is Intel SGX, and how do you enable it from the BIOS? Learn what SGX is for and why you would want to activate it in the first place.

Software Guard Extensions (SGX) is a set of security-related instructions built into some Intel CPUs. SGX protects the confidentiality and integrity of data while it is in use by isolating an application's sensitive code and data inside hardware-protected memory regions called enclaves.

If you want to know how to enable SGX in the BIOS so that applications on your machine can use enclave protection, read on.

How to Enable SGX in BIOS

First, enter the BIOS (UEFI) setup at startup. On a Windows PC you do this by pressing the setup key chosen by your laptop or desktop manufacturer, typically F10, F2, F12, F1 or DEL. The menu path below is the one documented for HPE ProLiant servers (UEFI System Utilities); on other vendors' firmware the option name is similar but its location varies, so look under the processor, advanced or security settings. Then do the following:

  • Go to the “System Utilities” screen.
  • Select “System Configuration”, then “BIOS/Platform Configuration (RBSU)”, then “System Options”, and then “Processor Options”.
  • Select “Intel Software Guard Extensions (SGX)” and press “Enter”.
  • You will see “Enabled”, “Disabled” and “Software Controlled”. “Enabled” turns SGX on unconditionally; “Software Controlled” leaves it off until the Intel SGX software in the operating system requests it, which takes effect after a reboot. Choosing anything except “Disabled” exposes further options, such as the amount of memory reserved for enclaves.
  • Save the settings and restart the machine.

Read more: Intel® Software Guard Extensions—Part 2: Detect & Enable

Why Enable SGX in BIOS?

Enable SGX in the BIOS when you run applications that create protected memory regions (enclaves) whose contents can be read only by the code running inside them. The feature is only useful once the Intel SGX Platform Software (driver and runtime) is installed in the operating system. On most systems it ships disabled.

  • Protects data in use: SGX is useful for implementing digital rights management (DRM), secure web browsing and secure remote computation, where sensitive data has to be processed on a machine whose operating system you do not fully trust.
  • Privilege levels: data inside an SGX enclave is unreadable by any code outside the enclave, including code running at higher privilege levels such as the kernel or a hypervisor.
  • Conceals encryption keys and algorithms: because enclave memory is encrypted outside the CPU and inaccessible to other software, SGX is also used to hide proprietary algorithms and encryption keys. Note that SGX is a CPU feature that the BIOS merely switches on; it is not a BIOS-level protection.

What is SGX Anyway?

SGX is a CPU feature, switched on from the BIOS, that reserves and encrypts a portion of physical memory for enclaves. Enclave memory is held encrypted in RAM and is decrypted only inside the CPU package, and only when the code running inside that enclave accesses it.

  • Define private memory regions: SGX lets user-level application code create private memory regions, called enclaves, whose contents are intended to be unreadable by anything outside the enclave. The operating system still allocates and manages the physical pages backing enclaves, but it cannot read them.
  • Protection from a compromised host: the CPU enforces that enclave contents cannot be examined or modified by any other code, including processes at higher privilege levels, so an attacker who controls the OS still cannot read the enclave.
  • Threat model: the enclave trusts only itself and the CPU; everything outside it, including the hypervisor and the operating system itself (Windows or a UNIX-like OS), is treated as potentially hostile. Intel's threat model does not cover side channels, so enclave code must still be written defensively.

Q&A

Should SGX be enabled in BIOS?

Yes, if you intend to run SGX applications. The requirements for using Intel SGX are:

The BIOS must have an option to enable SGX, and the Intel SGX option must be set to Enabled or Software Controlled, depending on the system. PhoenixNAP BMC servers ship with this option already enabled. You must also install the Intel SGX Platform Software package in the operating system.

What is Intel SGX?

Intel® Software Guard Extensions (SGX) is a security technology built into Intel processors that helps protect data in use through application isolation. Selected code and data are placed in hardened enclaves that protect them from disclosure and modification.

Does my computer have SGX?

To find out whether a specific processor supports Intel® SGX:

Go to Intel's product specifications site (ARK), enter the processor number in the search box in the top-right corner, then on the processor's specification page click Security & Reliability and look for Intel® Software Guard Extensions (Intel® SGX). Note that CPU support is not the same as the feature being enabled: the firmware must also have switched it on.

How do I disable SGX in BIOS?

Go back into the BIOS setup, open the same SGX option and set it to Disabled, then save and reboot. This is the only way to turn SGX off once it has been enabled; it cannot be disabled from the operating system. See also: Detecting and Enabling Intel® SGX | Intel Software

Does Intel SGX affect performance?

SGX imposes a heavy performance penalty on each switch between the application and the enclave, ranging from roughly 10,000 to 18,000 cycles per call depending on the call mechanism used. This penalty particularly affects server applications that cross the enclave boundary often, as discussed in [3, 45].

Is Intel SGX safe?

SGX is designed to keep data secure even if the computer's operating system has been tampered with or is under attack. Note, though, that the OS keeps control over when enclave code runs: “For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point,” the researchers outlined. Enclave code therefore has to be written on the assumption that a hostile OS can pause and resume it at will.

What is SGX control?

Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. This per-application granularity, rather than protecting a whole virtual machine or the whole system, is what sets SGX apart.

What is SGX used for?

SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

Is SGX a TPM?

A TPM tells you whether the firmware or boot process has changed (measured boot) and can store and use keys, but it does not execute your code; SGX instead protects sensitive code and data from the host they run on. What the two share is attestation: each can prove to a remote party that it is genuine hardware in a known state, so neither can be spoofed by software alone.

Does AMD support Intel SGX?

Intel SGX does not exist on AMD platforms. AMD has a comparable technology of its own (SEV, which encrypts whole virtual machines rather than application enclaves), but software that requires SGX, such as PowerDVD, does not support it. For that use case it is easier and cheaper to rip and play the disc, or to get a standalone player.

Does Intel still support SGX?

Intel has removed SGX from its 11th generation and newer consumer (Core) CPUs, and support may be dropped at some point from new versions of the Intel drivers and utilities (for example the Intel SGX and Intel Management Engine driver and firmware). SGX remains available on Intel's Xeon server processors.

What is Intel BIOS Guard support?

Intel BIOS Guard protects the BIOS flash from modification without platform manufacturer authorization, which helps defend the platform against low-level DoS (denial of service) attacks, and restores the BIOS to a known good state after an attack.

What is enclave memory size?

Enclave Memory Size: this option sets the amount of RAM the BIOS reserves for SGX enclaves (the Enclave Page Cache). Choose one of the listed options, for example:

  • 32 MB
  • 64 MB

How do I disable Intel software guard extensions?

Software enabling is a one-way operation: once SGX has been enabled, it cannot be disabled from software. The only way to disable Intel SGX after it has been enabled is through the BIOS, by explicitly setting Intel SGX to Disabled if the BIOS provides that option.

What is Lenovo SGX?

Intel Software Guard Extensions (Intel SGX) is an extension to the Intel processor architecture that provides new CPU instructions and platform enhancements allowing applications to create private areas in which to protect sensitive information. Lenovo documents the option under that name for its ThinkSystem servers.

What happens if I disable SGX?

If you plan to use Intel SGX to help secure your applications and sensitive data, disablement should be completely avoided, as disablement offers no application or data protection whatsoever. You won’t even be able to install the Intel SGX Platform Software if SGX is disabled.

What is the Enclave Page Cache (EPC)?

The EPC is the region of physical memory, reserved by the BIOS, in which the CPU keeps enclave code and data. It is split into 4 KB pages that can be assigned to different enclaves, the same page size the architecture's address translation uses. The EPC is managed by the same system software that manages the rest of the computer's physical memory, but that software cannot read the pages' contents.

What is SGX enclave size?

The EPC reservation is fixed but differs by processor model: sizes range from 8 GB to 512 GB per processor. For a 2-socket ThinkSystem server, if enough DDR memory is installed, the system BIOS can reserve between 16 GB and 1 TB depending on the processor model installed. Individual enclaves are sized by the application that creates them; the EPC is the pool they draw from.
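To complement the ARK lookup under “Does my computer have SGX?” and the EPC and enclave-size figures above, here is an added example (not from the original page, the HPE or Lenovo documentation, or Intel's tools) that asks the processor directly. It reads CPUID leaf 7 for the SGX bit, leaf 0x12 for SGX1/SGX2 support and the maximum enclave size, walks the EPC sections to report how much protected memory the firmware actually reserved, and, when run as root on Linux with the msr module loaded, decodes IA32_FEATURE_CONTROL to show whether the BIOS locked SGX on or off. The bit positions are Intel's documented CPUID and MSR layouts; the file name sgx_probe.c and the sample register values in the comments are assumptions of this example.

```c
/* sgx_probe.c (hypothetical file name): report SGX support, EPC reservation and the
 * firmware's SGX enable state directly from the CPU, instead of looking it up on ARK.
 * Build: cc -O2 -o sgx_probe sgx_probe.c      (x86-64 Linux, GCC or Clang)
 * Run:   sudo ./sgx_probe                     (root is only needed for the MSR read)
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define IA32_FEATURE_CONTROL 0x3A   /* MSR address */

/* CPUID.(EAX=7,ECX=0):EBX bit 2 is set when the processor implements SGX at all. */
int cpuid7_has_sgx(uint32_t ebx) { return (int)((ebx >> 2) & 1); }

/* CPUID.(EAX=0x12,ECX=0):EAX bit 0 = SGX1 instructions, bit 1 = SGX2 (dynamic EPC paging). */
int cpuid12_sgx1(uint32_t eax) { return (int)(eax & 1); }
int cpuid12_sgx2(uint32_t eax) { return (int)((eax >> 1) & 1); }

/* CPUID.(EAX=0x12,ECX=0):EDX bits 15:8 = log2 of the largest enclave allowed in 64-bit mode.
 * Sample value 0x2420 (assumed) means 2^36 = 64 GiB in 64-bit mode, 2^32 in 32-bit mode. */
uint64_t cpuid12_max_enclave_64(uint32_t edx) { return 1ULL << ((edx >> 8) & 0xff); }

/* CPUID.(EAX=0x12,ECX=n>=2) describes EPC section n-2. EAX[3:0]==1 marks a valid section;
 * base = EBX[19:0]<<32 | EAX[31:12], size = EDX[19:0]<<32 | ECX[31:12]. Both return 0 for an
 * invalid sub-leaf, which is how the list of sections is terminated. */
uint64_t epc_section_base(uint32_t eax, uint32_t ebx) {
    if ((eax & 0xf) != 1) return 0;
    return ((uint64_t)(ebx & 0xfffff) << 32) | (eax & 0xfffff000u);
}
uint64_t epc_section_size(uint32_t eax, uint32_t ecx, uint32_t edx) {
    if ((eax & 0xf) != 1) return 0;
    return ((uint64_t)(edx & 0xfffff) << 32) | (ecx & 0xfffff000u);
}

/* IA32_FEATURE_CONTROL: bit 0 = lock (set by the BIOS before it hands over to the OS),
 * bit 17 = SGX Launch Control, bit 18 = SGX global enable. Lock set with bit 18 clear is
 * what "Disabled" in setup looks like from the OS: only a BIOS change can flip it. */
int fc_locked(uint64_t v)      { return (int)(v & 1); }
int fc_sgx_lc(uint64_t v)      { return (int)((v >> 17) & 1); }
int fc_sgx_enabled(uint64_t v) { return (int)((v >> 18) & 1); }

/* Read one MSR on CPU 0 through the Linux msr driver; -1 if that is not possible. */
int read_msr(uint32_t reg, uint64_t *out) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    int ok = pread(fd, out, sizeof *out, (off_t)reg) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
#if HAVE_CPUID
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !cpuid7_has_sgx(b)) {
        puts("CPUID: this processor does not implement SGX");
        return 1;
    }
    __get_cpuid_count(0x12, 0, &a, &b, &c, &d);
    printf("SGX1=%d SGX2=%d, max 64-bit enclave %llu MiB\n", cpuid12_sgx1(a), cpuid12_sgx2(a),
           (unsigned long long)(cpuid12_max_enclave_64(d) >> 20));
    for (unsigned n = 2; __get_cpuid_count(0x12, n, &a, &b, &c, &d); n++) {
        uint64_t sz = epc_section_size(a, c, d);
        if (!sz) break;                               /* first invalid sub-leaf ends the list */
        printf("EPC section %u: base 0x%llx, size %llu MiB\n", n - 2,
               (unsigned long long)epc_section_base(a, b), (unsigned long long)(sz >> 20));
    }
    uint64_t fc;
    if (read_msr(IA32_FEATURE_CONTROL, &fc) == 0)
        printf("IA32_FEATURE_CONTROL: lock=%d sgx_enable=%d launch_control=%d\n",
               fc_locked(fc), fc_sgx_enabled(fc), fc_sgx_lc(fc));
    else
        puts("IA32_FEATURE_CONTROL: not readable (needs root and the msr kernel module)");
    return 0;
#else
    puts("CPUID probing is only implemented for x86 builds");
    return 1;
#endif
}
```

If CPUID reports SGX but IA32_FEATURE_CONTROL shows lock=1 and sgx_enable=0, the CPU is capable and the firmware has it switched off, which is the case the ARK lookup alone cannot distinguish. On a machine set to “Software Controlled” expect sgx_enable to read 0 until the Intel SGX Platform Software has requested activation and the machine has rebooted; after that, as the page notes, only the BIOS can turn it off again. The EPC sizes printed are what the firmware reserved, which is the figure the Enclave Memory Size option controls.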

Is secure enclave a TPM?

A TPM is not a “secure enclave.” It is a smart card bonded to the motherboard, used for platform attestation, and some basic encryption. It provides no enclave to speak of.

Final Thoughts

Intel's SGX gives machines with a supporting Intel CPU an extra layer of hardware-enforced protection: once enabled from the BIOS, data inside the enclaves an application defines cannot be read even by the operating system itself.

Even if you plan to run with “Software Controlled” rather than “Enabled”, set SGX to “Enabled” first until you have completed the steps in the OS to get the Intel SGX software installed and working. Only switch to “Software Controlled” after the Intel drivers needed for SGX are configured.

References:

  1. “UEFI System Utilities and Shell Command Mobile Help for HPE ProLiant m510, m710x, and m710x-L Server Blades in HPE Edgeline Systems”, TechLibrary.hpe.com, retrieved May 12, 2022
  2. “Software Guard Extensions”, Wikipedia, retrieved May 12, 2022

Andy Avery

I really enjoy helping people with their tech problems to make life easier, ​and that’s what I’ve been doing professionally for the past decade.
