Skip to content

Installation of SGX driver

To install the SGX 2.0 driver on Linux distributions, follow the official description. Alternatively, on a modern Ubuntu system on which you have sudo access, you could execute the following:

curl -fssl https://raw.githubusercontent.com/SconeDocs/SH/master/install_sgx_driver.sh | bash

Check if the SGX driver is installed

Note that in systems in which the CPU supports SGX but the BIOS disables SGX, the driver might successfully install and load but using the SGX driver fails. Check on the host as well as inside your containers that the SGX device /dev/isgx is visible:

ls /dev/isgx >/dev/null 2>1  && echo "SGX Driver installed" || echo "SGX Driver NOT installed"

Checking availability of SGX device inside of containers

Docker does not automatically map the SGX device inside of containers. We provide, however, a patched Docker engine and a patched SGX driver that together permit to automatically map the sgx device inside of containers.

You can run the checks to see if the SGX device gets mapped automatically into a container, i.e., if you run the patched docker engine.

# preferred alternative: required for swarms to work: SGX device is available in all containers by default
docker run --rm sconecuratedimages/checksgx || echo "SGX device is not automatically mapped inside of container"

If the SGX device is not automatically mapped into the container, you can try to map the device as follows into the container:

# alternative: use --device option without --privileged flag
docker run --device=/dev/isgx --rm sconecuratedimages/checksgx || echo "--device=/dev/isgx: failed to map SGX device inside of container"

In the unlikely case that the device is not mapped in the container, you can try to see if the container must be privileged or if we might need to remap the device ids:

# last alternative: use --device option with --privileged flag
sudo docker run -v /dev/isgx:/dev/isgx --privileged  --rm sconecuratedimages/checksgx || echo "SGX device NOT available inside of container"

Use the first alternative that works in your installation to give containers access to the SGX device.

© scontain.com, Nov 2018. Questions or Suggestions?