6

I'm in the unlucky situation that I need to use a CPU feature that the BIOS hasn't enabled in the ia32 feature control MSR register. The BIOS does set the lock bit so I can't set the bit myself. The BIOS (Asus UEFI BIOS) has no option to change the behavior. Question is, is there any way I can set this bit? I'm thinking if it is possible to write an UEFI extension or some program I could execute from the UEFI shell. But I'm not sure if the register is locked before this would be execute (I know very little about UEFI and its programming environment). Alternatively, is it possible to patch the BIOS update image or modify it using standard tools? Anyone who heard of success stores in this area?

The feature in question is SGX (Software Guard Extensions). The board is Asus Z170-K. Everything is in place to support SGX, except that the BIOS is unable to set this bit.

Update May 22th: I just updated the Asus Z170-K to the newly released BIOS 1803 (released 20th of May). It was a big jump in version number so I was hopeful. Sadly, SGX support still isn't there. I've now filed a new request with Asus and this time I plan not to be just brushed off. I think it is outright amateurish this is not supported from the beginning - it is part and parcel of supporting a Skylake CPU so I think all customers requiring this should try and pursue a refund (I know I'm gonna do that).

Morty
  • 1,666
  • 1
  • 12
  • 21
  • does your CPUID indicate that SGX is supported ? Can you provide exact CPU model ? Depending on mechanism that locked this bit it may be possible to enable this feature using UEFI application. I need to research your hardware to make judgement. – Piotr Król Jan 20 '16 at 12:50
  • Yes it is Asus Z170-K motherboard, Skylake 6700K CPU. I have the SR2L0 SSpec which supports SGX. Will check CPUID when I get home but there's a longer story attached to that :) Would be grateful if you could consider options for UEFI also out of interest. – Morty Jan 20 '16 at 14:15
  • A program using CPUID from within Windows 10 reports no SGX support even though it is a supported CPU. As I understand the Intel SGX documentation, even though the feature control bit isn't set, the support should still be visible via CPUID. I will try to see if this is because Windows 10 somehow could play tricks with CPUID (running everything in a hypervisor?). I'm not aware of other ways the BIOS or Windows 10 could hide SGX support via modified CPUID result but there could be MSR's etc. I'm not aware of. – Morty Jan 21 '16 at 10:18
  • Will try to run the same on Linux later today. – Morty Jan 21 '16 at 10:19
  • 1
    So result is, CPUID leaf=0x07, subleaf=0x0 reports SGX as available (EBX contains 0x29c6fbb after the call, i.e. bit 2 is set). On the other hand, the leaf 0x12 report zero. So I read the SGX documentation as meaning that the CPU supports SGX, but the BIOS has not opted in to it by setting the appropriate feature control bit. – Morty Jan 23 '16 at 09:56
  • Just for the records, the bios lock should have [workarounds](https://www.win-raid.com/t3908f16-GUIDE-Grub-Fix-Intel-FPT-Error-or-BIOS-Lock-Asus-Other-Mod-BIOS-Flash.html) – mirh Sep 17 '19 at 13:04

4 Answers4

3

Probably not feasible without modding the BIOS ROM and re-flashing it. The CPU initialization is one of the earliest parts of of boot. The lock bit would get set in either SEC or PEI phase. Any extension you write will be for the DXE phase, which occurs later.

Your best bet would be to contact Asus technical support. They may release a BIOS update to correct the issue.

If you haven't already, check for a BIOS update.

myron-semack
  • 5,876
  • 1
  • 24
  • 36
  • 2
    Thanks that's what I feared might be the case - thanks for answering. – Morty Jan 21 '16 at 12:45
  • By the way, I have already contacted Asus twice but with since like this it is hard to get through to someone who knows about these things. They say that there's no customer interest so the supporter wasn't willing to send the request to Asus HQ! But the Q170M board has this feature available in BIOS and there's absolutely no reason why to offer this on a Q170 board and not on a Z170 board. Also it is not advertised as a feature specific to Q170. I think Asus might have confused it with TXT which indeed was only supported on Q170 chipsets. – Morty Jan 23 '16 at 09:59
  • I've just finished assembling a machine based on Q170M-C/CSM and the same CPU that you have. I bought this motherboard specificity to play with SGX. Although, there is description about SGX in the user guide, the BIOS does not have such option! The BIOS is old (September build) I think. I will try to update the BIOS and see if it appears. It looks like they're still working on SGX support. – Dmitry Jan 26 '16 at 05:33
  • 1
    @Dmitry: That's very interesting - how did it turn out after the update? – Morty Feb 11 '16 at 14:39
  • 1
    I have updated it couple of times since then. The last update was 29 Dec I think. All of the updates were just optimizations and didn't add anything to the functionality. I want to contact the technical support. But I have little hope that it will help. – Dmitry Feb 12 '16 at 06:48
  • @Dmitry any luck with the bios update "Q170M-C BIOS 0705" released a couple of days ago? – Thomas Bertani Feb 21 '16 at 04:17
  • @ThomasBertani no luck :( – Dmitry Mar 02 '16 at 06:38
  • I just updated the Asus Z170-K to the newly released BIOS 1803 (released 20th of May). It was a big jump in version number so I was hopeful. Sadly, SGX support still isn't there. I've now filed a new request with Asus and this time I plan not to be just brushed off. I think it is outright amateurish this is not supported from the beginning - it is part and parcel of supporting a Skylake CPU so I think all customers requiring this should try and pursue a refund (I know I'm gonna do that). – Morty May 22 '16 at 10:52
3

SGX support will require much more than just setting a bit in MSR. UEFI must reserve a special memory block (Enclave Page Cache) for SGX to work properly, so if ASUS haven't supported SGX from UEFI side, you either need to implement it yourself (which will be hard even with enough experience in UEFI programming, because of required firmware binary modifications) or wait for ASUS to catch up.

CodeRush
  • 744
  • 3
  • 9
  • It's true that in addition to setting this feature flag it would also have to allocate the EPC cache. But it is definitely not MUCH more. It is just setting a couple of MSR with base address and limit to the allocated area - and that's it! So maybe 4 lines of code (assuming there's a memory allocator available in the BIOS but I would expect that to be the case). My point is, it is trivial to support it from the BIOS vendor point of view. They don't have to write nasty SMM code or implement the fature itself. It is pure enablement. – Morty Jan 21 '16 at 12:45
  • I have already contacted Asus twice but with since like this it is hard to get through to someone who knows about these things. They say that there's no customer interest so the supporter wasn't willing to send the request to Asus HQ! But the Q170M board has this feature available in BIOS and there's absolutely no reason why to offer this on a Q170 board and not on a Z170 board. Also it is not advertised as a feature specific to Q170. I think Asus might have confused it with TXT which indeed was only supported on Q170 chipsets. – Morty Jan 23 '16 at 09:59
  • Try using [UEFITool/UEFIExtract](https://github.com/LongSoft/UEFITool) to search for all writes to that specific MSR. I expect it to be a bit more code that just one bit and one memory allocation, but if not - patching that MSR writes and adding a DXE driver to allocate the EPC block should not be too hard, you are right about it in your first comment. – CodeRush Jan 23 '16 at 16:07
3

A beta BIOS version 3107 has now been released on the Asus web site. This version is the first to enable SGX (it introduces a new SGX option in the BIOS menu). I have not verified it is actually working, but at least this is progress. It seems other motherborads in the Z170-series are getting BIOS upgrades that start with "3" so that might add SGX for those as well.

Morty
  • 1,666
  • 1
  • 12
  • 21
  • I can confirm this as working - I have used the Intel SDK and have launched Enclaves on this platform with this BIOS :-) – Morty Jan 13 '17 at 19:31
1

Looks like ASUS Z170-A does not support Intel SGX. Processor is Intel Core i7 6700K. I tryed to install Intel SGX PSW, but it says that platform does not support Intel SGX. I searched for Intel SGX settings in BIOS settings and did not find such an option. Then I made BIOS update, the actual version is 1602 by this moment.. it still does not support Intel SGX. That's a great pity, that Intel does not publish a list of motherboards which support SGX.

Mikhael S
  • 11
  • 1
  • I agree it's a pity. TXT never gained traction, because it required CPU+chipset+TPM support which meant only a small subset of sold machines had it. With SGX, everything is in the CPU so it should be easier. But once again, Intel fumbled it, by not having BIOS vendors on board and by bugs in first patch of CPU's. Further, SGX looks to be a dev closed model where you need to enter a contract with Intel to do production code. Also, it will only work on Intel, not AMD, ARM etc. I'm now pessimistic about this tech outside of datacenters etc. It won't be usable with end-users at least not this gen. – Morty Feb 21 '16 at 10:37
  • @Thomas: Sadly not, I decided the UEFIExtract route would be too much work (I would have been more optimistic if I could simply have written a UEFI extension using an SDK and loaded that). Regarding my mobo, there's been no new BIOS releases in a long time, but I expect one soon for the Skylake microcode bug, but there's no particular reason to think it would add SGX. So far it seems there's not a single desktop board known to support SGX, not even Q170M (acc. to Dmitry above). – Morty Feb 21 '16 at 19:01
  • @Morty I see, that's so bad.. a couple of days ago a new bios update was release for Q170M. Potentially this could include some changes for SGX as well, however the changelog is not verbose enough, but it definitely needs to be tested. It would be nice to have a feedback by Dmitry on this, I was about to buy a Q170M for this exact reason and was wondering whether the new bios changed anything. – Thomas Bertani Feb 21 '16 at 21:24
  • @ThomasBertani I cuurently run BIOS version 0705 which is the latest version. No SGX option anywhere in BIOS menus. – Dmitry Mar 20 '16 at 02:40