Hardware Report: Amazon C5 instances (c5.large)

Question

Hardware Report: Amazon C5 instances (c5.large)

lacabra opened this issue 6 years ago · comments

Amazon announced on 11/30/2016 the addition of Amazon EC2 C5 instances in early 2017 powered by Intel Xeon Skylake that comes with SGX capabilities. Here's the report from a c5.large running Ubuntu 16.04:

eax: 50653 ebx: 1040800 ecx: fffa3203 edx: 1f8bfbff
stepping 3
model 5
family 6
processor type 0
extended model 5
extended family 0
smx: 0

Extended feature bits (EAX=07H, ECX=0H)
eax: 0 ebx: d19f4fbb ecx: 8 edx: 0
sgx available: 0

CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 2ff ebx: a80 ecx: a88 edx: 0
sgx 1 supported: 1
sgx 2 supported: 1
MaxEnclaveSize_Not64: 0
MaxEnclaveSize_64: 0

CPUID Leaf 12H, Sub-Leaf 1 of Intel SGX Capabilities (EAX=12H,ECX=1)
eax: f ebx: a00 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 2 of Intel SGX Capabilities (EAX=12H,ECX=2)
eax: 100 ebx: 240 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 3 of Intel SGX Capabilities (EAX=12H,ECX=3)
eax: 40 ebx: 3c0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 4 of Intel SGX Capabilities (EAX=12H,ECX=4)
eax: 40 ebx: 400 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 5 of Intel SGX Capabilities (EAX=12H,ECX=5)
eax: 40 ebx: 440 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 6 of Intel SGX Capabilities (EAX=12H,ECX=6)
eax: 200 ebx: 480 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 7 of Intel SGX Capabilities (EAX=12H,ECX=7)
eax: 400 ebx: 680 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 8 of Intel SGX Capabilities (EAX=12H,ECX=8)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 9 of Intel SGX Capabilities (EAX=12H,ECX=9)
eax: 8 ebx: a80 ecx: 0 edx: 0

Because of the fact that is cloud infrastructure, getting access to tweak the BIOS seems highly unlikely. I tried installing the linux-sgx-driver, which did install but remains unused, and installed linux-sgx SDK & PSW, and the SampleEnclave code returns Intel SGX is not supported by this processor., which I believe is not technically true (instead of saying that SGX needs to get enabled through the BIOS).

Any ideas for things I could try or investigate further?

Thanks for the awesome work on this repo, BTW. Much appreciated!

lacabra · Answer 1 · Fri Apr 06 2018 11:27:31 GMT+0800 (China Standard Time)

Does anyone have suggestions around the possibility of modifying the BIOS and enabling SGX from the command line on Linux? My initial research shows that this is highly unlikely, and even if at all possible, the cloud providers would disallow it for security reasons. Would love to hear anyone's experience on this front.

Rolando Martins · Answer 2 · Thu Apr 12 2018 02:31:39 GMT+0800 (China Standard Time)

I think the only provider that grants access to SGX is Azure:
https://azure.microsoft.com/en-us/blog/introducing-azure-confidential-computing/
Hope it helps!

lacabra · Answer 3 · Thu Apr 12 2018 02:50:04 GMT+0800 (China Standard Time)

Thanks @rolandomar. There is this post from Feb. 2018 that suggests Azure may have shut down that program :(

Lars Lühr · Answer 4 · Sat Apr 14 2018 00:50:58 GMT+0800 (China Standard Time)

Hey Victor,

thanks a lot for investigating the SGX capabilities in AWS and Google! I can remember the official cloud vendor statements when I started working on SGX. However it is somehow sad that the technology isn't yet official supported. So the last hope for SGX in cloud environments is IBM bluemix and their cloud data guard. Try to sign up here.

I will update the index readme of this repo with this information.

Best regards
Lars

lacabra · Answer 5 · Sat Apr 14 2018 03:40:07 GMT+0800 (China Standard Time)

I signed up with them several days ago, and I'm in conversations with them. I haven't had a chance to post my hardware report on them yet. I'll do that next...

Lars Lühr · Answer 6 · Sat May 19 2018 13:11:51 GMT+0800 (China Standard Time)

Thanks a lot for your input! I will close this AWS issue. If there is a new development regarding SGX on AWS feel free to reopen it.

lacabra · Answer 7 · Wed Nov 07 2018 00:13:29 GMT+0800 (China Standard Time)

A quick update on this issue: I talked to Google Cloud engineers some time ago, and they confirmed that they currently do not support SGX, and they have not immediate plans to support it, so we'll have to look elsewhere for cloud SGX infrastructure.

hkpt16384 · Answer 8 · Wed Feb 20 2019 22:24:44 GMT+0800 (China Standard Time)

Can you comment on the following Google announcement (dated May 03,2018) on Asylo? (Gemalto claims to be using it as well):
[https://cloud.google.com/blog/products/gcp/introducing-asylo-an-open-source-framework-for-confidential-computing]

lacabra · Answer 9 · Thu Feb 21 2019 03:28:34 GMT+0800 (China Standard Time)

@hkpt16384: Asylo is a software framework to develop enclave applications across different hardware infrastructure, and it's open source, you can find it here: https://github.com/google/asylo

But asylo is a piece of software, it is unrelated to Google providing cloud infrastructure that supports hardware enclaves.