Hardware Report: IBM Cloud #43

Closed
lacabra opened this issue May 17, 2018 · 4 comments

lacabra commented May 17, 2018

IBM Cloud Data Guard provides cloud computing infrastructure with support for Intel's SGX. Through IBM Cloud one can contract a single processor bare metal server with SGX support, with the following minimum configuration for $276/month (as of May 2018):

  • Processor XEON - E3-1270-v6 Quad Core
  • 8 GB RAM
  • HD 1TB SATA
  • 500 GB public bandwidth
  • 100 Mbps Public & Private Network Uplinks
  • OS: Ubuntu Linux 16.04 LTS Xenial Xerus (64 bit)

Here's the report from an instance with the above specifications:

eax: 906e9 ebx: 7100800 ecx: 7ffafbff edx: bfebfbff
stepping 9
model 14
family 6
processor type 0
extended model 9
extended family 0
smx: 1

Extended feature bits (EAX=07H, ECX=0H)
eax: 0 ebx: 29c6fbf ecx: 0 edx: 0
sgx available: 1

CPUID Leaf 12H, Sub-Leaf 0 of Intel SGX Capabilities (EAX=12H,ECX=0)
eax: 1 ebx: 0 ecx: 0 edx: 241f
sgx 1 supported: 1
sgx 2 supported: 0
MaxEnclaveSize_Not64: 1f
MaxEnclaveSize_64: 24

CPUID Leaf 12H, Sub-Leaf 1 of Intel SGX Capabilities (EAX=12H,ECX=1)
eax: 36 ebx: 0 ecx: 1f edx: 0

CPUID Leaf 12H, Sub-Leaf 2 of Intel SGX Capabilities (EAX=12H,ECX=2)
eax: 80200001 ebx: 0 ecx: 5d80001 edx: 0

CPUID Leaf 12H, Sub-Leaf 3 of Intel SGX Capabilities (EAX=12H,ECX=3)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 4 of Intel SGX Capabilities (EAX=12H,ECX=4)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 5 of Intel SGX Capabilities (EAX=12H,ECX=5)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 6 of Intel SGX Capabilities (EAX=12H,ECX=6)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 7 of Intel SGX Capabilities (EAX=12H,ECX=7)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 8 of Intel SGX Capabilities (EAX=12H,ECX=8)
eax: 0 ebx: 0 ecx: 0 edx: 0

CPUID Leaf 12H, Sub-Leaf 9 of Intel SGX Capabilities (EAX=12H,ECX=9)
eax: 0 ebx: 0 ecx: 0 edx: 0

SGX capabilities are fully functional and I was able to install sgx-linux-driver, and the sgx-linux SDK, and run code inside the enclave. As mentioned in this README, this processor is part of the Xeon E3 family, which means that the Trusted Platform Service Functions (monotonic counters, trusted time) are not available. Otherwise it works as expected.

Issue referenced in #37.
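The register values in the report above can be decoded by hand; the following is an added example, not code from this issue or from the project's test tool. The function names are made up here, the values are copied from the report instead of being read with the CPUID instruction, and the bit positions are those of Intel's CPUID documentation.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the report above; no CPUID instruction is executed. */
struct regs { uint32_t eax, ebx, ecx, edx; };
static const struct regs LEAF1    = {0x906e9, 0x7100800, 0x7ffafbff, 0xbfebfbff};
static const struct regs LEAF7    = {0x0, 0x29c6fbf, 0x0, 0x0};
static const struct regs LEAF12_0 = {0x1, 0x0, 0x0, 0x241f};
static const struct regs LEAF12_2 = {0x80200001, 0x0, 0x5d80001, 0x0};

/* Leaf 1 EAX: the extended family is only added when the base family is 15. */
unsigned display_family(uint32_t eax) {
    unsigned family = (eax >> 8) & 0xf;
    return family == 15 ? family + ((eax >> 20) & 0xff) : family;
}
/* For family 6 or 15 the extended model is the high nibble of the model. */
unsigned display_model(uint32_t eax) {
    unsigned family = (eax >> 8) & 0xf, model = (eax >> 4) & 0xf;
    if (family == 6 || family == 15) model |= ((eax >> 16) & 0xf) << 4;
    return model;
}
int has_smx(uint32_t leaf1_ecx)  { return (leaf1_ecx >> 6) & 1; }  /* ECX bit 6 */
int has_sgx(uint32_t leaf7_ebx)  { return (leaf7_ebx >> 2) & 1; }  /* EBX bit 2 */
int has_sgx1(uint32_t l12_eax)   { return l12_eax & 1; }           /* EAX bit 0 */
int has_sgx2(uint32_t l12_eax)   { return (l12_eax >> 1) & 1; }    /* EAX bit 1 */
/* Leaf 12H sub-leaf 0 EDX: log2 of the maximum enclave size in bytes,
 * bits 7:0 outside 64-bit mode and bits 15:8 in 64-bit mode. */
unsigned max_enclave_log2(uint32_t edx, int mode64) {
    return mode64 ? (edx >> 8) & 0xff : edx & 0xff;
}
/* Leaf 12H sub-leaf >= 2: EAX[3:0] == 1 marks a valid EPC section. */
int epc_valid(const struct regs *r) { return (r->eax & 0xf) == 1; }
/* Base: EAX[31:12] are address bits 31:12, EBX[19:0] are bits 51:32. */
uint64_t epc_base(const struct regs *r) {
    return (r->eax & 0xfffff000u) | ((uint64_t)(r->ebx & 0xfffff) << 32);
}
/* Size: ECX[31:12] are size bits 31:12, EDX[19:0] are bits 51:32. */
uint64_t epc_size(const struct regs *r) {
    return (r->ecx & 0xfffff000u) | ((uint64_t)(r->edx & 0xfffff) << 32);
}

int main(void) {
    printf("family %u, model 0x%x, smx %d, sgx %d\n", display_family(LEAF1.eax),
           display_model(LEAF1.eax), has_smx(LEAF1.ecx), has_sgx(LEAF7.ebx));
    printf("sgx1 %d, sgx2 %d, max 64-bit enclave 2^%u bytes\n",
           has_sgx1(LEAF12_0.eax), has_sgx2(LEAF12_0.eax),
           max_enclave_log2(LEAF12_0.edx, 1));
    if (epc_valid(&LEAF12_2))
        printf("EPC base 0x%llx, size %.1f MiB\n",
               (unsigned long long)epc_base(&LEAF12_2),
               epc_size(&LEAF12_2) / 1048576.0);
    return 0;
}
```

Sub-leaf 2 is the only EPC section this report lists (sub-leaves 3 to 9 are all zero), so its decoded size is the total protected memory reserved for enclaves on this instance.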

ayeks commented May 19, 2018

Thanks for the report! So you are able to execute SGX enclaves on the IBM Cloud Data Guard but the following sgx_tservice functions are not available:

    sgx_create_pse_session
    sgx_close_pse_session
    sgx_get_ps_sec_prop
    sgx_get_trusted_time
    sgx_create_monotonic_counter_ex
    sgx_create_monotonic_counter
    sgx_destroy_monotonic_counter
    sgx_increment_monotonic_counter
    sgx_read_monotonic_counter

Source

ayeks added a commit that referenced this issue May 19, 2018

ayeks commented May 19, 2018

Thanks a lot for your work! I will close the issue for now. Feel free to reopen it if you want to discuss SGX on IBM with the community.

lacabra commented May 21, 2018

@ayeks: To your comment above, that is correct: I am able to execute SGX enclaves without the functions that you outline in your comment. And while not ideal, you can circumvent these, so you can arguably have fully capable SGX instances: you should be able to open a TLS connection to an NTP server you trust from within the enclave to obtain a source of trusted time. If you think of a trusted monotonic counter as an instance of trusted time, you could get both using the same mechanism (these are suggestions from an Intel SGX architect).

ayeks commented May 25, 2018

@lacabra Thank you for the clarification! That makes total sense. I will comment that workaround in the documentation.

ayeks added a commit that referenced this issue Dec 19, 2018
For over 3 weeks the IBM Data Guard page https://ibmdataguard.com/ is offline and no information about that service can be found.