new hardware device from Intel called SGX

This is for discussing general topics about how to use VirtualBox.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

new hardware device from Intel called SGX

Post by Oracleiscool »

(mod edit: originally posted in "Discuss the VirtualBox 7.0.2 release")

Hi Team,
Well I took the dive and got a Windows 11 Machine. It is at 22H2. I noticed in the UEFI there is a new hardware device from Intel called SGX that is talking to Windows. The laptop is performing well. I am not sure (nor do I want to know) what it is being used for on this device. Since I can only guess, it seems to be DRM-related as videos and audio that is secured seems to run faster.

I saw that Intel has linux drivers for the SGX device, but a lot of the code seems to be depreciated (2019). I know there are always features being added to CPU and GPU hardware sets, but this is very strange to see in the UEFI as a controllable asset (On, Off, S/W controlled). Will the setting cause issues running Windows 11 host (current version up) and Linux (possibly MX Linux with "AHS" (their advanced hardware support version) Guest?

Happy to see reports about stability in the ecosystem! Well done!
Last edited by scottgus1 on 12. Nov 2022, 17:40, edited 1 time in total.
Reason: changed topic title
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: new hardware device from Intel called SGX

Post by scottgus1 »

Broken off from "Discuss 7.0.2" since this is more about general Virtualbox rather than a particular version.

I'm not really certain what a new host PC device would do in regard to Virtualbox or a VM run by Virtualbox (unless you see this device in the VM).

One of the intents of a VM is to keep the VM OS as much disconnected from and defined by the host hardware as possible. So a host SGX, whatever that is, wouldn't appear in the VM.

Typically the only piece of host hardware that appears in a Virtualbox VM is the host CPU. Windows 11's need for a TPM has muddied this a little, as Virtualbox now offers a direct link to the host TPM as an option. Virtualbox also offers a virtualized TPM, so the host-CPU-only paradigm can continue.

Where Intel's SGX comes in will depend on what it is. Wikipedia's article says:
Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that ... allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.
SGX involves encryption by the CPU of a portion of memory (the enclave). Data and code originating in the enclave are decrypted on the fly within the CPU, protecting them from being examined or read by other code
Looks like a host OS thing for host OS apps. Whether it'll interfere with Virtualbox hardening will be seen as time goes on.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

Thank you @scottgus1 I just wanted to let other users know what my new HP laptop (15-dw0083) was showing in UEFI. Even though it is a certain model, there are lots of different variations in hardware combinations, and there are a whole host of new security-embedded protocols built into the CPU/GPU Intel uses that are NOT controllable in the UEFI. For those who buy a "more secure" Windows 11, be aware that updates received via Windows Update or from the manufacturer for their device may be blocked by this SGX device or Secure Boot, or Defender, who knows? I have had to turn off UEFI SGX and Secure boot twice now to accept official updates, reboot and re-activate security after install. I posted this info at the feedback hub in MS, their moderator took it off the site. Not sure why.
BillG
Volunteer
Posts: 5100
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: new hardware device from Intel called SGX

Post by BillG »

Not all that new!
Intel SGX.png
Intel SGX.png (45.47 KiB) Viewed 7942 times
Bill
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

Hi @BillG,
Been a while. Yes, I saw that also. Maybe it is "baked" into the processor (N5030) by design? Funny though, Windows 11 runs fine with it or without it. I looked in the drive for some clue, but the folders are all locked by MS. Most seem to be for security and good-bad (white vs black list) type ops. There are some positives to letting it run as configured, but it may create problems for hardware updates from vendors other than MS. White list always scare me when I see them.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

No matter what I read on the current status of (which is changing daily) security, more chip and die devices, more proprietary code, more disabling to enable, having to get the OEM to give up access to hardware via permissions, and a general lack of communication (a lot of these reading assignments are from the OEM and OS vendors) are placing people in experimental mode, and that is good for fixing problems, but starting to put a lot of stress on the ecosystem. Keep striving for perfection!
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

OK Here We Go,
Stock 15-dw0083wm laptop. Preload Windows 11 Home (S Mode). Got the system into regular mode (Just Home). Once that was done, got a ton of updates from HP and the main hardware vendor (Intel). Got that all installed.

Decided during holiday to try and re-format and install Ubuntu as the main OS. What a mess. Ubuntu was not happy in the hardware environment, mainly because of Intel SGX and ACPI and Virtualization devices. All the system (Ubuntu) markers were normal, but the hardware was blocking the Linux OS from using the hardware, even locking down the CPU. Tried several re-loads and turning off settings in UEFI. Nothing helped. I'll mention that the TPM was happy to add the Shim and MOK utility data, so the TPM was happy, but nothing else.

I tried to load VirtualBox (flawless) 7.0, and Windows 11 as a guest, but since the Ubuntu was messed up, there was no functional control (slow and unresponsive) of VB or Win 11. Couple of observations;

1) What ever SGX is holding in its enclaves, it effects any OS without the right "keys" (and the CPU). Obviously, linux does not have the "right stuff"

2) ACPI was whacking out in Ubuntu so bad that it was closing the PCI bus and causing the wireless and touchpad to keep re-starting and breaking. Funny, USB was OK :roll: Back to Windows 11. Sigh :cry: Funny, after a clean re-install, system is faster than it was out of the box. (Lots of system and OEM updates... 22H2)
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

Update:
Got in touch with OEM (HP) on the ability to load a different OS on a lower-end (cost) laptop, and they confirmed what I had already expected. This device was hardware-designed for Windows 11. Yes, you can add UEFI keys for other OS's, but the boot files for the Windows OS and the enclaves for SGX are all designed for Windows 11 only. You cannot just turn off (at least on this device by design) the security devices in UEFI/BIOS and get a successful loadout of a different OS. I did not ask about the CSM module (back to the old BIOS) to see if that would work, but I would have to guess that as long as ANY traces of an efi bootloader or partition was still up and running, it would still block the successful loading of any other OS. Maybe when the device OS is in twilight (near expiration), I will try again with Linux, but not right now. I need a fully functional machine, so it is what it is.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: new hardware device from Intel called SGX

Post by scottgus1 »

In what fashion does this influence your running Virtualbox on the laptop? Folks are running Virtualbox on Windows 11 PCs.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

Sorry so long @scottgus1 to reply, been a busy month....

I have seen some hardware setups that will allow VirtualBox to run on Windows 11 (Not sure if Home or Pro), but I could not get the system to act properly.

I thought it was something I did, so I called the OEM as the machine is still under warranty from HP. They had no explanation except that their vendors only included firmware for Microsoft and the Motherboard (Intel SGX and SOC Graphics) Manufacturer. I did verify the efi partition, saw the other OS information, but nothing will run UNLESS I start the disable feature setups we have all described, then MAYBE it would all work, but I did try that (see above) and it was just not functioning. I need the machine for work, and can't afford to have it misbehave. I will wait for another device to become available so that I can play with the system, and try to get it running. Can Oracle place a certified (Microsoft) copy in the Microsoft Store? If not, why not?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: new hardware device from Intel called SGX

Post by scottgus1 »

We have not received any info from anyone else that I remember, saying that this SGX thing interferes with Virtualbox, and a note from forum guru BillG above that seems to strongly imply it doesn't. You could be barking up the wrong tree.

What does interfere with Virtualbox is Windows host Hyper-V, and anything like WSL2 or Docker that enables Hyper-V. See HMR3Init: Attempting fall back to NEM (Hyper-V is active)
multiOS
Volunteer
Posts: 797
Joined: 14. Sep 2019, 16:51
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: WIN11,10, 7, Linux (various)
Location: United Kingdom

Re: new hardware device from Intel called SGX

Post by multiOS »

SGX is probably a complete red herring, as it is old news when it comes to Intel Core processors. Far from being 'new', it was deprecated by Intel in 2021; and was not built in to either the 11th or 12th Generation processors. Intel support for the technology has only continued in Intel Xeon Processors.

It was in place from 2015 (Series 6) to 2020 (Series 10) microprocessors without incident, so it seems unlikely to be causing significant problems for VirtualBox users now.
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

OK, Here we go,
HP and Intel activated Intel SGX and added IME files (Intel Management Engine) in the Windows 11 folder(s) for some purpose. It is all security related for various vendors to secure their code in the hardware layer before the OS starts (any). Since I live in the US, I have no clue as to what the purpose of the software is here, as opposed to another nations hardware. I know that we are quickly moving into a client-based computer system (they want us all in the cloud anyway) model. None of our support channels will adequately address this userspace, and seem to be given information not to discuss boot, uefi, sgx, ime, etc. That goes for all the vendors mentioned.

Since this is the ONLY thing I see as being different in the hardware that could be causing issues, and I need a bootable (not bricked) device, we will just make the final word on this as a problem for this user, and unsure how it effects others. I can't fix hard-wired security devices from the OEM. (This device was built in 2022).
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: new hardware device from Intel called SGX

Post by scottgus1 »

How do the posts by multiOS and myself above your last post help?
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US

Re: new hardware device from Intel called SGX

Post by Oracleiscool »

Hi @scottgus1,
OK, I'll admit I have no real experience with this Intel specific device(s), especially what runs it, or what it controls. I have not owned an Intel anything since 1992, because I saw so much proprietary hardware and software that it scared me to death, so I moved to ATI and AMD, and now it is 2023 and here we are again. I should have known I was going to see this again when I first unpacked the laptop and saw the intel logo. So when I am out of warranty on this device (9 months) I will try again. Right now I need the stupid thing for work, so I can't play with it.

Oh BTW, I checked the other day for graphics update, it had one from Nov 2022, but Windows 11 was blocking it from Intel, so had to "force" windows to roll back to the "new" driver, then it is now working right (and secure). Afterwards, I ran a full admin sfc scan, and it found "several" system files that did not match the system files, and it "fixed" them. Called OEM next day, they said it was maybe the feature updates that MS now loads in the op code but have not turned on yet, maybe? Ran a scan the next day, same failure, sent to MS, have not heard back, probably never will. They are in their own universe. :lol:

As a close, I checked the site, and right now I am at Windows 11 Version 22H2 (with New Feature Pack) and VB is not yet on 22H2. Got to wait. :(
Locked