Intel SGX Software Stack
The Intel SGX SDK for Linux OS software stack consists of the driver, the SDK, and the platform software.
The SDK and platform software are hosted in the Intel SGX SDK for Linux OS project (linux-sgx) on GitHub.
Intel SGX Support in the Linux Kernel
The mainline Linux kernel has had built-in Intel SGX support since release 5.11. The in-kernel Intel SGX driver requires the platform to support and to be configured for flexible launch control (FLC). Use the mainline kernel with Intel SGX support whenever possible.
There are two other kernel space options available for special use cases:
- If your distribution kernel is older than version 5.11 or does not have the in-kernel Intel SGX support, you can use the Intel SGX DCAP driver as a temporary solution before transitioning to kernel version 5.11 or later. It provides an interface close to the mainline kernel and also requires the platform to support and to be configured for FLC.
- If you need to use a non-FLC platform, the Intel SGX for Linux OS driver project hosts an out-of-tree driver. This driver is provided to support running Intel SGX enclaves on platforms that only support legacy launch control. It may also be installed on platforms configured with FLC, but these platforms will only load production enclaves that conform to the legacy launch control policy.
Get the out-of-tree driver.
For more information, see the Intel SGX SDK for Linux OS Installation Guide.
Note: Although the Intel SGX SDK and platform software are compatible with all of these drivers, the legacy non-FLC driver and the Intel SGX DCAP driver are updated only for critical security fixes. New features or functionalities implemented in the mainline kernel cannot be ported to the legacy non-FLC driver or Intel SGX DCAP driver due to limitations of being out-of-tree implementations.
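The choice among the three kernel-space options above, as an added shell example that is not part of Intel's documentation or code: it reports which driver a host currently has and which option the guidance points to. The module names (isgx, intel_sgx), the /dev/sgx_enclave device node, and the use of the sgx_lc CPU flag as the FLC indicator are assumptions not stated on this page, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Intel's code. Assumed, not stated on the page: module
# names isgx (legacy) and intel_sgx (DCAP), the in-kernel driver's
# /dev/sgx_enclave node, and the sgx_lc /proc/cpuinfo flag as the FLC signal.

# Succeeds when the kernel release string ($1) is 5.11 or newer.
kernel_ge_5_11() {
    rel=${1%%[!0-9.]*}; major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 11 ]; }
}

# Prints yes/no: does the CPU flag list ($1) contain sgx_lc as a whole word?
# A kernel without SGX support may not report the flag, so confirm a "no"
# against the firmware configuration on such hosts.
flc_from_flags() {
    case " $1 " in *" sgx_lc "*) echo yes ;; *) echo no ;; esac
}

# Prints the driver found under filesystem root $1 (default: the live system).
# Out-of-tree modules are checked first; the in-kernel driver is built in
# and is recognised by its device node.
detect_driver() {
    root=${1:-}
    if   [ -d "$root/sys/module/isgx" ];      then echo legacy
    elif [ -d "$root/sys/module/intel_sgx" ]; then echo dcap
    elif [ -e "$root/dev/sgx_enclave" ];      then echo in-kernel
    else echo none
    fi
}

# Prints the option the page's guidance selects for kernel release $1 and
# FLC status $2 (yes/no). "in-kernel" still requires a kernel built with SGX.
sgx_recommend() {
    if [ "$2" != yes ]; then echo legacy-out-of-tree
    elif kernel_ge_5_11 "$1"; then echo in-kernel
    else echo dcap-temporary
    fi
}

# "report" as the first argument prints the result for the local host.
if [ "${1:-}" = report ]; then
    flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    echo "current driver: $(detect_driver)"
    echo "recommended:    $(sgx_recommend "$(uname -r)" "$(flc_from_flags "$flags")")"
fi
```

A host that reports `dcap` or `legacy` as its current driver while `in-kernel` is recommended is running a driver that, per the note above, receives only critical security fixes.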
For patches and ongoing development of new Intel SGX features in the Linux kernel, subscribe to the Linux SGX development mailing list.
This repository contains Intel SGX attestation support targeted for data centers, cloud services providers, and enterprises. This attestation model leverages the Elliptic Curve Digital Signature Algorithm (ECDSA), while the current client-based SGX attestation model is based on Enhanced Privacy Identification (EPID).