X86 cpu sgx disabled by bios linux

New here, question about Seq fault, SGX disabled by bios


ProxmoxBoy1

New Member

Hello all,
This is my first post here.
I'm running @home about 9 months Proxmox 7.xx
This was running ok until last 2 weeks
The vm’s and containers are running but proxmox is greyed out.
The shell is working , reboot fixes the problem for 1 or 2 days

The proxmox host
Intel nuc 8 GM ram //512 GB Disk

Vms Homeassistant 2 cpu / 4GB ram /32gb disk
Container Pihole 1Cpu / 2 GB ram /40GB disk

Recently made some tests with other VM’s import from esxi ( planning to leave esxi platform and move the other server also to Proxmox)
These vm’s are switched off

I have found some info about this on the forum so here is some additional info

root@pve:~# pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.13.19-2-pve)
pve-manager: 7.1-7 (running version: 7.1-7/df5740ad)
pve-kernel-helper: 7.1-6
pve-kernel-5.13: 7.1-5
pve-kernel-5.13.19-2-pve: 5.13.19-4
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.0
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-5
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-14
libpve-guest-common-perl: 4.0-3
libpve-http-server-perl: 4.0-4
libpve-storage-perl: 7.0-15
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.2.0-3
proxmox-backup-client: 2.1.2-1
proxmox-backup-file-restore: 2.1.2-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-4
pve-cluster: 7.1-2
pve-container: 4.1-2
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-3
pve-ha-manager: 3.3-1
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.0-3
pve-xtermjs: 4.12.0-1
qemu-server: 7.1-4
smartmontools: 7.2-1
spiceterm: 3.2-2
swtpm: 0.7.0~rc1+2
vncterm: 1.7-1
zfsutils-linux: 2.1.1-pve3

root@pve:~# dmesg --level=err,warn
[ 0.000000] secureboot: Secure boot could not be determined (mode 0)
[ 0.012126] secureboot: Secure boot could not be determined (mode 0)
[ 0.114710] x86/cpu: SGX disabled by BIOS.
[ 0.116291] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
[ 0.116291] #3
[ 0.117236] ENERGY_PERF_BIAS: Set to 'normal', was 'performance'
[ 0.331062] hpet_acpi_add: no address or irqs in _CRS
[ 0.582090] platform eisa.0: EISA: Cannot allocate resource for mainboard
[ 0.582091] platform eisa.0: Cannot allocate resource for EISA slot 1
[ 0.582093] platform eisa.0: Cannot allocate resource for EISA slot 2
[ 0.582094] platform eisa.0: Cannot allocate resource for EISA slot 3
[ 0.582095] platform eisa.0: Cannot allocate resource for EISA slot 4
[ 0.582096] platform eisa.0: Cannot allocate resource for EISA slot 5
[ 0.582097] platform eisa.0: Cannot allocate resource for EISA slot 6
[ 0.582098] platform eisa.0: Cannot allocate resource for EISA slot 7
[ 0.582099] platform eisa.0: Cannot allocate resource for EISA slot 8
[ 1.736122] usb: port power management may be unreliable
[ 5.333909] spl: loading out-of-tree module taints kernel.
[ 5.337820] znvpair: module license 'CDDL' taints kernel.
[ 5.337824] Disabling lock debugging due to kernel taint
[ 5.653835] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 5.808414] thermal thermal_zone2: failed to read out thermal zone (-61)
[ 14.549281] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[ 20.409702] kauditd_printk_skb: 8 callbacks suppressed
[51739.677867] show_signal_msg: 8 callbacks suppressed
[51739.677870]pvestatd[979]: segfault at 57e3858eae50 ip 000055e37f14814a sp 00007ffde820e150 error 4 in perl[55e37f066000+185000]
[51739.677881] Code: fe ff 48 8b 4c 24 08 49 89 c4 eb a5 0f 1f 40 00 41 55 48 89 d1 49 89 f5 41 54 48 83 ec 18 4c 8b a7 08 01 00 00 4d 85 e4 74 3e 8b 04 24 48 83 87 00 01 00 00 01 48 89 87 08 01 00 00 49 c7 04
[66522.992698] perf: interrupt took too long (3320 > 3136), lowering kernel.perf_event_max_sample_rate to 60000

[ 0.114710] x86/cpu: SGX disabled by BIOS. Could be switched on i think


[ 0.116291] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
I don’t know what to do, maybe nothing

[51739.677870]pvestatd[979]: segfault at, now is there memory overwritten ?
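
Added example, not part of the original post: a decoder for the kernel segfault line quoted in the post above. It splits the x86 page-fault error code into its bits, computes where the faulting instruction sits inside the perl mapping, and applies one heuristic that is an assumption of this example: if flipping a single bit of the bad address would place it within 1 GiB above the binary (where a PIE process usually has its heap), that is a hint to test the RAM, not proof of a fault.

```python
import re

# Kernel format: comm[pid]: segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]
SEGV_RE = re.compile(
    r"(?P<comm>[^\[\]\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# x86 page-fault error code: (mask, meaning if set, meaning if clear)
PF_BITS = [(0x01, "protection violation", "page not mapped"),
           (0x02, "write", "read"),
           (0x04, "user mode", "kernel mode"),
           (0x08, "reserved PTE bit set", None),
           (0x10, "instruction fetch", None)]

HEAP_WINDOW = 1 << 30  # assumption: heap lies within 1 GiB above the mapping


def decode_segfault(line):
    """Return a dict describing one kernel segfault line, or None."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    num = {k: int(v, 16) for k, v in m.groupdict().items()
           if v is not None and k not in ("comm", "pid", "obj")}
    info = {"comm": m["comm"], "pid": int(m["pid"]), "obj": m["obj"], **num}
    info["access"] = [s if num["err"] & mask else c
                      for mask, s, c in PF_BITS
                      if (num["err"] & mask) or c is not None]
    if m["obj"]:
        # Offset of the faulting instruction from the start of the mapping
        # (add the mapping's file offset before symbolizing).
        info["ip_offset"] = num["ip"] - num["base"]
        # Heuristic: which single-bit flips of the bad address would put it
        # just above the binary, where the heap normally is?
        info["one_bit_from_heap"] = [
            b for b in range(48)
            if 0 <= (num["addr"] ^ (1 << b)) - num["base"] < HEAP_WINDOW]
    return info


# The line from the post above, copied as quoted there.
SAMPLE = ("[51739.677870]pvestatd[979]: segfault at 57e3858eae50 ip "
          "000055e37f14814a sp 00007ffde820e150 error 4 in "
          "perl[55e37f066000+185000]")

if __name__ == "__main__":
    print(decode_segfault(SAMPLE))
```

For this line the decoder reports a user-mode read of an unmapped page at offset 0xe214a into the perl mapping, and bit 41 as the only single-bit flip that would bring the address back next to the binary.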


"SGX disabled by BIOS" message when booting Ubuntu 20.04

A few days ago I noticed that the following message appears when booting Ubuntu 20.04 (it did not appear before):

[ 0.113770] x86/cpu: SGX disable by BIOS. 

After a bit of research I found other people having this "problem". In the cases I saw, the OS did not even boot after this error (apparently because the OS does not detect the disks), but that is not my case: my disks are detected correctly and Ubuntu 20.04 starts as if nothing had happened.

So for me this is not really a problem, but I am worried that it could turn into one. So I want to know whether there is a solution. I looked in my BIOS but did not find an option to enable SGX.

My motherboard and CPU are "MSI H510M Pro-E" and "Intel Core i5 10400" (I use the integrated graphics; specifically, they are called "Intel HD Graphics 630").

2 answers

This started to show up when you upgraded to kernel 5.13.

SGX stands for "Intel Software Guard eXtensions" and is "a hardware-based isolation and memory encryption mechanism provided by modern Intel® CPUs". In the BIOS you may find a switch with 2 or 3 possible options:

  • Disable
  • Enable: all SGX instructions and resources are available to applications.
  • Software Controlled: SGX can be enabled by software applications on request.

If the option is not there, you may get it through a BIOS update. Otherwise, if you want to get rid of it, add to the grub defaults (see "How do I add a kernel boot parameter?" for how to add a parameter). This is not necessary, as it is harmless, so simply ignoring it is also an option.


For me, this hang at SGX was caused by a change to the X11/Synaptics configuration. If you did that, your solution may be to remove its configuration from a root recovery terminal.

/questions/409857/kak-ya-mogu-polnostyu-udalit-drajver-nvidia/742904#742904 describes the necessary step. You can also revert the changes you made, which seems a much safer option than removing it completely.

I have no idea why fiddling with the configuration can have such terrible, almost untraceable consequences. All I did was make a few changes related to touchpad scrolling speed.


Arch Linux

I’m encountering two kernel (syslog «error»/level 3) messages that are spammed into getty and logged to the systemd journal on every boot:

archlinux kernel: x86/cpu: SGX disabled by BIOS.
kernel: intel-spi 0000:00:1f.5: invalid resource

The address next to intel-spi in the logs stays the same across reboots. I do not have access to the BIOS on this remote machine.
I do not care about Intel SGX, however none of the related kernel modules I found online can be found:

$ lsmod | grep -i sgx
$ modinfo intel_sgx
modinfo: ERROR: Module intel_sgx not found.
$ modinfo isgx
modinfo: ERROR: Module isgx not found.
$ modinfo Csgx
modinfo: ERROR: Module Csgx not found.
$ modinfo sgx
modinfo: ERROR: Module sgx not found.

I have blacklisted all of the possible module names listed above anyway. Will this break anything?
From what I understand, SPI would allow applications to update the BIOS firmware (f.e. with fwupd or gnome-firmware?), which I would be interested in. How can I get it to work/fix the cryptic reported error message? I was not able to find anything helpful myself (other than suggestions of disabling it).

#2 2021-08-30 15:31:43

Re: Kernel reports 2 intel module error messages on every boot

If it’s a one off message I’d say you shouldn’t care too much, and chances of breaking something are much higher than simply resisting the urge of caring about the message. As you’ve noticed it’s not any of these kernel modules and blacklisting them will not have any effect since they do not exist. It’s not a module but a processor feature that is disabled in your BIOS and the kernel informs you of this fact, should this maybe not be a level 3 message? Possibly. Is it likely to have a lasting negative effect? Unlikely.

I’d assume it’s likely that both of the underlying features here are disabled in your BIOS and you won’t get around getting access to it at least once if you actually want to make use of the SPI relevant parts.

Last edited by V1del (2021-08-30 15:37:19)
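
The state behind this boot message can be read directly, which also shows why blacklisting modules changes nothing. An added example, not from the thread or the kernel source: it decodes the lock, SGX and launch-control bits of the IA32_FEATURE_CONTROL MSR (0x3A) and checks for the sgx flag in /proc/cpuinfo text. The sample MSR value and cpuinfo text are constructed; `sgx_report` and `cpu_flags` are names chosen for this example.

```python
import os
import struct

MSR_IA32_FEAT_CTL = 0x3A   # IA32_FEATURE_CONTROL
FEAT_CTL_LOCKED = 1 << 0   # once set, the MSR is read-only until reset
FEAT_CTL_SGX_LC = 1 << 17  # SGX launch control enabled
FEAT_CTL_SGX = 1 << 18     # SGX enabled


def read_feat_ctl(cpu=0):
    """Read the MSR through /dev/cpu/N/msr (needs root and the msr module)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, MSR_IA32_FEAT_CTL))[0]
    finally:
        os.close(fd)


def cpu_flags(cpuinfo_text):
    """Feature flags of the first CPU listed in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def sgx_report(feat_ctl, cpuinfo_text):
    """Summarize SGX state from the MSR value and /proc/cpuinfo text."""
    flags = cpu_flags(cpuinfo_text)
    return {
        "locked": bool(feat_ctl & FEAT_CTL_LOCKED),
        "sgx_enabled_in_msr": bool(feat_ctl & FEAT_CTL_SGX),
        "launch_control": bool(feat_ctl & FEAT_CTL_SGX_LC),
        # The kernel drops the "sgx" flag when it finds SGX disabled.
        "kernel_exposes_sgx": "sgx" in flags,
        # Locked with the SGX bit clear: only firmware can change it,
        # so no module load or blacklist entry has any effect.
        "firmware_only_fix": bool(feat_ctl & FEAT_CTL_LOCKED)
                             and not feat_ctl & FEAT_CTL_SGX,
    }


# Constructed sample values (not taken from any machine in the thread).
SAMPLE_MSR = 0x5  # locked, VMX enabled outside SMX, SGX bit clear
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme msr vmx aes\n"

if __name__ == "__main__":
    print(sgx_report(SAMPLE_MSR, SAMPLE_CPUINFO))
```

On a live host, pass `read_feat_ctl()` and the contents of /proc/cpuinfo instead of the sample values.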

#3 2021-08-30 23:05:48

Re: Kernel reports 2 intel module error messages on every boot

I too have been seeing the SGX disabled message recently in my logs, this post spurred me to do some digging.

Going through my journal, it looks like it started for me on 2021-07-20, which when I checked my pacman logs, is when I upgraded linux from 5.12.15 to 5.13.4.


As I could find no setting in my BIOS that was related to these Software Guard Extensions, I did some cursory google-fu about the SGX message and found this interesting link. It purports to explain how to enable this via «software opt-in», see quote from page below for reference:

Intel® Software Guard Extensions (SGX) is a hardware-based isolation and memory encryption mechanism provided by modern Intel® CPUs. Normally, it is disabled in the BIOS by the manufacture of your motherboard. In order to use it, the SGX option in the BIOS must be set to Enable or Software Controlled.

By setting the option to Enable, all of the SGX instructions and resources are available to applications, making it easy to deploy SGX related program on your machine. However, in some motherboards, the only available options in the BIOS are Software Controlled and Disable. According to the official document of Intel, Software Controlled indicates that Intel SGX can be enabled by software applications, but it is not available until this occurs (called the “software opt-in”).

The only other link I found that was semi relevant for me was a Dell support forum post with no replies. I am using a precision 5510, not 3510, but same era model cpu. Again I don’t see any options in my BIOS about SGX.

I don’t have any messages related to intel-spi. But interestingly, I was unable to use fwupdmgr to update to the latest BIOS recently. It saw I had an available upgrade and downloaded it, but once downloaded told me I didn’t have any available devices?

Last edited by CarbonChauvinist (2021-08-30 23:06:50)

«the wind-blown way, wanna win? don’t play»


Thread: SGX disabled by BIOS

davyyg (First Cup of Ubuntu)

SGX disabled by BIOS

I installed dual OS: Ubuntu & Win 11. It normally works until one day, when I tried to enter ubuntu it shows me this error message:

In Advance Tab, I only see:

ActionParsnip (Ubuntu Member)

Re: SGX disabled by BIOS

tea for one (Ubuntu addict and loving it)

Re: SGX disabled by BIOS

Originally posted by davyyg:

I installed dual OS: Ubuntu & Win 11. It normally works until one day, when I tried to enter ubuntu it shows me this error message:
SGX disabled by BIOS.

I do not think that this is an error message, probably just providing information.

It refers to Software Guard Extensions — a set of security-related instruction codes that are built into some Intel central processing units.

You should have the option to enable/disable this in UEFI settings (security tab?)
On my PC, It has been disabled for more than 3 years without presenting any problem.
The message appears for less than one second and I always ignore it.

Enterprise/business users may find it beneficial if each PC is used by more than one employee.
For home users, generally not essential.
