Date: 2024-04-03

Modern PCs ship with capable antivirus software and several safety provisions to protect your data from viruses, spyware, keyloggers, and other malware. If you want the strongest protection available, there are further precautionary features you can look into.

One of these is Intel SGX, which is perfect for developers and organizations that need protection from security vulnerabilities in many apps and executable files. In this article, we’ll go over everything you need to know about SGX, including its pros, cons, and the procedure to enable it on your high-end processor.


What is Intel SGX?

Intel Software Guard Extensions (SGX) is a processor feature that uses hardware-level encryption to protect sensitive data from security breaches. SGX works with enclaves: isolated, encrypted regions of memory that act as trusted execution environments. Applications use these regions to hold confidential data, and the RAM occupied by an enclave cannot be accessed by any other process, application, or even the operating system. Because the key needed to decrypt that memory never leaves the processor, gaining unauthorized access to the data stored inside an enclave is extremely difficult.

Every application developed with SGX is split into a trusted part and an untrusted part. When the app runs, the untrusted part creates an enclave in RAM. The enclave holds the trusted part and is responsible for encrypting all the sensitive information the application needs.

Whenever the untrusted part needs to access the enclave, it calls a trusted function and switches to the enclave for execution. Once the enclave finishes processing the confidential data, the application goes back to the untrusted part. It resumes normal execution while the enclave continues to hold on to the sensitive information.

Should you use Intel SGX?


If you have access to Intel Xeon chips, Intel SGX is a great way to safeguard your data from software-based attacks. Because the enclave memory is encrypted in hardware, attackers also can't read your data even if they gain access to the physical hardware, including the RAM itself.

That said, apps running on Software Guard Extensions can still be compromised. For example, SGX is vulnerable to side-channel attacks. Although Intel has released security advisories and fixes for several vulnerabilities in the past, the ÆPIC leak vulnerability, which affects many Intel Core and Xeon Ice Lake processors, has yet to be patched. Plus, malware-ridden code can still cause damage if it's run inside the enclave; SGX protects the enclave from the outside world, not from the code it executes.

How to enable Intel SGX?

SGX was added with the 6th-generation Skylake series, though Intel deprecated this feature for all Intel Core CPUs starting with the Tiger Lake (11th gen) family. As such, you can only access SGX if you have an older Intel Core processor.

Meanwhile, SGX is more prominent on Intel Xeon E-processors released after 2019, and you can use this link to check whether your Xeon CPU supports SGX.
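Besides Intel's specification pages, the processor itself reports SGX support through the CPUID instruction. The following program is an added example written for this article, not code from Intel or the SGX activation app: it decodes the SGX bits of CPUID leaf 7 and leaf 0x12 (whether the silicon implements SGX, the SGX1/SGX2 instruction sets, the maximum enclave size, and the sizes of the Enclave Page Cache sections the firmware has reserved). Note that the leaf 7 bit only says the CPU implements SGX; whether the BIOS has actually enabled it is recorded in a model-specific register the operating system reads, which is why the BIOS steps below are still necessary.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif

struct regs { uint32_t eax, ebx, ecx, edx; };

/* Query one CPUID leaf/sub-leaf. On a non-x86 build this returns zeros. */
static struct regs cpuid_query(uint32_t leaf, uint32_t sub) {
    struct regs r = {0, 0, 0, 0};
#if defined(__x86_64__) || defined(__i386__)
    __get_cpuid_count(leaf, sub, &r.eax, &r.ebx, &r.ecx, &r.edx);
#endif
    return r;
}

/* CPUID.(EAX=07H,ECX=0):EBX[2]: the silicon implements SGX.
 * This bit is set even when the BIOS has not opted in. */
int sgx_implemented(uint32_t leaf7_ebx) { return (leaf7_ebx >> 2) & 1u; }

/* CPUID.(EAX=12H,ECX=0):EAX[0] / EAX[1]: SGX1 / SGX2 instruction sets. */
int sgx1_supported(uint32_t leaf12_eax) { return leaf12_eax & 1u; }
int sgx2_supported(uint32_t leaf12_eax) { return (leaf12_eax >> 1) & 1u; }

/* CPUID.(EAX=12H,ECX=0):EDX[15:8]: log2 of the largest 64-bit enclave. */
uint64_t max_enclave_size_64(uint32_t leaf12_edx) {
    return 1ULL << ((leaf12_edx >> 8) & 0xffu);
}

/* CPUID.(EAX=12H,ECX=n>=2): one EPC section per sub-leaf. EAX[3:0]==1 marks
 * a valid section; its size is ECX[31:12] | EDX[19:0]<<32. Returns 0 for an
 * invalid sub-leaf, which also terminates the enumeration. */
uint64_t epc_section_size(struct regs r) {
    if ((r.eax & 0xfu) != 1u) return 0;
    return ((uint64_t)(r.edx & 0xfffffu) << 32) | (r.ecx & 0xfffff000u);
}

int main(void) {
    struct regs l7 = cpuid_query(7, 0);
    if (!sgx_implemented(l7.ebx)) { puts("SGX: not implemented by this CPU"); return 0; }
    struct regs l12 = cpuid_query(0x12, 0);
    printf("SGX1=%d SGX2=%d max 64-bit enclave=%llu MiB\n",
           sgx1_supported(l12.eax), sgx2_supported(l12.eax),
           (unsigned long long)(max_enclave_size_64(l12.edx) >> 20));
    for (uint32_t sub = 2; ; sub++) {        /* walk the EPC sections */
        uint64_t sz = epc_section_size(cpuid_query(0x12, sub));
        if (sz == 0) break;
        printf("EPC section %u: %llu MiB\n", sub - 2, (unsigned long long)(sz >> 20));
    }
    return 0;
}
```

If the program prints "not implemented", no BIOS setting will help; if SGX is implemented but no EPC section is listed, the BIOS opt-in described further down is the usual missing step.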

The exact steps to enable Intel SGX will vary depending on your CPU model. Regardless, the first step is to install the Intel SGX activation app from the Microsoft Store:

1. Head to this Microsoft Store link.
2. Press the Download button and select Open Microsoft Store when prompted by your web browser.
3. Click on the Install button.
4. Once installed, open the Start menu, right-click on the Intel SGX app, then choose More and Run as administrator.
5. Click on Activate to enable Intel SGX.
6. The Activate button will be grayed out, and the app will display the "Intel SGX is activated" message.

Install Intel Management Engine drivers

Some processors, like the Intel Core i7-7700HQ I’ve used for this article, may require you to install the Intel Management Engine drivers.

1. Use this link to download the drivers.
2. Unzip the folder and run SetupME.exe with admin privileges.
3. Click Next on the welcome page.
4. Accept the license agreement before hitting Next.
5. Click on the Finish button to wrap up the installation.

Modify BIOS settings

On the other hand, certain CPUs may require you to enable Intel SGX and modify some settings in the BIOS.

1. Restart your system, and keep tapping the Delete key to enter the BIOS. If you're on a laptop, you can boot into the BIOS using the F2 key.
2. Navigate to the Advanced tab and open Memory Configuration.
3. Change the Memory Mirroring Possible, UMA-Based Clustering, Patrol Scrub, and Mirror Mode settings to Disabled.
4. Set the Memory Corrected Error option to Enabled.
5. Head back to the Advanced tab and enter Processor Configuration.
6. Set Total Memory Encryption (TME) and Intel SGX to Enabled.

Note that some of these options may have different names depending on the brand of your laptop and BIOS.

Intel SGX: An extra layer of protection for developers

Despite its faults and the trouble you’ll need to go through to enable it, Intel SGX is a great way to enhance the security of executable files. Unfortunately, finding a processor that’s compatible with it is easier said than done. Plus, the average user is better off getting a modern CPU instead of searching for an outdated processor or an enterprise-grade Intel Xeon chip just to enable the Software Guard Extensions.