Secretd init-enclave --reset - sw hardening needed?


I’m very confused about init-enclave sw hardening error.

Hyperthreading is switched to “Disabled” and no option available for overclocking/underclocking.

hw: Lenovo x1 extreme gen1, BIOS is patched (

“ERROR [wasmi_runtime_enclave::registration::cert] Platform is updated but requires further BIOS configuration
ERROR [wasmi_runtime_enclave::registration::cert] The following vulnerabilities must be mitigated: [“INTEL-SA-00161”, “You must disable hyperthreading in the BIOS”, “INTEL-SA-00289”, “You must disable overclocking/undervolting in the BIOS”]
Platform status is SW_HARDENING_AND_CONFIGURATION_NEEDED. This means is updated but requires further BIOS configuration”

What’s happening? Wrong kernel, wrong sgx kernel module, wrong bios, wrong intel api calls or I just missed some BIOS option?

root@x1e:~# sgx-detect --verbose
Detecting SGX, this may take a minute…
:heavy_check_mark: SGX instruction set
:heavy_check_mark: CPU support
:heavy_check_mark: CPU configuration
:heavy_check_mark: Enclave attributes
:heavy_check_mark: Enclave Page Cache
SGX features
Total EPC size: 93.5MiB
✘ Flexible launch control
:heavy_check_mark: CPU support
:heavy_check_mark: CPU configuration
✘ Able to launch production mode enclave
:heavy_check_mark: SGX system software
:heavy_check_mark: SGX kernel device (/dev/isgx)
:heavy_check_mark: libsgx_enclave_common
:heavy_check_mark: AESM service
:heavy_check_mark: Able to launch enclaves
:heavy_check_mark: Debug mode
✘ Production mode
:heavy_check_mark: Production mode (Intel whitelisted)

🕮 SGX system software > Able to launch enclaves > Production mode
The enclave could not be launched. This might indicate a problem with FLC.

debug: failed to load report enclave
debug: cause: failed to load report enclave
debug: cause: The EINITTOKEN provider didn’t provide a token
debug: cause: aesm error code GetLicensetokenError_6

More information:

You’re all set to start running SGX programs!

root@x1e:~# uname -a
Linux x1e 5.4.0-48-generic #52~18.04.1-Ubuntu SMP Thu Sep 10 12:50:22 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

any ideas?

Can you share output of: sudo dmidecode -s bios-version ?


syck@x1e:~$ sudo dmidecode -s bios-version
N2EET49W (1.31 )

It is the latest one.
You linked a security advisory that only refers to INTEL-SA-00289.
Looking at this advisory (INTEL-SA-00161) which refers to this one, your model doesn’t appear on the list. This maybe means there’s no patch released for your model yet?

Other than that, may I ask why are you trying to run a node from a laptop? If it is for dev purposes, I’d advise you to run in software mode. Easiest way will be to use our docker image