# Verify your SGX setup

# Background

To ensure the entire network runs on SGX nodes, we use a process called registration. Each node runner performs it; it authenticates the local enclave with the Intel Attestation Service and on-chain.

This process verifies that the local node is running a genuine enclave and that the platform is patched and not vulnerable to known exploits. You may be running SGX-enabled hardware and still be missing microcode or firmware updates that affect SGX security.

For this reason, we recommend checking the result of the attestation process ahead of time, which can tell you if an update is required.

Note: the incentivized testnet runs with more relaxed requirements than mainnet. Be aware that your incentivized testnet setup may not work on mainnet if you do not verify it.

# Instructions

These instructions refer to an installation using:

See SGX installation instructions here

Other driver/OS combinations are not guaranteed to work with these instructions. Let us know on chat.scrt.network if you intend to run on a different setup.

# 1. Download the test package

```bash
wget https://github.com/scrtlabs/SecretNetwork/releases/download/v1.0.0/secretnetwork_1.0.0_amd64.deb
```

# 2. Unpack

```bash
# This will install secretd
sudo dpkg -i secretnetwork_1.0.0_amd64.deb
```

# 3. Initialize the enclave

Create the .sgx_secrets directory in your home directory if it doesn't already exist:

```bash
mkdir -p ~/.sgx_secrets
```

Then initialize the enclave:

```bash
SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave
```

or, to print only the status field:

```bash
SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave | grep -Po 'isvEnclaveQuoteStatus":".+?"'
```

This step, if successful, produces output similar to this:


(or, with the grep variant, isvEnclaveQuoteStatus":"SW_HARDENING_NEEDED")

The important fields are isvEnclaveQuoteStatus and advisoryIDs. These are the fields that mark the trust level of your platform. The acceptable values for the isvEnclaveQuoteStatus field are:

  • OK

With the following value accepted for testnet only:


For the status CONFIGURATION_AND_SW_HARDENING_NEEDED we perform a deeper inspection of the exact vulnerabilities that remain, as listed in the advisoryIDs field. The acceptable values for mainnet are:

  • "INTEL-SA-00334"
  • "INTEL-SA-00219"

Consult the Intel Attestation Service API documentation for more on these values.

If you do not see such an output, look for a file called attestation_cert.der, which should have been created in your $HOME directory. You can then run `secretd parse <path/to/attestation_cert.der>` to check the result; a successful result is a 64 byte hex string (e.g. 0x9efe0dc689447514d6514c05d1161cea15c461c62e6d72a2efabcc6b85ed953b).

# 4. What to do if this didn't work?

  1. Running secretd init-enclave should have created a file called attestation_cert.der. This file contains the attestation report from above.
  2. Contact us on the proper channels on chat.scrt.network.
  3. The details we will need in order to investigate include:
    • Hardware specs
    • SGX PSW/driver versions
    • BIOS versions
    • The file attestation_cert.der

# 5. Troubleshooting

# Output is:

```
secretd init-enclave
2020-07-12 13:21:31,864 ERROR [go_cosmwasm] Error :(
ERROR: failed to initialize enclave: Error calling the VM: SGX_ERROR_ENCLAVE_FILE_ACCESS
```

Make sure the environment variable SCRT_ENCLAVE_DIR=/usr/lib is set before you run secretd.

# Output is:

```
secretd init-enclave
ERROR  [wasmi_runtime_enclave::crypto::key_manager] Error sealing registration key
ERROR  [wasmi_runtime_enclave::registration::offchain] Failed to create registration key
2020-07-12 13:37:26,690 ERROR [go_cosmwasm] Error :(
ERROR: failed to initialize enclave: Error calling the VM: SGX_ERROR_UNEXPECTED
```

Make sure the directory ~/.sgx_secrets/ exists. If that still doesn't work, try creating /root/.sgx_secrets as well.

# Output is:

```
secretd init-enclave
ERROR  [wasmi_runtime_enclave::registration::attestation] Error in create_attestation_report: SGX_ERROR_SERVICE_UNAVAILABLE
ERROR  [wasmi_runtime_enclave::registration::offchain] Error in create_attestation_certificate: SGX_ERROR_SERVICE_UNAVAILABLE
ERROR: failed to create attestation report: Error calling the VM: SGX_ERROR_SERVICE_UNAVAILABLE
```

Make sure the aesmd service is running: `systemctl status aesmd.service`
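The three failures above each come down to a precondition that is easy to check before rerunning init-enclave. The following script is an added example, not part of secretd: it pulls the SGX error codes out of a captured init-enclave output, ties each to the precondition the matching fix names (SCRT_ENCLAVE_DIR set, ~/.sgx_secrets present, aesmd active), and reports the state of that precondition together with the remedy. The checks take their inputs as arguments so the same code runs against the live machine (defaults) or against constructed values; the sample output is constructed from the error lines shown above.

```python
"""Triage `secretd init-enclave` failures by checking the preconditions behind them.

Added example, not part of secretd. Error code -> precondition -> remedy is taken
from the troubleshooting entries on this page.
"""
import os
import re
import subprocess

# SGX error code -> (precondition name, remedy), from the entries above.
KNOWN_FAILURES = {
    "SGX_ERROR_ENCLAVE_FILE_ACCESS": ("enclave_dir", "set SCRT_ENCLAVE_DIR=/usr/lib before running secretd"),
    "SGX_ERROR_UNEXPECTED": ("sgx_secrets", "create ~/.sgx_secrets (or /root/.sgx_secrets)"),
    "SGX_ERROR_SERVICE_UNAVAILABLE": ("aesmd", "start the AESM service; check with systemctl status aesmd.service"),
}


def sgx_error_codes(output: str) -> list:
    """Distinct SGX_ERROR_* codes in the output, in order of first appearance."""
    seen = []
    for code in re.findall(r"SGX_ERROR_[A-Z_]+", output):
        if code not in seen:
            seen.append(code)
    return seen


def check_enclave_dir(env) -> bool:
    """SCRT_ENCLAVE_DIR must be set and point at an existing directory."""
    path = env.get("SCRT_ENCLAVE_DIR", "")
    return bool(path) and os.path.isdir(path)


def check_sgx_secrets(home: str) -> bool:
    """~/.sgx_secrets must exist; the enclave seals its registration key there."""
    return os.path.isdir(os.path.join(home, ".sgx_secrets"))


def check_aesmd(run=subprocess.run) -> bool:
    """aesmd.service must be active; `systemctl is-active --quiet` exits 0 when it is."""
    try:
        return run(["systemctl", "is-active", "--quiet", "aesmd.service"], check=False).returncode == 0
    except FileNotFoundError:  # no systemctl on this host
        return False


def diagnose(output: str, env=None, home=None, run=subprocess.run) -> list:
    """One finding per SGX error code: the precondition's state plus the page's remedy."""
    env = dict(os.environ) if env is None else env
    home = os.path.expanduser("~") if home is None else home
    checks = {
        "enclave_dir": lambda: check_enclave_dir(env),
        "sgx_secrets": lambda: check_sgx_secrets(home),
        "aesmd": lambda: check_aesmd(run),
    }
    findings = []
    for code in sgx_error_codes(output):
        if code not in KNOWN_FAILURES:
            findings.append(f"{code}: not in the troubleshooting list above")
            continue
        precondition, remedy = KNOWN_FAILURES[code]
        state = "ok" if checks[precondition]() else "FAILED"
        findings.append(f"{code}: {precondition} {state}; {remedy}")
    return findings


# Constructed sample, built from the second error output on this page.
SAMPLE_FAILURE = """ERROR  [wasmi_runtime_enclave::crypto::key_manager] Error sealing registration key
ERROR: failed to initialize enclave: Error calling the VM: SGX_ERROR_UNEXPECTED
"""

if __name__ == "__main__":
    # Usage: SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave 2>&1 | python3 triage_enclave.py
    import sys
    for finding in diagnose(sys.stdin.read()):
        print(finding)
```

A precondition reported as "ok" next to its error code means the fix listed for that code is probably not the cause, and the details listed in section 4 should be collected instead.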

# Output is:

```
secretd init-enclave
Creating new enclave registration key
2021-07-27 02:37:24,017 INFO  [cosmwasm_sgx_vm::seed] Initializing enclave..
2021-07-27 02:37:25,962 INFO  [cosmwasm_sgx_vm::seed] Initialized enclave successfully!
ERROR  [wasmi_runtime_enclave::registration::cert] Platform is updated but requires further BIOS configuration
ERROR  [wasmi_runtime_enclave::registration::cert] The following vulnerabilities must be mitigated: ["INTEL-SA-00161", "You must disable hyperthreading in the BIOS", "INTEL-SA-00289", "You must disable overclocking/undervolting in the BIOS"]
Platform status is SW_HARDENING_AND_CONFIGURATION_NEEDED. This means is updated but requires further BIOS configuration
```

Please disable hyperthreading and overclocking/undervolting (Turboboost) in your BIOS.

# I'm seeing CONFIGURATION_AND_SW_HARDENING_NEEDED in the isvEnclaveQuoteStatus field, but with more advisories than what is allowed

This could mean a number of different things related to the configuration of the machine. Most common are:

  • ["INTEL-SA-00161", "INTEL-SA-00233"] - Hyper-threading must be disabled in the BIOS
  • ["INTEL-SA-00289"] - Overclocking/undervolting must be disabled in the BIOS (sometimes known as Turboboost)
  • ["INTEL-SA-00219"] - Integrated graphics should be disabled in the BIOS; we recommend performing this step if you can, though it isn't required
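The acceptance rules from section 3 (status OK, or CONFIGURATION_AND_SW_HARDENING_NEEDED with only allowed advisories) and the advisory-to-BIOS-setting list above fit naturally into one check you can pipe init-enclave output through. The script below is an added example, not code from SecretNetwork/secretd: it locates the report JSON in the output (the field names isvEnclaveQuoteStatus and advisoryIDs are those of the Intel Attestation Service report), applies the page's rules, and names the BIOS change for each advisory that would block registration. The sample reports are constructed. One assumption is labelled in the code: the page does not show which extra status testnet accepts, and the grep example shows SW_HARDENING_NEEDED, so that value is used as the testnet-only status.

```python
"""Check `secretd init-enclave` output against the registration policy on this page.

Added example, not code from SecretNetwork/secretd. Rules and advisory mapping are
taken from sections 3 and 5 of this page; sample reports are constructed.
"""
import json
import sys
from dataclasses import dataclass, field

# Mainnet rule: OK always passes; CONFIGURATION_AND_SW_HARDENING_NEEDED passes
# only when every remaining advisory is in this set.
MAINNET_ALLOWED_ADVISORIES = frozenset({"INTEL-SA-00334", "INTEL-SA-00219"})

# Assumption: the page says testnet accepts one extra status and its grep example
# shows SW_HARDENING_NEEDED, so that is the value used here for testnet.
TESTNET_EXTRA_STATUSES = frozenset({"SW_HARDENING_NEEDED"})

# Advisory -> BIOS remediation, from the troubleshooting list above.
REMEDIATION = {
    "INTEL-SA-00161": "disable hyper-threading in the BIOS",
    "INTEL-SA-00233": "disable hyper-threading in the BIOS",
    "INTEL-SA-00289": "disable overclocking/undervolting (Turboboost) in the BIOS",
    "INTEL-SA-00219": "disable integrated graphics in the BIOS (recommended, not required)",
}


@dataclass
class Verdict:
    accepted: bool
    status: str
    advisories: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def extract_report(raw_output: str) -> dict:
    """Return the first JSON object in the output; log lines may precede or follow it."""
    decoder = json.JSONDecoder()
    pos = raw_output.find("{")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(raw_output, pos)
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass
        pos = raw_output.find("{", pos + 1)
    raise ValueError("no attestation report JSON found in output")


def evaluate(report: dict, network: str = "mainnet") -> Verdict:
    """Status check first, then the advisory allowlist, as the page describes."""
    status = str(report.get("isvEnclaveQuoteStatus", "MISSING"))
    advisories = list(report.get("advisoryIDs", []))
    if status == "OK":
        return Verdict(True, status, advisories)
    if status == "CONFIGURATION_AND_SW_HARDENING_NEEDED":
        disallowed = [a for a in advisories if a not in MAINNET_ALLOWED_ADVISORIES]
        actions = [f"{a}: {REMEDIATION.get(a, 'see the Intel advisory')}" for a in disallowed]
        return Verdict(not disallowed, status, advisories, actions)
    if network == "testnet" and status in TESTNET_EXTRA_STATUSES:
        return Verdict(True, status, advisories, ["accepted on testnet only; expect this to fail on mainnet"])
    return Verdict(False, status, advisories, [f"status {status} is not accepted on {network}"])


def check_output(raw_output: str, network: str = "mainnet") -> Verdict:
    return evaluate(extract_report(raw_output), network)


# Constructed samples; the first mimics the log lines printed before the report.
SAMPLE_OK = """Creating new enclave registration key
2021-07-27 02:37:24,017 INFO  [cosmwasm_sgx_vm::seed] Initializing enclave..
{"id": "constructed-report-1", "version": 4, "isvEnclaveQuoteStatus": "OK"}
"""
SAMPLE_ALLOWED = '{"isvEnclaveQuoteStatus": "CONFIGURATION_AND_SW_HARDENING_NEEDED", "advisoryIDs": ["INTEL-SA-00334"]}'
SAMPLE_HT = '{"isvEnclaveQuoteStatus": "CONFIGURATION_AND_SW_HARDENING_NEEDED", "advisoryIDs": ["INTEL-SA-00161", "INTEL-SA-00334"]}'
SAMPLE_SW = '{"isvEnclaveQuoteStatus": "SW_HARDENING_NEEDED"}'

if __name__ == "__main__":
    # Usage: SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave 2>&1 | python3 check_attestation.py [mainnet|testnet]
    net = sys.argv[1] if len(sys.argv) > 1 else "mainnet"
    v = check_output(sys.stdin.read(), net)
    print(f"{'ACCEPTED' if v.accepted else 'REJECTED'} on {net}: status={v.status} advisories={v.advisories}")
    for line in v.actions:
        print(" -", line)
    sys.exit(0 if v.accepted else 1)
```

The exit code makes the script usable as a gate in a provisioning playbook: run it once after the BIOS changes and again after every microcode or PSW update, since either can change the advisory set the attestation service reports.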

If you are still having trouble getting rid of INTEL-SA-00219 and INTEL-SA-00289, here are some possible settings to look for outside of the CPU settings:

  • Primary Display = 'PCI Express'
  • IGPU Multi-Monitor = Disabled
  • Onboard VGA = Disabled

Most likely you tried reinstalling the driver and rerunning the enclave; restarting should solve the problem.