Requirements

Enarx requires specific hardware to run, namely a CPU with a supported Trusted Execution Environment. Currently, Enarx has support for Intel SGX and AMD SEV-SNP.

For Intel, our recommendation would be the 3rd Gen Intel Xeon Scalable Ice Lake. This article provides a comprehensive analysis of the different models. The 5318Y or 5318S provide good value.

For AMD our recommendation would be the EPYC 7003 Milan. This article offers an analysis of the different models. The 7313 seems like a good value.

Setting up an SGX machine

  • Run a recent kernel with SGX support compiled in
  • Set the SGX device node permissions
# groupadd -r sgx_prv
# cat > /etc/udev/rules.d/99-sgx.rules <<EOF
SUBSYSTEM=="misc", KERNEL=="sgx_provision", MODE="0660", GROUP="sgx_prv"
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", MODE="0666"
EOF

Hardware requirements for SGX

  • Is there IPMI support on the NUC7CJYH?
    • There is a similar technology called Intel AMT (ref1, ref2) that is present on NUCs with i5 Ivy Bridge processors.
    • Running an AMT check on the NUC7CJYH produces the result Error: Management Engine refused connection. This probably means the NUC7CJYH does not have AMT.
  • Are there other NUC models that support SGX2?
  • Are SGX features accessible from a VM?

Setting up an SEV-SNP machine

  • Install a kernel with SEV-SNP support
# dnf copr enable harald/kernel-snp
# dnf install kernel{,-core,-modules}-5.14.0-0.rc2.28.sev.snp.part2.v5.fc34.x86_64
  • Install the SEV firmware
$ wget https://developer.amd.com/wp-content/resources/amd_sev_fam19h_model0xh_1.2A.2A.zip
$ unzip amd_sev_fam19h_model0xh_1.2A.2A.zip
$ sudo mv amd_sev_fam19h_model0xh_1.2A.2A.sbin /lib/firmware/amd/amd_sev_fam19h_model0xh.sbin
$ sudo chown root:root /lib/firmware/amd/amd_sev_fam19h_model0xh.sbin
  • Set SEV device node permissions
# echo 'KERNEL=="sev", MODE="0666"' > /etc/udev/rules.d/50-sev.rules
  • Increase the memlock limit for SEV Keeps (a Keep needs to pin a large number of pages)
# echo '* - memlock 8388608' > /etc/security/limits.d/sev.conf
  • Enable SEV
# echo 'options kvm_amd sev=1' > /etc/modprobe.d/kvm-amd.conf
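To check that a host actually ends up in the state the SGX and SEV-SNP steps above describe (CPU flags, device node modes and group, the memlock limit, the kvm_amd sev option), here is an added preflight script. It is an example written for this page, not Enarx project code; it assumes Linux with GNU coreutils stat, the sgx and sev_snp flags in /proc/cpuinfo, and the paths and values given on this page.

```shell
#!/bin/sh
# Preflight checks for an Enarx TEE host (added example, not Enarx project code).
# Assumes Linux with GNU coreutils `stat`; every check takes its input path as an
# argument so it can run against the live system or against constructed files.

# CPU advertises FLAG (sgx, sev_snp, ...) in the flags line of a cpuinfo file.
has_cpu_flag() {
    flag="$1"; cpuinfo="${2:-/proc/cpuinfo}"
    grep -m1 '^flags' "$cpuinfo" | tr ' ' '\n' | grep -qx "$flag"
}

# PATH exists with exactly the octal mode EXPECTED (e.g. 666 for sgx_enclave).
has_mode() {
    path="$1"; expected="$2"
    [ -e "$path" ] && [ "$(stat -c '%a' "$path")" = "$expected" ]
}

# PATH is owned by group GROUP (e.g. sgx_prv for sgx_provision).
has_group() {
    path="$1"; group="$2"
    [ -e "$path" ] && [ "$(stat -c '%G' "$path")" = "$group" ]
}

# limits.d file grants every user ('*') a memlock limit of at least MIN_KB.
memlock_at_least() {
    conf="$1"; min_kb="$2"
    kb=$(awk '$1 == "*" && $3 == "memlock" { print $4 }' "$conf" | tail -n 1)
    [ -n "$kb" ] && [ "$kb" -ge "$min_kb" ]
}

# kvm_amd's sev parameter reads 1 (older int param) or Y (newer bool param).
kvm_sev_enabled() {
    param="${1:-/sys/module/kvm_amd/parameters/sev}"
    [ -r "$param" ] && { v=$(cat "$param"); [ "$v" = "1" ] || [ "$v" = "Y" ]; }
}

# Run every check against the live host and print one ok/FAIL line per check.
enarx_preflight() {
    for check in "has_cpu_flag sgx" "has_mode /dev/sgx_enclave 666" \
        "has_mode /dev/sgx_provision 660" "has_group /dev/sgx_provision sgx_prv" \
        "has_cpu_flag sev_snp" "has_mode /dev/sev 666" \
        "memlock_at_least /etc/security/limits.d/sev.conf 8388608" "kvm_sev_enabled"; do
        if $check 2>/dev/null; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
}
```

Source the file and call enarx_preflight on the host; an SGX-only or SEV-only machine is expected to show FAIL lines for the other vendor's checks.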