Skip to main content

Reproducible Builds

Users with nix package manager installed (see should be able to just do in the checked out repository:

$ nix-shell

(on legacy, stable nix installs)


$ nix develop

Setting up an SGX machine

  • Run a recent kernel with SGX support compiled in
  • Set the SGX device node permissions
# groupadd -r sgx_prv
# cat > /etc/udev/rules.d/99-sgx.rules <<EOF
SUBSYSTEM=="misc", KERNEL=="sgx_provision", MODE="0660", GROUP="sgx_prv"
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", MODE="0666"

Hardware requirements for SGX

  • Is there IPMI support on the NUC7CJYH?
    • There is a similar technology called Intel AMT (ref1, ref2) that is present on NUCs with i5 Ivy Bridge processors.
    • Running an AMT check on the NUC7CJYH produces the result Error: Management Engine refused connection. This probably means you don't have AMT
  • Are there other NUC models that support SGX2?
  • Are SGX features accessible from a VM?

Setting up an SEV-SNP machine

# dnf copr enable harald/kernel-snp 
# dnf install kernel{,-core,-modules}-5.14.0-0.rc2.28.sev.snp.part2.v5.fc34.x86_64
  • Set SEV device node permissions
# echo 'KERNEL=="sev", MODE="0666"' > /etc/udev/rules.d/50-sev.rules
  • Increase the memlock limit for SEV keeps (need to pin a large number of pages)
# echo '* - memlock 8388608' > /etc/security/limits.d/sev.conf
  • Enable SEV
# echo 'options kvm_amd sev=1' > /etc/modprobe.d/kvm-amd.conf