Unable to enable SGX using PSW + software controlled

Unable to enable SGX using PSW + software controlled

Intel has the weirdest circular logic in their install method for SGX. I have an Asus Z170 Mobo which is definitely SGX capable (others have confirmed it working). In the BIOS settings (which I recently updated), you can't enable SGX by default but you can set it to 'Software Control'. I did that and attempted to install the PSW which fails with this error:

This platform is not SGX-compatible. Please check your SGX BIOS settings. Install will cancel.


Others have suggested extracting the .msi from the PSW .exe and installing that way using msiexec - I tried this but still get the same error. The problem here is that to 1) to enable SGX, the SGX api software needs the PSW installed and that 2) the PSW needs SGX enabled in order to even allow it to be installed on the system at all. Who designed this horribly buggy workflow? Has anybody figured out a way to get this to work? Thanks in advance!



6 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Hi, Matthew.

I believe you can enable SGX on your machine only with the SDK installed.
For that you can use the sgx_cap_enable_device. You can check the documentation here.



Hi Rodolfo, thats exactly the problem. The SDK requires the SGX PlatformSoftware (PSW - their acronym) and the PSW simply WON'T install on a system that doesn't have SGX already enabled. From their own documentation for the SDK : 

Required Hardware: 6th generation Intel® Core™ processor (or later) based platform with Intel SGX-enabled BIOS support

and to begin developing applications : 

To develop applications enabled with Intel® Software Guard Extensions (Intel® SGX), download and install both of the following, in this order:

  1. Platform software for Intel® Software Guard Extensions for Windows* (Intel® SGX SDK for Windows*)
  2. Intel SGX SDK for Windows

So what is a consumer supposed to do who only has 'Software Control' options in the BIOS but no 'Enable' option? This seems wildly unusable.

Rodolfo is correct, sgx_cap_enable_device() does NOT require the PSW in order to work. However, it does require admin privileges in order to succeed.

On the other hand, sgx_enable_device() does NOT require admin privileges, but DOES require the PSW installed in order to work.

If your system is in "Software Control", the PSW should install, even if SGX hasn't been enabled yet. If you find that this is not the case, can you please provide the PSW version you are trying to install?

It's possible the BIOS settings aren't being reflected properly in what they are displaying. You could try the following (assuming the BIOS vendor has given you the choices):

1) Go into BIOS setup, set SGX to DISABLED

2) Reboot

3) Go into BIOS setup, set SGX back to SW Control

4) Reboot

5) Try to install PSW again.





Thanks Francisco! I went into the BIOS and disabled SGX, reset, and then went back into the BIOS and set the SGX configuration to Software Control. I also downloaded the latest version of the PSW - version When I tried to install that version of the PSW, I get : 

Fatal installation blocking issues are detected. This platform is not Intel® SGX-compatible. Please check your Intel® SGX BIOS settings. Install will cancel.

I tried with my original PSW version ( and got a similar error message. It seems clear that the PSW doesn't consider Software Enabled a valid platform for installation. As I noted above, in their own documentation it seems to require a setting of 'Enabled' to function. Is their some indication somewhere that it >should< work? All the forums seem to indicate other people have the same problems I have been having. Thanks

There are a couple of problems that you could be seeing.

Can you specify the CPU you are using?

Another possibility is that it is possible to have BIOS in a state that even though it supports UEFI the OS was installed in Legacy mode. This can be determined by writing a program that does

  const TCHAR* DUMMY_GUID = TEXT("{00000000-0000-0000-0000-000000000000}");
  GetFirmwareEnvironmentVariable(TEXT(""), DUMMY_GUID, NULL, 0);

and then inspecting GetLastError(). A value of ERROR_INVALID_FUNCTION indicates the OS isn't using UEFI. This function is described in https://msdn.microsoft.com/en-us/library/windows/desktop/ms724325(v=vs.85).aspx

A quicker way that doesn't require you to write code and will get almost the same information is running the following from PowerShell

Get-SecureBootUefi -Name SetupMode


Leave a Comment

Please sign in to add a comment. Not a member? Join today