Board: English
Author: chinagogoya (靜觀棋變)
Title: 2.26. Intel SKL SGX Support
Time: 2016-05-26 Thu. 14:11:01


Intel Software Guard Extensions (SGX) is an extension of the Intel instruction set architecture designed to provide an application-centric trusted execution environment called an enclave. Enclaves operate within a physical memory region called an Enclave Page Cache (EPC). The EPC is configured as part of the Processor Reserved Memory (PRM), which is protected by an architectural pair of registers. The System BIOS is required to reserve the PRM as a contiguous region of the system memory in the Processor Reserved Memory Range Register (PRMRR).
If the platform contains a Feature Byte BO_SGX (= dQ) in the SMBIOS Type 11 data buffer, the BIOS shall NOT implement the support for the Intel SGX and instead configure it to properly disable all capability and resource allocation and hide the feature from the system. Otherwise, the BIOS will implement the support for the Intel SGX by following the corresponding documents provided by Intel in addition to the requirements specified in this section.
As part of the Intel SGX support, the BIOS will provide a Setup field "Intel Software Guard Extensions (SGX)" via the Security Setup page. The options for the Setup field will be Enable, Disable and S/W Controlled, with the default set to S/W Controlled and changeable via <F10=BIOS Setup> or using tools/scripts such as the HP BIOS Configuration Utility (WMI-based or UEFI protocol-based).

S/W Controlled Setup Configuration

Note that the BIOS configuration of the Setup option S/W Controlled is the same as Disable, but in addition, the BIOS will provide the structure EPC_OS_CONFIG for the Intel runtime SGX application as required by the Intel SGX document. The structure is used by the Intel SGX application to send a runtime request to the BIOS to enable the SGX support (i.e., the user doesn't have to enter <F10=BIOS Setup> to manually change the setting). Upon detection of the request by checking the EPC_OS_CONFIG structure during reboot, the BIOS will change the setting of the Intel SGX in <F10=BIOS Setup> from S/W Controlled to Enable and configure the SGX support accordingly.
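An added example (not from the post, HP or Intel) of how the three Setup states above look to software once the machine is up: it decodes the EPC section the BIOS carved out of the PRM (CPUID leaf 0x12, sub-leaf 2) and the SGX enable/lock bits of IA32_FEATURE_CONTROL from raw register values. The sample register values are constructed; on a real platform they would come from the cpuid instruction and rdmsr.

```c
#include <stdint.h>
#include <stdio.h>

/* One EPC section as enumerated by CPUID.(EAX=0x12, ECX=n), n >= 2.
   Bit layout follows the Intel SDM description of the SGX leaf. */
struct epc_section {
    unsigned type;      /* EAX[3:0]: 0 = no section in this sub-leaf, 1 = EPC section */
    unsigned property;  /* ECX[3:0]: 1 = confidentiality- and integrity-protected EPC */
    uint64_t base;      /* physical base, 4 KiB aligned (inside the PRMRR range) */
    uint64_t size;      /* size in bytes */
};

struct epc_section decode_epc_subleaf(uint32_t eax, uint32_t ebx,
                                      uint32_t ecx, uint32_t edx)
{
    struct epc_section s;
    s.type     = eax & 0xFu;
    s.property = ecx & 0xFu;
    s.base = ((uint64_t)(ebx & 0xFFFFFu) << 32) | (uint64_t)(eax & 0xFFFFF000u);
    s.size = ((uint64_t)(edx & 0xFFFFFu) << 32) | (uint64_t)(ecx & 0xFFFFF000u);
    return s;
}

/* How the BIOS Setup choice shows up at runtime. CPUID.(7,0):EBX bit 2 enumerates
   SGX; IA32_FEATURE_CONTROL (MSR 0x3A) bit 18 is SGX_ENABLE, bit 0 is the lock bit.
   0 = SGX not enumerated at all,
   1 = enumerated but SGX_ENABLE clear (Disable or S/W Controlled: no enclaves yet),
   2 = SGX_ENABLE set (Enable, or S/W Controlled after the EPC_OS_CONFIG request). */
int sgx_runtime_state(uint32_t cpuid7_ebx, uint64_t feature_control)
{
    if (!(cpuid7_ebx & (1u << 2)))          return 0;
    if (!(feature_control & (1ULL << 18)))  return 1;
    return 2;
}

/* Once the lock bit is set the MSR is read-only until the next reset, which is
   why the S/W Controlled request only takes effect on the following reboot. */
int feature_control_locked(uint64_t feature_control)
{
    return (feature_control & 1ULL) != 0;
}

int main(void)
{
    /* Constructed sample: one 93.5 MiB EPC section at 0x70200000, SGX enabled and locked. */
    struct epc_section s = decode_epc_subleaf(0x70200001u, 0u, 0x05D80001u, 0u);
    uint64_t fc = (1ULL << 18) | 1ULL;
    printf("EPC type=%u prop=%u base=0x%llx size=%llu bytes\n", s.type, s.property,
           (unsigned long long)s.base, (unsigned long long)s.size);
    printf("SGX state=%d locked=%d\n", sgx_runtime_state(1u << 2, fc), feature_control_locked(fc));
    return 0;
}
```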

Physical Presence Check

If the option is changed from Enable or S/W Controlled to Disable when the system's MPM is locked, the BIOS will confirm the request via the following Physical Presence check during the next boot:


--
※ Author: chinagogoya Time: 2016-05-26 14:11:01