Merge pull request #933 from oasisprotocol/kostko/tee-multipackage-bios

docs/node: Add multi-package BIOS configuration
oasisprotocol · Oct 14, 2024 · 39314f5 · 39314f5
2 parents f80485b + f16a52e
commit 39314f5
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/docs/node/run-your-node/prerequisites/set-up-trusted-execution-environment-tee.md b/docs/node/run-your-node/prerequisites/set-up-trusted-execution-environment-tee.md
@@ -25,10 +25,9 @@ set the BIOS settings as follows:
 - **SGX**: ENABLE
 - **Hyper-Threading**: DISABLE
 - **Intel SpeedStep**: DISABLE
-- **SecureBoot**: DISABLE  (not necessary for recent kernels)
-- **All Internal Graphics**: DISABLE
 - **Turbo Mode**: DISABLE
 - **CPU AES**: ENABLE
+- **SGX Auto MP Registration**: ENABLE
 
 ## Ensure Clock Synchronization
 
@@ -85,7 +84,7 @@ and look for the following line:
 
 ## DCAP Attestation
 
-### Ubuntu 22.04
+### Ubuntu 22.04+
 
 A convenient way to install the AESM service on Ubuntu 22.04 systems
 is to use the Intel's [official Intel SGX APT repository](https://download.01.org/intel-sgx/sgx_repo/).
@@ -223,9 +222,11 @@ running SGX workloads inside guest VMs. In this case additional provisioning may
 be required to be performed on the host.
 
 Note that the system must be booted in UEFI mode for provisioning to work as the
-provisioning process uses UEFI variables to communicate with the BIOS.
+provisioning process uses UEFI variables to communicate with the BIOS. In
+addition the **SGX Auto MP Registration** BIOS configuration setting should be
+set to _enabled_.
 
-#### Ubuntu 22.04
+#### Ubuntu 22.04+
 
 To provision and register your multi-socket system you need to install the Intel
 SGX Multi-Package Registration Agent Service as follows (assuming Intel's SGX
@@ -235,6 +236,12 @@ apt repository has been added as discussed above):
 sudo apt install sgx-ra-service
 ```
 
+After boot, the log in `/var/log/mpa_registration.log` should indicate
+successful registration. If an error is reported, make sure that you have
+enabled SGX Auto MP Registration in the BIOS as mentioned above. You can also
+perform re-provisioning by rebooting and setting the **SGX Factory Reset**
+option to _enabled_.
+
 #### VMware vSphere 8.0+
 
 In order to enable SGX remote attestation on VMware vSphere-based systems,