Merge pull request #144 from skalenetwork/SKALE-3039-downloadwhitelist

Skale 3039 downloadwhitelist

.github/workflows/dockerimagerelease.yml

+name: Build, test and push release SGX container
+on: [push]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+    steps:
+      - name: Login to docker
+        env:
+          GITHUB_TOKEN: ${{ secrets.DOCKER_SECRET }}
+        run: docker login -u skalelabs -p ${GITHUB_TOKEN}
+      - uses: actions/checkout@v1
+      - name: submodule update
+        run: git submodule update --init --recursive
+      - name: build
+        run: python3 scripts/docker_build.py Dockerfile sgxwallet ${GITHUB_SHA}
+      - name: deploy docker image
+        if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
+        run : |
+          export BRANCH=${GITHUB_REF##*/}
+          echo "Branch $BRANCH"
+          export VERSION=$(cat VERSION)
+          echo "Version $VERSION"
+          export VERSION=$(bash ./scripts/calculate_version.sh $BRANCH $VERSION)
+          echo "::set-env name=VERSION::$VERSION"
+          echo "Version $VERSION"
+          export RELEASE=true
+          echo "::set-env name=RELEASE::$RELEASE"
+          bash ./scripts/build_image.sh DockerfileRelease sgxwallet_release
+          bash ./scripts/publish_image.sh sgxwallet_release
\ No newline at end of file

Dockerfile

 FROM skalenetwork/sgxwallet_base:latest
 
 COPY . /usr/src/sdk
+RUN apt update && apt install -y curl
 WORKDIR /usr/src/sdk
-
 RUN touch /var/hwmode
-
-
 RUN ./autoconf.bash
 RUN ./configure
 RUN bash -c "make -j$(nproc)"
 RUN ccache -sz
-RUN mkdir /usr/src/sdk/sgx_data
+RUN mkdir -p /usr/src/sdk/sgx_data
 COPY docker/start.sh ./
 ENTRYPOINT ["/usr/src/sdk/start.sh"]

DockerfileBase

@@ -15,7 +15,7 @@ RUN    apt update && \
            libcurl4-openssl-dev protobuf-compiler git libprotobuf-dev  libboost-all-dev \
            alien cmake debhelper uuid-dev libxml2-dev ccache vim libprotobuf10 \
            yasm cmake flex bison  libprocps-dev ccache autoconf texinfo libssl-dev \
-           libboost-all-dev libjsonrpccpp-dev libjsonrpccpp-tools && \
+           libboost-all-dev libjsonrpccpp-dev curl libjsonrpccpp-tools && \
        ln -s /usr/bin/ccache /usr/local/bin/clang && \
        ln -s /usr/bin/ccache /usr/local/bin/clang++ && \
        ln -s /usr/bin/ccache /usr/local/bin/gcc && \

DockerfileRelease

+FROM skalenetwork/sgxwallet_base:latest
+
+COPY . /usr/src/sdk
+RUN cp -f secure_enclave/secure_enclave.config.xml.release secure_enclave/secure_enclave.config.xml
+RUN apt update && apt install -y curl
+WORKDIR /usr/src/sdk
+#Test signing key generation
+RUN cd scripts && ./generate_signing_key.bash
+RUN touch /var/hwmode
+RUN ./autoconf.bash
+RUN ./configure --with-sgx-build=release
+RUN bash -c "make -j$(nproc)"
+RUN cd scripts && ./sign_enclave.bash
+RUN ccache -sz
+RUN mkdir -p /usr/src/sdk/sgx_data
+COPY docker/start.sh ./
+ENTRYPOINT ["/usr/src/sdk/start.sh"]

DockerfileSimulation

 FROM skalenetwork/sgxwallet_base:latest
 
 
+RUN apt update &&  apt install -y curl
 
 RUN ccache -sz
 
@@ -10,7 +11,7 @@ RUN ./autoconf.bash && \
     ./configure --enable-sgx-simulation && \
     bash -c "make" && \
     ccache -sz && \
-    mkdir /usr/src/sdk/sgx_data
+    mkdir -p /usr/src/sdk/sgx_data
 
 COPY docker/start.sh ./
 

ServerInit.cpp

@@ -78,7 +78,7 @@ void initEnclave(uint32_t _logLevel) {
     }
 #endif
 
-    spdlog::debug("SGX_DEBUG_FLAG = {}", SGX_DEBUG_FLAG);
+    spdlog::info("SGX_DEBUG_FLAG = {}", SGX_DEBUG_FLAG);
 
     status = sgx_create_enclave_search(ENCLAVE_NAME, SGX_DEBUG_FLAG, &token,
                                        &updated, &eid, 0);

build_instructions.txt

+How to Build/Execute the C++11 sample program
+---------------------------------------------
+1. Install Intel(R) Software Guard Extensions (Intel(R) SGX) SDK for Linux* OS
+2. Make sure your environment is set:
+    $ source ${sgx-sdk-install-path}/environment
+3. Build the project with the prepared Makefile:
+    a. Hardware Mode, Debug build:
+        $ make
+    b. Hardware Mode, Pre-release build:
+        $ make SGX_PRERELEASE=1 SGX_DEBUG=0
+    c. Hardware Mode, Release build:
+        $ make SGX_DEBUG=0
+    d. Simulation Mode, Debug build:
+        $ make SGX_MODE=SIM
+    e. Simulation Mode, Pre-release build:
+        $ make SGX_MODE=SIM SGX_PRERELEASE=1 SGX_DEBUG=0
+    f. Simulation Mode, Release build:
+        $ make SGX_MODE=SIM SGX_DEBUG=0
+4. Execute the binary directly:
+    $ ./app
+5. Remember to "make clean" before switching build mode

docker/start.sh

@@ -15,6 +15,8 @@ echo "the command line includes -v /dev/urandom:/dev/random";
 exit 1;
 fi
 
+echo "Connection SUCCESS."
+
 ls /dev/random;
 rm -f /root/.rnd;
 dd if=/dev/random of=/root/.rnd bs=256 count=1;
@@ -22,6 +24,10 @@ ls /root/.rnd;
 
 cd /usr/src/sdk;
 
+echo "Checking that sgxwallet can connect to SGX whitelist update server whitelist.trustedservices.intel.com "
+echo "If this test fails, you need to update your network config or firewall to allow this connection"
+
+curl  -I http://whitelist.trustedservices.intel.com/SGX/LCWL/Linux/sgx_white_list_cert.bin
 
 if [[ -f "/var/hwmode" ]]
 then

docs/prerequisites.md

@@ -15,6 +15,7 @@ Sgxwallet may run on other Linux distributions,
 but the installation process is likely to be more complicated, 
 and the use of other distributions is not supported by their respective communities at this time.
 
+
 ### Install Docker engine
 
 Docker engine is pre-installed on Ubuntu 18.04.  You can re-install it as 
@@ -36,6 +37,27 @@ To verify a correct installation, run `docker-compose version`
 
 For details on Docker installation, see <https://docs.docker.com/engine/installation/linux/ubuntu> and <https://docs.docker.com/compose/install/#install-compose>
 
+### Verify Internet connection
+
+Intel SGX automatically downloads enclave whitelist updates from
+
+```
+http://whitelist.trustedservices.intel.com/SGX/LCWL/Linux/sgx_white_list_cert.bin
+```
+
+Verify that your network and firewall configuration allows connections to this URL by
+running 
+
+```
+curl  -I http://whitelist.trustedservices.intel.com/SGX/LCWL/Linux/sgx_white_list_cert.bin
+```
+
+ If you need to set advanced options, such as outgoing network proxy, edit "/etc/aesmd.conf" file in
+ the sgxwallet docker container.  
+
+
+ #endif" 
+
 ### Verify SGX support
 
 Install cpuid and libelf-dev packages:

scripts/generate_signing_key.bash

+#/bin/bash
+set -x
+set -e
+openssl genrsa -out skale_sgx_insecure_test_private_key1.pem -3 3072
+openssl rsa -in skale_sgx_insecure_test_private_key1.pem -pubout -out skale_sgx_insecure_test_public_key1.pem
+

scripts/sign_enclave.bash

+#!/bin/bash
+set -x
+set -e
+
+rm -f skale_sgx_enclave_hash1.hex skale_sgx_enclave_signature1.hex ../secure_enclave/secure_enclave_signed.so skale_sgx_enclave_metadata_info1.txt 
+
+/opt/intel/sgxsdk/bin/x64/sgx_sign gendata -enclave ../secure_enclave/secure_enclave.so -config ../secure_enclave/secure_enclave.config.xml -out skale_sgx_enclave_hash1.hex
+
+openssl dgst -sha256 -out skale_sgx_enclave_signature1.hex -sign skale_sgx_private_key1.pem -keyform PEM skale_sgx_enclave_hash1.hex
+
+/opt/intel/sgxsdk/bin/x64/sgx_sign catsig -enclave ../secure_enclave/secure_enclave.so -config ../secure_enclave/secure_enclave.config.xml  -out ../secure_enclave/secure_enclave_signed.so -key skale_sgx_public_key1.pem -sig skale_sgx_enclave_signature1.hex -unsigned skale_sgx_enclave_hash1.hex
+
+/opt/intel/sgxsdk/bin/x64/sgx_sign dump -enclave ../secure_enclave/secure_enclave_signed.so -dumpfile skale_sgx_enclave_metadata_info1.txt

secure_enclave/secure_enclave.c

@@ -45,6 +45,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include <sgx_tgmp.h>
 #include <sgx_trts.h>
 
+#include <sgx_key.h>
+
 #include "Point.h"
 #include "DomainParameters.h"
 
@@ -207,7 +209,14 @@ void trustedGenerateSEK(int *errStatus, char *errString,
         AES_key[i] = SEK_raw[i];
     }
 
-    sgx_status_t status = sgx_seal_data(0, NULL, hex_aes_key_length + 1, (uint8_t *) SEK_hex, sealedLen,
+
+    sgx_attributes_t attribute_mask;
+    attribute_mask.flags = 0xfffffffffffffff3;
+    attribute_mask.xfrm = 0x0;
+
+    sgx_misc_select_t misc = 0xF0000000;
+
+    sgx_status_t status = sgx_seal_data_ex(SGX_KEYPOLICY_MRENCLAVE, attribute_mask, misc, 0, NULL, hex_aes_key_length + 1, (uint8_t *) SEK_hex, sealedLen,
                                         (sgx_sealed_data_t *) encrypted_SEK);
     CHECK_STATUS("seal SEK failed");
 
@@ -256,7 +265,15 @@ void trustedSetSEK_backup(int *errStatus, char *errString,
 
     uint32_t sealedLen = sgx_calc_sealed_data_size(0, strlen(SEK_hex) + 1);
 
-    sgx_status_t status = sgx_seal_data(0, NULL, strlen(SEK_hex) + 1, (uint8_t *) SEK_hex, sealedLen,
+
+    sgx_attributes_t attribute_mask;
+    attribute_mask.flags = 0xfffffffffffffff3;
+    attribute_mask.xfrm = 0x0;
+
+    sgx_misc_select_t misc = 0xF0000000;
+
+    sgx_status_t status = sgx_seal_data_ex(SGX_KEYPOLICY_MRENCLAVE,
+                                           attribute_mask, misc, 0, NULL, strlen(SEK_hex) + 1, (uint8_t *) SEK_hex, sealedLen,
                                         (sgx_sealed_data_t *) encrypted_SEK);
 
     CHECK_STATUS2("seal SEK failed with status %d")

secure_enclave/secure_enclave.config.xml.release

+<EnclaveConfiguration>
+ <ProdID>0</ProdID>
+ <ISVSVN>0</ISVSVN>
+ <StackMaxSize>0x1000000</StackMaxSize>
+ <HeapMaxSize>0x100000000</HeapMaxSize>
+ <TCSNum>128</TCSNum>
+ <TCSMaxNum>128</TCSMaxNum>
+ <TCSMinPool>128</TCSMinPool>
+ <TCSPolicy>0</TCSPolicy>
+ <!-- Recommend changing 'DisableDebug' to 1 to make the enclave undebuggable for enclave release -->
+ <DisableDebug>1</DisableDebug>
+ <MiscSelect>0</MiscSelect>
+ <MiscMask>0xFFFFFFFF</MiscMask>
+ </EnclaveConfiguration>

third_party/graphene/is_sgx_available/Makefile

+PREFIX ?= /usr/local
+
+.PHONY: all
+all: is_sgx_available
+
+.PHONY: install
+install:
+	install is_sgx_available ${PREFIX}/bin
+
+.PHONY: clean
+clean:
+	$(RM) is_sgx_available
+
+.PHONY: distclean
+distclean: clean
+
+is_sgx_available: is_sgx_available.cpp
+	g++ -O2 -std=c++14 -DNDEBUG -Wall -Wextra -Wno-multichar -masm=intel $< -o $@

third_party/graphene/is_sgx_available/is_sgx_available.cpp

+/* SPDX-License-Identifier: LGPL-3.0-or-later */
+/* Copyright (C) 2018-2020 Invisible Things Lab
+ *                         Michal Kowalczyk <mkow@invisiblethingslab.com>
+ */
+
+#include <cinttypes>
+#include <cstdint>
+#include <cstring>
+#include <exception>
+#include <iostream>
+#include <sys/stat.h>
+
+enum ExitCodes {
+    SUCCESS = 0,
+    NO_CPU_SUPPORT = 1,
+    NO_BIOS_SUPPORT = 2,
+    PSW_NOT_INSTALLED = 3,
+    AESMD_NOT_RUNNING = 4 // This is a separate exit code, because AESMD tends
+                          // to die spontaneously.
+};
+
+bool file_exists(const char* path) {
+    struct stat statbuf;
+    return stat(path, &statbuf) == 0;
+}
+
+void cpuid(uint32_t leaf, uint32_t subleaf, uint32_t* eax, uint32_t* ebx,
+           uint32_t* ecx, uint32_t* edx) {
+    unsigned long eax_, ebx_, ecx_, edx_;
+    __asm__ ("cpuid\n"
+        : "=a" (eax_), "=b" (ebx_), "=c" (ecx_), "=d" (edx_)
+        : "0" (leaf), "2" (subleaf));
+    if (eax) *eax = (eax_ & 0xFFFFFFFF);
+    if (ebx) *ebx = (ebx_ & 0xFFFFFFFF);
+    if (ecx) *ecx = (ecx_ & 0xFFFFFFFF);
+    if (edx) *edx = (edx_ & 0xFFFFFFFF);
+}
+
+static bool is_cpuid_supported() {
+    // Checks whether (R/E)FLAGS.ID is writable (bit 21).
+    uint64_t write_diff;
+    __asm__ (
+        "pushf\n"
+
+        "pushf\n"
+        "xor qword ptr [rsp], (1<<21)\n"
+        "popf\n"
+        "pushf\n"
+        "pop %0\n"
+        "xor %0, [rsp]\n"
+
+        "popf\n"
+        : "=r" (write_diff)
+    );
+    return write_diff;
+}
+
+// 2**exp with saturation for unsigned types.
+template<class T> T saturating_exp2(T exp) {
+    // Protect against UB.
+    if (exp >= sizeof(T)*8)
+        return ~(T)0;
+    // No overflow.
+    return (T)1 << exp;
+}
+
+class SgxCpuChecker {
+    bool cpuid_supported_ = false;
+    bool is_intel_cpu_ = false;
+    bool sgx_supported_ = false;
+    bool sgx1_supported_ = false;
+    bool sgx2_supported_ = false;
+    bool flc_supported_ = false;
+    bool sgx_virt_supported_ = false;
+    bool sgx_mem_concurrency_supported_ = false;
+    bool cet_supported_ = false;
+    bool kss_supported_ = false;
+    uint64_t maximum_enclave_size_x86_ = false;
+    uint64_t maximum_enclave_size_x64_ = false;
+    uint64_t epc_region_size_ = 0;
+
+public:
+    explicit SgxCpuChecker() {
+        uint32_t cpuid_max_leaf_value;
+        uint32_t cpuid_0_ebx;
+        uint32_t cpuid_0_ecx;
+        uint32_t cpuid_0_edx;
+
+        uint32_t cpuid_7_0_eax;
+        uint32_t cpuid_7_0_ebx;
+        uint32_t cpuid_7_0_ecx;
+        uint32_t cpuid_7_0_edx;
+        // Used only if sgx_supported().
+        uint32_t cpuid_12_0_eax;
+        uint32_t cpuid_12_0_ebx;
+        uint32_t cpuid_12_0_ecx;
+        uint32_t cpuid_12_0_edx;
+        uint32_t cpuid_12_1_eax;
+        uint32_t cpuid_12_1_ebx;
+        uint32_t cpuid_12_1_ecx;
+        uint32_t cpuid_12_1_edx;
+
+        cpuid_supported_ = is_cpuid_supported();
+        if (!cpuid_supported_)
+            return;
+        cpuid(0, 0, &cpuid_max_leaf_value, &cpuid_0_ebx, &cpuid_0_ecx, &cpuid_0_edx);
+        is_intel_cpu_ = cpuid_0_ebx == __builtin_bswap32('Genu')
+                     && cpuid_0_edx == __builtin_bswap32('ineI')
+                     && cpuid_0_ecx == __builtin_bswap32('ntel');
+        if (!is_intel_cpu_ || cpuid_max_leaf_value < 7)
+            return;
+        // See chapter 36.7 in Intel SDM vol.3
+        cpuid(7, 0, &cpuid_7_0_eax, &cpuid_7_0_ebx, &cpuid_7_0_ecx, &cpuid_7_0_edx);
+        sgx_supported_ = cpuid_7_0_ebx & (1 << 2);
+        if (!sgx_supported_ || cpuid_max_leaf_value < 0x12)
+            return;
+        flc_supported_ = cpuid_7_0_ecx & (1 << 30);
+        cpuid(0x12, 0, &cpuid_12_0_eax, &cpuid_12_0_ebx, &cpuid_12_0_ecx, &cpuid_12_0_edx);
+        cpuid(0x12, 1, &cpuid_12_1_eax, &cpuid_12_1_ebx, &cpuid_12_1_ecx, &cpuid_12_1_edx);
+        sgx1_supported_ = cpuid_12_0_eax & (1 << 0);
+        sgx2_supported_ = cpuid_12_0_eax & (1 << 1);
+        sgx_virt_supported_ = cpuid_12_0_eax & (1 << 5);
+        sgx_mem_concurrency_supported_ = cpuid_12_0_eax & (1 << 6);
+        cet_supported_ = cpuid_12_1_eax & (1 << 6);
+        kss_supported_ = cpuid_12_1_eax & (1 << 7);
+        maximum_enclave_size_x86_ = saturating_exp2<uint64_t>(cpuid_12_0_edx & 0xFF);
+        maximum_enclave_size_x64_ = saturating_exp2<uint64_t>((cpuid_12_0_edx >> 8) & 0xFF);
+        // Check if there's any EPC region allocated by BIOS
+        for (uint32_t subleaf = 2; subleaf >= 2; subleaf++) {
+            uint32_t eax, ebx, ecx, edx;
+            cpuid(0x12, subleaf, &eax, &ebx, &ecx, &edx);
+            auto type = eax & 0xF;
+            if (!type)
+                break;
+            if (type == 1) {
+                // EAX and EBX report the physical address of the base of the EPC region,
+                // but we only care about the EPC size
+                if (ecx & 0xFFFFF000 || edx & 0xFFFFF) {
+                    epc_region_size_ += ecx & 0xFFFFF000;
+                    epc_region_size_ += (uint64_t)(edx & 0xFFFFF) << 32;
+                }
+            }
+        }
+    }
+
+    bool cpuid_supported() const { return cpuid_supported_; }
+    bool is_intel_cpu() const { return is_intel_cpu_; }
+    bool sgx_supported() const { return sgx_supported_; }
+    bool sgx1_supported() const { return sgx1_supported_; }
+    // SGX2 enclave dynamic memory management (EDMM) support (EAUG, EACCEPT, EMODPR, ...)
+    bool sgx2_supported() const { return sgx2_supported_; }
+    // Flexible Launch Control support (IA32_SGXPUBKEYHASH{0..3} MSRs)
+    bool flc_supported() const { return flc_supported_; }
+    // Extensions for virtualizers (EINCVIRTCHILD, EDECVIRTCHILD, ESETCONTEXT).
+    bool sgx_virt_supported() const { return sgx_virt_supported_; }
+    // Extensions for concurrent memory management (ETRACKC, ERDINFO, ELDBC, ELDUC).
+    bool sgx_mem_concurrency_supported() const { return sgx_mem_concurrency_supported_; }
+    // CET enclave attributes support (See Table 37-5 in the SDM)
+    bool cet_supported() const { return cet_supported_; }
+    // Key separation and sharing (KSS) support (CONFIGID, CONFIGSVN, ISVEXTPRODID, ISVFAMILYID report fields)
+    bool kss_supported() const { return kss_supported_; }
+    uint64_t maximum_enclave_size_x86() const { return maximum_enclave_size_x86_; }
+    uint64_t maximum_enclave_size_x64() const { return maximum_enclave_size_x64_; }
+    uint64_t epc_region_size() const { return epc_region_size_; }
+};
+
+bool sgx_driver_loaded() {
+    // /dev/isgx is for LKM version, /dev/sgx is for in-kernel support.
+    return file_exists("/dev/isgx") || file_exists("/dev/sgx");
+}
+
+bool psw_installed() {
+    bool aesmd_installed = file_exists("/etc/aesmd.conf");
+    return sgx_driver_loaded() && aesmd_installed;
+}
+
+bool aesmd_running() {
+    return file_exists("/var/run/aesmd/aesm.socket");
+}
+
+void print_detailed_info(const SgxCpuChecker& cpu_checker) {
+    if (!cpu_checker.cpuid_supported()) {
+        puts("`cpuid` instruction not available");
+        return;
+    }
+    if (!cpu_checker.is_intel_cpu()) {
+        puts("Not an Intel CPU");
+        return;
+    }
+    auto bool2str = [](bool b){ return b ? "true" : "false"; };
+    auto sgx_supported = cpu_checker.sgx_supported();
+    printf("SGX supported by CPU: %s\n", bool2str(sgx_supported));
+    if (!sgx_supported)
+        return;
+    printf("SGX1 (ECREATE, EENTER, ...): %s\n", bool2str(cpu_checker.sgx1_supported()));
+    printf("SGX2 (EAUG, EACCEPT, EMODPR, ...): %s\n", bool2str(cpu_checker.sgx2_supported()));
+    printf("Flexible Launch Control (IA32_SGXPUBKEYHASH{0..3} MSRs): %s\n",
+           bool2str(cpu_checker.flc_supported()));
+    printf("SGX extensions for virtualizers (EINCVIRTCHILD, EDECVIRTCHILD, ESETCONTEXT): %s\n",
+           bool2str(cpu_checker.sgx_virt_supported()));
+    printf("Extensions for concurrent memory management (ETRACKC, ELDBC, ELDUC, ERDINFO): %s\n",
+           bool2str(cpu_checker.sgx_mem_concurrency_supported()));
+    printf("CET enclave attributes support (See Table 37-5 in the SDM): %s\n",
+           bool2str(cpu_checker.cet_supported()));
+    printf("Key separation and sharing (KSS) support (CONFIGID, CONFIGSVN, ISVEXTPRODID, "
+           "ISVFAMILYID report fields): %s\n", bool2str(cpu_checker.kss_supported()));
+    printf("Max enclave size (32-bit): 0x%" PRIx64 "\n", cpu_checker.maximum_enclave_size_x86());
+    printf("Max enclave size (64-bit): 0x%" PRIx64 "\n", cpu_checker.maximum_enclave_size_x64());
+    printf("EPC size: 0x%" PRIx64 "\n", cpu_checker.epc_region_size());
+    printf("SGX driver loaded: %s\n", bool2str(sgx_driver_loaded()));
+    printf("SGX PSW/libsgx installed: %s\n", bool2str(psw_installed()));
+    printf("AESMD running: %s\n", bool2str(aesmd_running()));
+}
+
+int main(int argc, char* argv[]) {
+    bool quiet = (argc >= 2) && !strcmp(argv[1], "--quiet");
+
+    SgxCpuChecker cpu_checker;
+    if (!quiet)
+        print_detailed_info(cpu_checker);
+
+    if (!cpu_checker.cpuid_supported() || !cpu_checker.is_intel_cpu()
+        || !cpu_checker.sgx_supported() || (!cpu_checker.sgx1_supported()
+                                            && !cpu_checker.sgx2_supported()))
+        return ExitCodes::NO_CPU_SUPPORT;
+    // We currently fail also when only one from 32/64 bit modes is available.
+    if (cpu_checker.maximum_enclave_size_x86() == 0
+        || cpu_checker.maximum_enclave_size_x64() == 0
+        || cpu_checker.epc_region_size() == 0)
+        return ExitCodes::NO_BIOS_SUPPORT;
+    if (!psw_installed())
+        return ExitCodes::PSW_NOT_INSTALLED;
+    if (!aesmd_running())
+        return ExitCodes::AESMD_NOT_RUNNING;
+    return ExitCodes::SUCCESS;
+}