Selecting the Owner EPOCH input type

Use this task to change the seed for the security key that locks the protected memory region (enclave). The Intel drivers use the seed to create a key to lock the secure memory enclave. The system ships with a default seed. Change this seed at startup to secure your memory.

There are two input type options:
  • Generate random values through the BIOS - the BIOS generates a value. You cannot change a system-generated value.

  • Manually enter values - you enter a value that you can change.

NOTE:

Changing the Owner EPOCHs destroys the data in any existing enclaves.

Prerequisites

Intel Software Guard Extensions (SGX) is enabled.

Procedure
  1. From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > System Options > Processor Options > Select Owner EPOCH input type and press Enter.
  2. Select a setting and press Enter.
    1. No Change in Owner EPOCHs - Do not change the current input type.
    2. Change to New Random Owner EPOCHs - Change EPOCH to a system-generated random number.
    3. Manual User Defined Owner EPOCHs - Change the EPOCH seed to a hexadecimal value that you enter.
  3. Press Enter. The system advises you to write down the EPOCH values that the system will generate or that you will enter.
  4. Optional: To not change the current EPOCH value, select No Change in Owner EPOCHs and press Enter. Continue with Step 7.
  5. Optional: To have the system generate a random EPOCH value:
    1. Select Change to New Random Owner EPOCHs and press Enter.
      The system generates and displays the EPOCH values:
      • Software Guard Extensions Epoch 0 [<hexadecimal value>]

      • Software Guard Extensions Epoch 1 [<hexadecimal value>]

      You cannot edit these values.

    2. Write down the values. They are not shown again after you leave this screen.
    3. Continue with Step 7.
  6. Optional: To manually enter an EPOCH value:
    1. Select Manual User Defined Owner EPOCHs and press Enter.

      The system prompts you to enter the EPOCH values:

      • Software Guard Extensions Epoch 0 [ ]

      • Software Guard Extensions Epoch 1 [ ]

    2. Enter a 1-16 digit hexadecimal value for each EPOCH value.
    3. Write down the values. They are not shown again after you leave this screen.
    4. Continue with Step 7.
  7. Press F10.

    After you exit, the option is automatically set to No Change in Owner EPOCHs.
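
The following helper is an added example, not part of the vendor documentation. It prepares values for the Manual User Defined Owner EPOCHs option on an administrator workstation: it draws two values from the operating system's CSPRNG and checks hand-chosen values against the 1-16 digit hexadecimal rule in Step 6. The function names and the warning policy are assumptions of this example, not BIOS behavior.

```python
import re
import secrets

# Rule from Step 6 of the procedure: each EPOCH is a 1-16 digit hexadecimal value.
EPOCH_RE = re.compile(r"[0-9A-Fa-f]{1,16}")


def validate_epoch(value: str) -> str:
    """Return the value upper-cased if it fits the documented field format, else raise."""
    value = value.strip()
    if not EPOCH_RE.fullmatch(value):
        raise ValueError(f"not a 1-16 digit hexadecimal value: {value!r}")
    return value.upper()


def generate_epochs() -> tuple[str, str]:
    """Two independent 64-bit values from the OS CSPRNG, 16 hex digits each."""
    return secrets.token_hex(8).upper(), secrets.token_hex(8).upper()


def review_manual_epochs(epoch0: str, epoch1: str) -> list[str]:
    """Validate both values and list weaknesses worth fixing before entry.

    The warnings are this example's own policy (an assumption), not a BIOS rule:
    the BIOS field accepts any 1-16 digit hexadecimal value.
    """
    e0, e1 = validate_epoch(epoch0), validate_epoch(epoch1)
    warnings = []
    for name, value in (("Epoch 0", e0), ("Epoch 1", e1)):
        if len(value) < 16:
            warnings.append(
                f"{name}: only {len(value)} of 16 digits used "
                f"(at most {4 * len(value)} bits)"
            )
        if len(set(value)) == 1:
            warnings.append(f"{name}: a single repeated digit")
    if e0 == e1:
        warnings.append("Epoch 0 and Epoch 1 are identical")
    return warnings


if __name__ == "__main__":
    # Record these before entering them; the BIOS does not show them again.
    first, second = generate_epochs()
    print(f"Software Guard Extensions Epoch 0 [{first}]")
    print(f"Software Guard Extensions Epoch 1 [{second}]")
```

Run the script on a trusted workstation and store the output with the same care as the written-down values in Steps 5 and 6, because changing the Owner EPOCHs later destroys the data in any existing enclaves.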