topic On Windows you are limited to in Intel® Software Guard Extensions (Intel® SGX)

Intel SGX Enclave Virtual Memory Limit

AAhma10 — Tue, 08 Nov 2016 20:17:47 GMT

Hi,

I wanted to inquire whether there is a maximum limit set on the virtual memory that can be allocated to an enclave? If yes, can you please tell me what it is and the reason for it?

Thanks!

Adil

The 6th generation core

Surenthar_S_Intel — Wed, 09 Nov 2016 12:43:56 GMT

The 6th generation core processors that support SGX only support the v1.0 instruction set. The addition functionality in the v2 set are not yet available.(I have no statement on the intercept of the v2.0 instructions at this time).

Enclave Page Cache (EPC) is a subset of Processor Reserved Memory (PRM), BIOS reserves PRM and then the HW carves out EPC from that region, depending on the amount of metadata the MEE requires. So when the BIOS reserves 128MB PRM the EPC carve out is ~90MB.

-Surenthar

Thanks for the reply! I

AAhma10 — Wed, 09 Nov 2016 20:44:33 GMT

Thanks for the reply! I apologize since my question wasn't clear enough. I actually want to inquire about the maximum virtual address space that an enclave can occupy? Since the complete virtual address space has to be included in the measurement, is there a limit to which we can extend the virtual address space?

Some researchers have hinted that the maximum virtual address space is 64GB. Is that correct? If yes, can you please explain why such a limit exists?

Thanks!

On Windows you are limited to

Surenthar_S_Intel — Thu, 10 Nov 2016 07:25:41 GMT

On Windows you are limited to the size of the enclave page cache, which is somewhere around 90 MB. The EPC is part of the processor reserved memory that is used by SGX, and is limited in the BIOS. The reason it's limited is because this memory is not available for use by other applications (or the OS) once SGX is enabled. Because there is no support for paging in Windows, you can't allocate more memory than this. All active enclaves have to fit within the EPC.

On Linux there is support for paging so enclaves are not limited to the size of the EPC. They can theoretically consume all the memory and virtual memory available to the system (minus the needs of the OS).

-Surenthar

That answers my question.

AAhma10 — Sun, 13 Nov 2016 05:23:32 GMT

That answers my question. Thank you!

Sorry for reviving this old

E_-O__B_ — Wed, 16 Nov 2016 11:03:31 GMT

Sorry for reviving this old thread, but if I run the simple code below in an enclave (with SGX_MODE=HW) malloc eventually returns 0 (at around the 70th iteration). I have installed the Linux SDK/PSW/driver module, and "small" programs run fine. Do you have an advice? It runs fine in software emulation mode.

for (int i=0;i<96;i++) {
  malloc(1024*1024);
}

Thanks Surenthar for your

Meysam_t_ — Sun, 18 Jun 2017 22:04:34 GMT

Thanks Surenthar for your reply,

I have a question related to this topic.

Why PRM or EPC is limited in Intel CPUs/ it is some restriction posed by hardware or it is for the sake of security?

thanks

Meysam