Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

About EPC limitation in SGXv2?

pp__monkeyking
Beginner

Hello everyone,

1. We know that the EPC limitation is 128MB in SGXv1;

2. But,
1) What is the EPC limit in SGXv2?
2) Where can I see the introduction of EPC limitation in SGXv2?

3. SGXv2 supports EDMM, so:
1) What is the maximum value of statically allocated memory?
2) What is the maximum value of dynamically allocated memory?

Sahira_Intel
Moderator

Hi,


EPC size is still limited to 128 MB in SGX2.

Here is some more useful information about dynamic and static memory allocation in SGX2: https://caslab.csl.yale.edu/workshops/hasp2016/HASP16-16_slides.pdf#page=8


As far as the maximum value, let me look into that for you.


Sincerely,

Sahira


pp__monkeyking
Beginner

Hi,

First of all, thank you for your reply;

However, on the following pages, I see these descriptions:

1. https://www.intel.com/content/www/us/en/products/docs/processors/xeon/3rd-gen-xeon-scalable-processo...
Support for up to 512 GB Intel SGX enclave capacity, per CPU, available on multiple SKUs. See SKU table on Page 14 for more details.
SKU'S Supporting Maximum Intel SGX Enclave Capacity

2. https://github.com/intel/linux-sgx/issues/899
Our 3rd Generation Xeon Scalable CPUs (aka Ice Lake Server - "ICX") did switch to using a technology called Total Memory Encryption - Multi-Key (TME-MK) (Whitepaper) that uses AES-XTS, moving away from the Memory Encryption Engine that the consumer and Xeon E CPUs used. This allowed us to massively increase the possible EPC size (up to 512GB/CPU) as well as gain a big increase in performance. More info about SGX on our multi-package, Scalable platforms here.

 

3. https://www.intel.com/content/www/us/en/support/articles/000089550/software/intel-security-products....
Additional information
Most platforms have either 128 MB or 256 MB of PRM. The exception are 3rd Generation Intel® Xeon® Scalable processors, which each support 512GB of PRM size, adding up to 1TB on a two-socket platform.

 

===========================================================

I don't understand the difference between SGX Enclave Capacity and SGX Enclave EPC?

Sahira_Intel
Moderator

Hi,

Let me rephrase, SGX2 does not affect EPC. SGX2 just allows you to dynamically manage memory.

Maximum enclave capacity is determined by your OS. Linux supports paging, so the amount of memory you can allocate to an enclave is not limited by the EPC size or amount of available memory. So the size of the enclave can be as large as MaxEnclaveSize. Windows does not support paging, so the maximum size of an enclave is limited by the available EPC, which goes back to what you mentioned above about different platforms having different PRM sizes. (note that only a portion of PRM is reserved for EPC). See more information about how to find the size of EPC on your platform here

 

SGX Enclave Capacity and SGX Enclave EPC are terms that are used interchangeably - they are referring to the same thing. 

There is a document that describes Dynamic Memory Allocation in SGX2 here: https://caslab.csl.yale.edu/workshops/hasp2016/HASP16-17.pdf

 

Hope this is helpful, please let me know if you have more questions. 

Sincerely,

Sahira
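
The EPC size and MaxEnclaveSize mentioned in the reply above are both reported through CPUID leaf 12H. The following is an added example, not part of the original thread and not Intel's code: it decodes those fields as laid out in the Intel SDM. The function names are hypothetical, and the register values in `main` are constructed and used only when the CPU does not report SGX.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Size in bytes of the EPC section described by CPUID.(EAX=12H, ECX=n>=2),
 * or 0 when EAX[3:0] != 1 (no further sections). The size is split into
 * bits 31:12 in ECX and bits 51:32 in EDX[19:0]. */
uint64_t epc_section_size(uint32_t eax, uint32_t ecx, uint32_t edx)
{
    if ((eax & 0xF) != 1) return 0;
    return ((uint64_t)(edx & 0xFFFFF) << 32) | (ecx & 0xFFFFF000u);
}

/* MaxEnclaveSize for 64-bit enclaves: 2^EDX[15:8] of CPUID.(EAX=12H, ECX=0). */
uint64_t max_enclave_size_64(uint32_t edx0)
{
    unsigned exp = (edx0 >> 8) & 0xFF;
    return exp < 64 ? 1ULL << exp : 0;  /* 0: exponent does not fit */
}

/* Sum consecutive valid sections; regs[i] = {EAX, EBX, ECX, EDX}. */
uint64_t total_epc(uint32_t regs[][4], int n)
{
    uint64_t total = 0;
    for (int i = 0; i < n && (regs[i][0] & 0xF) == 1; i++)
        total += epc_section_size(regs[i][0], regs[i][2], regs[i][3]);
    return total;
}

int main(void)
{
    /* Constructed sub-leaf values (one section); replaced by live CPUID data. */
    uint32_t regs[8][4] = {{0x70200001, 0, 0x05D80001, 0}};
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 2))) {
        __get_cpuid_count(0x12, 0, &a, &b, &c, &d);  /* EAX[0]=SGX1, [1]=SGX2 */
        printf("SGX1=%u SGX2=%u MaxEnclaveSize_64=%llu bytes\n", a & 1,
               (a >> 1) & 1, (unsigned long long)max_enclave_size_64(d));
        for (int i = 0; i < 8; i++)
            __get_cpuid_count(0x12, 2 + i, &regs[i][0], &regs[i][1],
                              &regs[i][2], &regs[i][3]);
    }
#endif
    printf("EPC: %llu MiB\n", (unsigned long long)(total_epc(regs, 8) >> 20));
    return 0;
}
```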

pp__monkeyking
Beginner

Hi,

Thank you for your quick reply.

I have a few additional questions:

1. Is there any sample code for demonstrating the new features of SGXv2 (such as EDMM, Dynamic Memory Allocation, etc.)?

2. Is there an Intel GPU (Graphics Processing Unit) that has implemented SGX-like technology?

3. Which NUC kits or desktop computers already support Intel SGXv2?

Thanks.

Sahira_Intel
Moderator

Hi,

 

This might be helpful to you, it describes what parameters to edit in the Enclave Config File to create an enclave that allocates memory dynamically: https://www.intel.com/content/www/us/en/support/articles/000088648/software/intel-security-products....

 

No, there is not an Intel GPU that has SGX technology. 

 

There are 2 NUC Kits that are enabled for SGX development that support SGX2:

 

As far as any other systems that support SGX2, systems with processors formerly known as Gemini Lake or processors formerly known as Ice Lake support SGX2. Note that just because SGX2 (or any SGX feature) is supported in the processor, does not mean it is enabled in the BIOS. You must confirm with the system manufacturer if it is supported in the BIOS. 

 

Sincerely,

Sahira
