Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Determine the max creatable SGX enclave (EPC)

apklub
Beginner
606 Views

I couldn't find a way of determining what would be the max creatable enclave using the SGX SDK. Is there any way of fetching these capabilities? This is especially useful in cloud environments where you can create virtual machines with EPC sections and you don't know the actual usable size of the provisioned EPC.  

1 Solution
JesusG_Intel
Moderator
586 Views

Hello apklub,


The SGX SDK does not provide a way to find the maximum EPC size but it is possible to determine the size of your EPC programmatically by checking the processor registers. Test-sgx demonstrates this.

 

There are a few ways to determine the maximum EPC size on your processor. Below are the easiest two methods, programmatically and in BIOS.

 

Method 1:

  1. Go to the SGX Hardware GitHub and download the file test-sgx.c or clone the repository
  2. Compile and run test-sgx.c according to these instructions:

$ git clone https://github.com/ayeks/SGX-hardware.git
$ cd SGX-hardware/
$ gcc test-sgx.c -o test-sgx
$ ./test-sgx


Look for output like:

CPUID Leaf 12H, Sub-Leaf 2 of Intel SGX Capabilities (EAX=12H,ECX=2)

eax: 70200001 ebx: 0 ecx: 5d80001 edx: 0

size of EPC section in Processor Reserved Memory, 93 M

On my system ecx: 5d80000 = 93MB


The maximum enclave size is reported in MaxEnclaveSize

MaxEnclaveSize_Not64: the maximum supported enclave size is 2^(EDX[7:0]) bytes when not in 64-bit mode

MaxEnclaveSize_64: the maximum supported enclave size is 2^(EDX[15:8]) bytes when operating in 64-bit mode.

So the maximum Virtual Size of the enclave is 2^(0x1f) for 32bit and 2^(0x24) for 64bit enclaves.


Refer to the values returned by the CPUID call (Section 37.7.2, Table 37-6 of the IA Software Developer Manual Vol 3d Part 4)

 

Method 2:

Find the SGX Processor Reserved Memory size in BIOS. It will be listed differently depending on your BIOS but you can usually find the SGX memory setting next to the SGX enable setting.

 

Windows does not support paging for SGX enclaves, so you are limited to the EPC size. Linux supports paging so the amount of memory you can allocate to an enclave is not limited by the EPC size.
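
The register decoding described in the answer above, as an added example (not part of the original post and not code from the SGX-hardware repository). It sums every EPC section reported by CPUID leaf 12H and prints both MaxEnclaveSize fields; the function names are assumptions, and it relies on GCC/Clang's <cpuid.h>.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#endif

/* Bytes in one EPC section, from CPUID.(EAX=12H,ECX>=2).
 * Returns 0 when EAX[3:0] != 1 (sub-leaf is not a valid EPC section). */
uint64_t epc_section_size(uint32_t eax, uint32_t ecx, uint32_t edx)
{
    if ((eax & 0xf) != 1)
        return 0;
    /* ECX[31:12] holds size bits 31:12, EDX[19:0] holds size bits 51:32. */
    return ((uint64_t)(edx & 0xfffff) << 32) | (ecx & 0xfffff000u);
}

/* MaxEnclaveSize from CPUID.(EAX=12H,ECX=0):EDX, as log2 of the byte count. */
unsigned max_enclave_log2(uint32_t edx, int mode64)
{
    return mode64 ? (edx >> 8) & 0xff : edx & 0xff;
}

int main(void)
{
#ifdef HAVE_CPUID
    unsigned a, b, c, d;
    uint64_t total = 0;
    /* SGX support flag: CPUID.(EAX=07H,ECX=0):EBX[2]. */
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !(b & (1u << 2))) {
        puts("SGX not reported by CPUID");
        return 1;
    }
    __get_cpuid_count(0x12, 0, &a, &b, &c, &d);
    printf("max enclave size: 2^%u bytes (32-bit), 2^%u bytes (64-bit)\n",
           max_enclave_log2(d, 0), max_enclave_log2(d, 1));
    /* Walk sub-leaves 2, 3, ... until one is not a valid EPC section. */
    for (unsigned i = 2; __get_cpuid_count(0x12, i, &a, &b, &c, &d); i++) {
        uint64_t sz = epc_section_size(a, c, d);
        if (sz == 0)
            break;
        printf("EPC section %u: %llu MiB\n", i - 2, (unsigned long long)(sz >> 20));
        total += sz;
    }
    printf("total EPC: %llu MiB\n", (unsigned long long)(total >> 20));
#else
    puts("CPUID is only available on x86");
#endif
    return 0;
}
```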



2 Replies
JesusG_Intel
Moderator
563 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

