Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Enclave signing printout required memory

bitflipper101
Beginner

Hello,

The sign executable in the SDK (at .../linux/installer/bin/sgxsdk/sign) gives me the following printout:

<EnclaveConfiguration>
<ProdID>0</ProdID>
<ISVSVN>0</ISVSVN>
<StackMaxSize>0x9000000</StackMaxSize>
<HeapMaxSize>0x9000000</HeapMaxSize>
<TCSNum>10</TCSNum>
<TCSPolicy>1</TCSPolicy>
<!-- Recommend changing 'DisableDebug' to 1 to make the enclave undebuggable for enclave release -->
<DisableDebug>0</DisableDebug>
<MiscSelect>0</MiscSelect>
<MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>
tcs_num 10, tcs_max_num 10, tcs_min_pool 1
The required memory is 1671802880B.
The required memory is 0x63a5b000, 1632620 KB.
Succeed.
SIGN => build/enclave.signed.so
The project has been built in debug hardware mode.

 

I am interested in the "required memory" line (~=1.6GB). I am unsure how this is being calculated? Does this mean running this program inside an enclave will use all of the available 128MB (~90MB after overhead) and swap in and out to main untrusted RAM?

 

The program should not be using that much memory by design, so wondering about how this is calculated?

 

Thanks

 

 

JesusG_Intel
Moderator

Hello bitflipper101,


Your question is answered in this thread: https://community.intel.com/t5/Intel-Software-Guard-Extensions/The-number-of-allocated-pages-to-the-enclave/m-p/1159049, specifically here https://community.intel.com/t5/Intel-Software-Guard-Extensions/The-number-of-allocated-pages-to-the-enclave/m-p/1159054/highlight/true#M2804 and https://community.intel.com/t5/Intel-Software-Guard-Extensions/The-number-of-allocated-pages-to-the-enclave/m-p/1159050/highlight/true#M2800.


In Linux, it is possible to allocate memory for an enclave that is larger than the EPC size because Linux supports page swapping of EPC pages. However, Windows does not support swapping of EPC pages so your enclave must fit within the EPC limit in Windows.





bitflipper101
Beginner

Thanks JesusG. 

So changing the TCSNum in the config should reduce this memory requirement?

My assertion is correct that my program requires ~1.6GB of memory? Do you have any more info on how this is calculated? 

Thanks

JesusG_Intel
Moderator

Hello bitflipper,


Yes, your enclave requires 1.6GB and reducing TCSNum will reduce your required memory. Please see this document for more info on Enclave memory footprint: https://caslab.csl.yale.edu/workshops/hasp2016/HASP16-17.pdf. See Page 2-Figure 1 and page 4, section 5.1, Figure 4.


The Enclave's memory footprint includes the Thread Context, Enclave Heap, and Enclave Code.


In other words, enclaves require more than just your code and data. There are also several other data structures that are used to secure and manage your enclave.


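Added example (not part of the original thread and not Intel's code): a sketch that parses the EnclaveConfiguration values from the signer printout above and shows that TCSNum x StackMaxSize + HeapMaxSize accounts for almost all of the reported 1671802880 bytes. It assumes each thread context reserves its own stack of StackMaxSize and that there is one shared heap; the function names are hypothetical, and the sample XML is constructed from the values in the question.

```python
import xml.etree.ElementTree as ET

# Constructed input: the size-related values from the printout in this thread.
CONFIG_XML = """<EnclaveConfiguration>
  <StackMaxSize>0x9000000</StackMaxSize>
  <HeapMaxSize>0x9000000</HeapMaxSize>
  <TCSNum>10</TCSNum>
</EnclaveConfiguration>"""

SIGNER_REPORTED = 1671802880     # "The required memory is 1671802880B."
EPC_BYTES = 128 * 1024 * 1024    # EPC size quoted in the question (128MB)
MIB = 1024 * 1024


def parse_config(xml_text):
    """Return (tcs_num, stack_max, heap_max) from an EnclaveConfiguration document."""
    root = ET.fromstring(xml_text)

    def num(tag):
        # Base 0 accepts both 0x-prefixed hex and plain decimal values.
        return int(root.findtext(tag).strip(), 0)

    return num("TCSNum"), num("StackMaxSize"), num("HeapMaxSize")


def stack_heap_bytes(tcs_num, stack_max, heap_max):
    """Assumed model: one stack per thread context plus a single shared heap."""
    return tcs_num * stack_max + heap_max


def report(xml_text, signer_reported=None):
    """Summarise how much of the footprint comes from stacks and heap alone."""
    tcs, stack, heap = parse_config(xml_text)
    reserved = stack_heap_bytes(tcs, stack, heap)
    out = {"stack_heap": reserved, "exceeds_epc": reserved > EPC_BYTES}
    if signer_reported is not None:
        # Remainder: everything else the signer counts (code, data,
        # per-thread control structures and other management pages).
        out["other"] = signer_reported - reserved
    return out


if __name__ == "__main__":
    r = report(CONFIG_XML, SIGNER_REPORTED)
    print(f"stacks + heap: {r['stack_heap'] / MIB:.0f} MiB, other: {r['other'] / MIB:.1f} MiB")
    _, stack, heap = parse_config(CONFIG_XML)
    one = stack_heap_bytes(1, stack, heap)   # hypothetical TCSNum of 1
    print(f"with TCSNum=1: {one / MIB:.0f} MiB, exceeds EPC: {one > EPC_BYTES}")
```

With these values the stacks and heap alone come to 0x63000000 bytes, which is the bulk of the signer's 0x63a5b000, so lowering TCSNum or StackMaxSize is what moves the total.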
bitflipper101
Beginner

Thanks JesusG. 

I reduced my TCSNum and the memory requirement came down to ~300MB. 

I'm confused about how my enclave is functioning - this stems from the fact that my machine is SGX1 enabled, but the paper seems to mainly discuss SGX2 instruction capabilities - dynamic heap management, stack expansion, and thread context creation.

Are some of the functionalities in the Linux driver but not necessarily targeting SGX2 instructions?

JesusG_Intel
Moderator

Hello bitflipper101,


I didn't mean to confuse you with that paper on SGX 2. I just wanted you to see the graphical representations of the SGX memory layout so you can see all the different components. Since your system is SGX 1, only Figure 1 is relevant to you.


JesusG_Intel
Moderator

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.

