I am trying to create an enclave of 50 GB maxheapsize (on a multisocket machine which has 128GB of EPC memory). The initialization of smaller enclaves in hardware mode happens without problems and I am able to run my code inside the enclave. But once I try to start an enclave with a big maxheapsize (several gigabytes) my program gets stuck on the enclave init step and I am unable to continue the execution of the program. I tried leaving it running for an hour or so but it was still stuck on the enclave creation step.
Can someone help me explain/solve this problem?
It is expected that initializing large amounts of memory for an enclave heap will take a long time. Initializing and adding memory to the EPC for an enclave is much more complex than a simple memory allocation in a regular application. Before a chunk of memory is added to the EPC it must go through several security checks, including being measured using a 256-bit SHA-2 secure hash function.
If the processor supports Intel® Software Guard Extensions (Intel® SGX) SGX2, in the Enclave Configuration File:
- set HeapMaxSize to the largest amount of memory the enclave will require
- set HeapInitSize to something minimal.
HeapInitSize is the amount to fully initialize (i.e. EADD the page then EEXTEND it) at enclave launch, which takes time. With a minimal initialization size, it would be quicker, and the rest of the memory would only be added utilizing the SGX2 instructions when allocated, via malloc, by the enclave during runtime.
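To make the difference between the two settings concrete, here is an added example (not part of the original thread) that reads an Enclave Configuration File and counts how many heap pages are EADDed and EEXTENDed at launch versus left for on-demand allocation. The two sample configurations and the function name `heap_launch_cost` are constructed for illustration; it assumes 4 KiB EPC pages and that one EEXTEND measures 256 bytes.

```python
import xml.etree.ElementTree as ET

PAGE_SIZE = 4096      # EPC page size in bytes
EEXTEND_CHUNK = 256   # bytes measured by a single EEXTEND

# Constructed sample: the whole 50 GB heap is initialized at launch.
EAGER_CONFIG = """<EnclaveConfiguration>
  <HeapInitSize>0xC80000000</HeapInitSize>
  <HeapMaxSize>0xC80000000</HeapMaxSize>
</EnclaveConfiguration>"""

# Constructed sample: one page at launch, the rest added on demand (SGX2).
LAZY_CONFIG = """<EnclaveConfiguration>
  <HeapInitSize>0x1000</HeapInitSize>
  <HeapMaxSize>0xC80000000</HeapMaxSize>
</EnclaveConfiguration>"""


def heap_launch_cost(config_xml):
    """Return launch-time and deferred heap page counts for a config."""
    root = ET.fromstring(config_xml)
    sizes = {}
    for tag in ("HeapInitSize", "HeapMaxSize"):
        node = root.find(tag)
        if node is None or not node.text:
            raise ValueError(f"{tag} missing from enclave configuration")
        value = int(node.text.strip(), 0)  # accepts 0x-prefixed hex
        if value % PAGE_SIZE:
            raise ValueError(f"{tag} is not page aligned: {value:#x}")
        sizes[tag] = value
    if sizes["HeapInitSize"] > sizes["HeapMaxSize"]:
        raise ValueError("HeapInitSize exceeds HeapMaxSize")
    init_pages = sizes["HeapInitSize"] // PAGE_SIZE
    return {
        "eadd_pages": init_pages,  # pages added before the enclave runs
        "eextend_ops": init_pages * (PAGE_SIZE // EEXTEND_CHUNK),
        "deferred_pages": sizes["HeapMaxSize"] // PAGE_SIZE - init_pages,
    }


if __name__ == "__main__":
    for name, cfg in (("eager", EAGER_CONFIG), ("lazy", LAZY_CONFIG)):
        print(name, heap_launch_cost(cfg))
```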