Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Intel SGX Enclave Virtual Memory Limit

AAhma10
Novice
1,414 Views

Hi,

I wanted to inquire whether there is a maximum limit set on the virtual memory that can be allocated to an enclave? If yes, can you please tell me what it is and the reason for it?

Thanks!

Adil

6 Replies
Surenthar_S_Intel

The 6th generation core processors that support SGX only support the v1.0 instruction set. The additional functionality in the v2 set is not yet available. (I have no statement on the intercept of the v2.0 instructions at this time.)

Enclave Page Cache (EPC) is a subset of Processor Reserved Memory (PRM). BIOS reserves PRM, and then the HW carves out EPC from that region, depending on the amount of metadata the MEE requires. So when the BIOS reserves 128 MB PRM, the EPC carve-out is ~90 MB.

-Surenthar

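The EPC figure Surenthar describes is something the hardware itself reports: CPUID leaf 0x12, sub-leaves 2 and up, enumerate the EPC sections with their physical base and size. The program below is an added example, not code from this thread or from Intel; it decodes those sub-leaves according to the layout in the Intel SDM (EAX[3:0] section type, base = EBX[19:0]:EAX[31:12], size = EDX[19:0]:ECX[31:12]) and sums the section sizes. It assumes GCC or Clang on x86; on a CPU that does not advertise SGX, or on another architecture, it reports 0 rather than failing.

```c
/* Added example (not from this thread): read the EPC sections the CPU reports
 * through CPUID leaf 0x12, sub-leaves 2 and up, and sum their sizes. The sum
 * is the hardware's own figure for the EPC carved out of the BIOS-reserved PRM
 * (the "~90MB" out of a 128MB PRM mentioned in the thread). Sub-leaf layout
 * follows the Intel SDM description of CPUID.(EAX=12H, ECX=n>=2).
 * Built with GCC or Clang; on non-x86 or non-SGX hardware it reports 0. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define MAX_EPC_SUBLEAVES 16   /* sanity cap on the scan; real systems have a few */

/* Decode one EPC sub-leaf. EAX[3:0] is the section type (0 = invalid, 1 = EPC
 * section); base = EBX[19:0]:EAX[31:12], size = EDX[19:0]:ECX[31:12], both
 * 4 KiB-granular. Returns 1 and fills *base/*size for a valid EPC section,
 * 0 otherwise. Pure function, so it can be checked with constructed values. */
int decode_epc_section(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx,
                       uint64_t *base, uint64_t *size)
{
    if ((eax & 0xFu) != 1u)
        return 0;
    *base = ((uint64_t)(ebx & 0xFFFFFu) << 32) | (eax & 0xFFFFF000u);
    *size = ((uint64_t)(edx & 0xFFFFFu) << 32) | (ecx & 0xFFFFF000u);
    return 1;
}

/* 1 if the CPU advertises SGX (CPUID.(EAX=7,ECX=0):EBX bit 2) and leaf 0x12 is
 * within the maximum basic leaf; 0 otherwise. This says nothing about whether
 * the BIOS actually enabled SGX and reserved PRM. */
int cpu_advertises_sgx(void)
{
#if HAVE_CPUID
    unsigned int a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 0x12u)
        return 0;
    __cpuid_count(7, 0, a, b, c, d);
    return (int)((b >> 2) & 1u);
#else
    return 0;
#endif
}

/* Total EPC size in bytes across all reported sections; 0 without SGX. */
uint64_t total_epc_bytes(void)
{
    uint64_t total = 0;
#if HAVE_CPUID
    uint64_t base, size;
    unsigned int a, b, c, d;
    if (!cpu_advertises_sgx())
        return 0;
    for (unsigned int sub = 2; sub < 2 + MAX_EPC_SUBLEAVES; sub++) {
        __cpuid_count(0x12, sub, a, b, c, d);
        if (!decode_epc_section(a, b, c, d, &base, &size))
            break;                      /* first invalid sub-leaf ends the list */
        total += size;
    }
#endif
    return total;
}

int main(void)
{
    uint64_t epc = total_epc_bytes();
    if (epc == 0)
        printf("CPUID does not advertise SGX on this CPU\n");
    else
        printf("EPC reported by CPUID: %llu MiB\n", (unsigned long long)(epc >> 20));
    return 0;
}
```

The CPUID value is the size of the EPC as carved out by hardware, not the PRM size set in BIOS, so it is the number to compare against when an enclave population fails to fit; note that on Windows, where the thread says there is no EPC paging, this is the hard ceiling for all active enclaves together.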
AAhma10
Novice

Thanks for the reply! I apologize, since my question wasn't clear enough. I actually want to inquire about the maximum virtual address space that an enclave can occupy. Since the complete virtual address space has to be included in the measurement, is there a limit to which we can extend the virtual address space?

Some researchers have hinted that the maximum virtual address space is 64 GB. Is that correct? If yes, can you please explain why such a limit exists?

Thanks!

Surenthar_S_Intel

On Windows you are limited to the size of the enclave page cache, which is somewhere around 90 MB. The EPC is part of the processor reserved memory that is used by SGX, and is limited in the BIOS. The reason it's limited is because this memory is not available for use by other applications (or the OS) once SGX is enabled. Because there is no support for paging in Windows, you can't allocate more memory than this. All active enclaves have to fit within the EPC.

On Linux there is support for paging so enclaves are not limited to the size of the EPC. They can theoretically consume all the memory and virtual memory available to the system (minus the needs of the OS).

-Surenthar

AAhma10
Novice

That answers my question. Thank you!

E_-O__B_
Beginner

Sorry for reviving this old thread, but if I run the simple code below in an enclave (with SGX_MODE=HW), malloc eventually returns 0 (at around the 70th iteration). I have installed the Linux SDK/PSW/driver module, and "small" programs run fine. Do you have any advice? It runs fine in software emulation mode.


#include <stdlib.h>
/* 96 x 1 MiB allocations from the enclave heap; malloc returns 0 once the heap is exhausted */
for (int i = 0; i < 96; i++) {
  malloc(1024 * 1024);
}

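The loop in the post above never looks at what malloc returns, so the first NULL is only noticed when something dereferences it. The function below is an added example, not the poster's code or part of the Intel SDK: it allocates 1 MiB blocks until malloc returns NULL or a caller-supplied cap is reached, touches each block so it is really backed, frees everything, and returns the count. It is plain C with no I/O, so it can be called unchanged from a trusted (ecall) function to measure the enclave heap; the host-side main shown is for running it as an ordinary process, where it simply measures the process heap. One fact not from this thread but from the Intel SGX SDK documentation: in the Linux SDK the enclave heap ceiling is set by the HeapMaxSize value in the enclave configuration XML, so a probe that stops well below the EPC size usually points at that setting rather than at the EPC.

```c
/* Added example (not the poster's code): probe how many 1 MiB blocks the heap
 * hands out before malloc returns NULL, then release them all. Checking the
 * return value turns the silent 0 seen around iteration 70 into a number the
 * caller can act on. No I/O, so it can be compiled into a trusted enclave
 * function; run on the host it measures the ordinary process heap instead. */
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

#define PROBE_BLOCK_BYTES (1024u * 1024u)   /* same 1 MiB step as the post */

/* Allocate up to max_blocks blocks of PROBE_BLOCK_BYTES; stop at the first NULL.
 * Returns the number of blocks obtained. Every block is freed before return,
 * so the probe leaves the heap as it found it. */
size_t probe_heap_mib(size_t max_blocks)
{
    void **blocks = malloc(max_blocks * sizeof *blocks);   /* bookkeeping only */
    size_t got = 0;
    if (blocks == NULL || max_blocks == 0) {
        free(blocks);
        return 0;
    }
    while (got < max_blocks) {
        void *p = malloc(PROBE_BLOCK_BYTES);
        if (p == NULL)              /* heap ceiling reached: stop, do not crash */
            break;
        /* Touch both ends so the block is actually backed, not merely reserved. */
        ((volatile unsigned char *)p)[0] = 1;
        ((volatile unsigned char *)p)[PROBE_BLOCK_BYTES - 1] = 1;
        blocks[got++] = p;
    }
    for (size_t i = 0; i < got; i++)
        free(blocks[i]);
    free(blocks);
    return got;
}

/* Host-side driver (printf is not available inside an enclave). Inside an
 * enclave, return the count from the ecall and print it on the untrusted side. */
int main(void)
{
    size_t n = probe_heap_mib(96);   /* the post's 96 MiB target */
    printf("obtained %zu of 96 MiB blocks before malloc returned NULL\n", n);
    return 0;
}
```

Calling this from an ecall with the same 96 cap gives the exact iteration at which the configured heap runs out, which is the first thing to compare against the enclave's configuration before suspecting the driver or the EPC.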
Meysam_t_
Beginner

Thanks, Surenthar, for your reply.

I have a question related to this topic.

Why is PRM or EPC limited in Intel CPUs? Is it some restriction posed by the hardware, or is it for the sake of security?

Thanks

Meysam
