Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Intel SGX & Life Cycle of an Enclave

Kumar__Dixit
Novice

Hello everyone, 

After reading the forum post "Number of enclaves in an Application", I learned that SGX supports multiple enclaves within an application.

But after reading Intel SGX Explained, Section 5.3, I got confused: how does SGX maintain the enclave life cycle when there are multiple enclaves in the application?

I have some more fundamental doubts about the same. Kindly have a look.

  1. ECREATE sets the ELRANGE (base address and size of the enclave's sensitive pages) for an enclave. When an application has multiple enclaves, does ECREATE get called for each enclave separately? Also, how does ECREATE set the ELRANGE then?
  2. EADD and EEXTEND are used to load initial code and data into the EPC region. Now, when an application has multiple enclaves in it, are all the enclaves' initial sensitive pages loaded into the EPC (for attestation) at once, or do they get loaded one after another (when one enclave finishes its execution and another enclave needs to be executed)?
  3. Does the EREMOVE instruction get called for each enclave individually, or does it get called when all enclaves within the application have finished their jobs?

Regards,
Dixit

JesusG_Intel
Moderator

Hello Dixit,

Each enclave gets created and executed in its own "logical processor," which means they get executed in separate threads with their own Thread Control Structures (TCS). In this way, each enclave is completely independent. All of those instructions get executed for each enclave separately and independently. They do not interfere with each other's EPC either.

Regards,

Jesus

JesusG_Intel
Moderator

Each enclave is a separate shared library (DLL or .so), so an application does not "contain" enclaves. Rather, applications (untrusted) can create and call multiple enclaves. The enclave shared library is then dynamically linked and executed.

This is explained in more detail in the Intel Software Guard Extensions Developer Guide.


Regards,

Jesus

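The life cycle Dixit asks about, for two enclaves built side by side, as an added example that is not from this thread and not Intel's SDK or driver code: a toy C model of the EPC and EPCM in which ECREATE, EADD, EEXTEND, EINIT and EREMOVE are plain functions operating on C structures. The enclave base addresses, sizes and page contents are made up, FNV-1a stands in for the SHA-256 that the real instructions feed into MRENCLAVE, and only regular data pages are modelled (no TCS pages, no SGX2 EAUG, no eviction with EWB). Within those limits it shows what the answers above state: ECREATE runs once per enclave and fixes that enclave's own ELRANGE, EADD and EEXTEND run per enclave against that enclave's own SECS and measurement, a page of one enclave fails the EPCM check when another enclave touches it, and EREMOVE frees pages one at a time, with the SECS refused until its last page is gone.

```c
/* Toy model of the SGX page life cycle (ECREATE, EADD, EEXTEND, EINIT, EREMOVE)
 * with two enclaves sharing one EPC. Added example, not real SGX: EPC, EPCM and
 * SECS are plain C structures, the ELRANGEs are made up, and FNV-1a stands in
 * for the SHA-256 that real EADD/EEXTEND feed into MRENCLAVE. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define EPC_PAGES 16
#define PAGE_SIZE 4096
enum page_type { PT_FREE = 0, PT_SECS, PT_REG };
struct epcm_entry { enum page_type type; int owner; uint64_t linaddr; }; /* one per EPC page */
struct secs { uint64_t base, size; int initialized; uint64_t mrenclave; }; /* ELRANGE, state, hash */
static struct epcm_entry epcm[EPC_PAGES];
static struct secs secs_store[EPC_PAGES];      /* payload of PT_SECS pages */
static uint8_t epc_data[EPC_PAGES][PAGE_SIZE]; /* payload of PT_REG pages */
static int alloc_epc_page(void) {
    for (int i = 0; i < EPC_PAGES; i++) if (epcm[i].type == PT_FREE) return i;
    return -1; /* EPC full; real SGX would evict with EWB, out of scope here */
}
/* FNV-1a: a toy stand-in for SHA-256, enough to show how a measurement accumulates. */
static uint64_t toy_hash(uint64_t h, const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* A data page that enclave s may touch: PT_REG with EPCM owner s (free pages never match). */
static int owned_by(int s, int p) { return epcm[p].type == PT_REG && epcm[p].owner == s; }
/* ECREATE: one SECS per enclave, fixing that enclave's ELRANGE. SGX needs a
 * power-of-two size and a base aligned to it. Returns the SECS's EPC index. */
int ecreate(uint64_t base, uint64_t size) {
    if (size == 0 || (size & (size - 1)) || (base & (size - 1))) return -1;
    int s = alloc_epc_page();
    if (s < 0) return -1;
    epcm[s] = (struct epcm_entry){ PT_SECS, -1, 0 };
    secs_store[s] = (struct secs){ base, size, 0, 0xcbf29ce484222325ULL };
    return s;
}
/* EADD: copy a source page into a free EPC page and bind it to SECS s. Refused
 * after EINIT (SGX1 has no dynamic EADD) or outside the owner's ELRANGE. */
int eadd(int s, uint64_t linaddr, const uint8_t *src) {
    struct secs *e = &secs_store[s];
    if (epcm[s].type != PT_SECS || e->initialized || (linaddr & (PAGE_SIZE - 1))) return -1;
    if (linaddr < e->base || linaddr >= e->base + e->size) return -1;
    int p = alloc_epc_page();
    if (p < 0) return -1;
    memcpy(epc_data[p], src, PAGE_SIZE);
    epcm[p] = (struct epcm_entry){ PT_REG, s, linaddr };
    uint64_t off = linaddr - e->base;            /* EADD measures the page's offset, not its content */
    e->mrenclave = toy_hash(e->mrenclave, &off, sizeof off);
    return p;
}
/* EEXTEND: fold one 256-byte chunk of a page owned by s into s's MRENCLAVE. */
int eextend(int s, int p, unsigned chunk) {
    if (!owned_by(s, p) || secs_store[s].initialized || chunk >= PAGE_SIZE / 256) return -1;
    secs_store[s].mrenclave = toy_hash(secs_store[s].mrenclave, epc_data[p] + chunk * 256, 256);
    return 0;
}
/* EINIT: freeze MRENCLAVE; from here on the enclave can be entered but not extended. */
int einit(int s) {
    if (epcm[s].type != PT_SECS || secs_store[s].initialized) return -1;
    secs_store[s].initialized = 1;
    return 0;
}
/* EREMOVE: free one EPC page. A SECS is refused while any page still names it as owner. */
int eremove(int p) {
    if (epcm[p].type == PT_FREE) return -1;
    if (epcm[p].type == PT_SECS)
        for (int i = 0; i < EPC_PAGES; i++)
            if (epcm[i].type == PT_REG && epcm[i].owner == p) return -1; /* SGX_CHILD_PRESENT */
    memset(&epcm[p], 0, sizeof epcm[p]);
    return 0;
}
/* The EPCM check on an enclave-mode access: right owner and right linear address. */
int epcm_allows(int s, int p, uint64_t linaddr) { return owned_by(s, p) && epcm[p].linaddr == linaddr; }
/* Walks enclaves A and B through the life cycle side by side; returns the number
 * of steps that did not behave as the model predicts (0 = everything as expected). */
int demo(void) {
    static uint8_t page[PAGE_SIZE];
    int bad = 0; memset(page, 0x90, sizeof page);     /* constructed page content */
    int a = ecreate(0x10000000ULL, 0x100000ULL), b = ecreate(0x20000000ULL, 0x100000ULL); /* one ECREATE each */
    bad += (a < 0 || b < 0 || a == b);
    int pa = eadd(a, 0x10000000ULL, page), pb = eadd(b, 0x20000000ULL, page); /* each EADDs its own pages */
    bad += (pa < 0 || pb < 0);
    bad += (eadd(a, 0x20000000ULL, page) != -1);       /* B's addresses lie outside A's ELRANGE */
    for (unsigned c = 0; c < PAGE_SIZE / 256; c++)
        bad += (eextend(a, pa, c) != 0) + (eextend(b, pb, c) != 0);
    bad += (eextend(a, pb, 0) != -1);                  /* A cannot measure B's page */
    bad += (secs_store[a].mrenclave != secs_store[b].mrenclave); /* same layout and content: same MRENCLAVE */
    bad += (einit(a) != 0) + (eadd(a, 0x10001000ULL, page) != -1); /* no EADD after EINIT */
    bad += !epcm_allows(a, pa, 0x10000000ULL) + epcm_allows(b, pa, 0x10000000ULL); /* EPCM isolation */
    bad += (eremove(a) != -1);                         /* SECS refused while pa still exists */
    bad += (eremove(pa) != 0) + (eremove(a) != 0);     /* A torn down page by page ... */
    bad += secs_store[b].initialized + !epcm_allows(b, pb, 0x20000000ULL); /* ... B is untouched */
    return bad;
}
int main(void) {
    printf("%d unexpected life-cycle steps\n", demo());
    return 0;
}
```

Build with any C99-or-later compiler (for example `cc -std=c11 model.c`); `demo()` returns 0 when every step behaves as described. On real hardware none of this is issued by the application itself: the privileged SGX driver executes ECREATE/EADD/EEXTEND/EINIT and EREMOVE on its behalf each time the untrusted runtime loads or destroys one enclave shared library, which is why each enclave ends up with its own SECS, its own ELRANGE and its own MRENCLAVE, and why tearing one enclave down leaves the others' EPC pages untouched.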
Kumar__Dixit
Novice

Hello Jesus,

Thank you so much for the detailed and precise explanation. It settled my doubts and helped me understand the fundamentals of SGX enclaves better.

Regards,
Dixit
