Hello everyone,
After reading the forum post "Number of enclaves in an Application", I got to know that SGX supports multiple enclaves within an application.
But after reading Intel SGX Explained, Section 5.3, I got confused: how does SGX maintain the enclave life cycle when there are multiple enclaves in the application?
I have some more fundamental doubts about the same. Kindly have a look.
- ECREATE sets the ELRANGE (base address and size for the enclave's sensitive pages) for an enclave. In case an application has multiple enclaves, does ECREATE get called for each enclave separately? Also, how does ECREATE set the ELRANGE then?
- EADD and EEXTEND are used to load initial code and data into the EPC region. Now, when an application has multiple enclaves in it, do all the initial enclave sensitive pages get loaded into the EPC (for attestation) at once, or do they get loaded one after another (when one enclave finishes its execution and another enclave needs to be executed)?
- Does the EREMOVE instruction get called for each enclave individually, or does it get called when all enclaves within the application have finished their jobs?
Regards,
Dixit
Hello Dixit,
Each enclave gets created and executed in its own "logical processor," which means they get executed in separate threads with their own Thread Control Structures (TCS). In this way, each enclave is completely independent. All of those instructions get executed for each enclave separately and independently. They do not interfere with each other's EPC either.
Regards,
Jesus
Each Enclave is a separate shared library (DLL or .so) so an application does not "contain" enclaves. Rather, applications (untrusted) can create and call multiple enclaves. The enclave shared library is then dynamically linked and executed.
This is explained in more detail in the Intel Software Guard Extensions Developer Guide.
Regards,
Jesus
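As an added example (not from this thread, and not Intel's code or the SGX SDK), the following C program models the per-enclave bookkeeping behind the two answers above: every enclave has its own SECS whose ELRANGE is fixed by its own ECREATE, EADD and EEXTEND bind each EPC page to exactly one owning enclave (the EPCM's ENCLAVESECS field), EINIT seals that enclave's measurement, and EREMOVE works one page at a time, so one enclave can be torn down while another one created by the same untrusted application stays loaded in the same EPC. The EPC size, the addresses, the page contents and the FNV-style hash standing in for the SHA-256 behind MRENCLAVE are all constructed for illustration; EADD's own contribution to MRENCLAVE, EPCM permission bits and the active-thread checks are left out.

```c
/* Toy model of SGX EPC/EPCM bookkeeping with several enclaves alive at once. Illustration
 * only, not Intel's implementation or the SDK: the hash stands in for SHA-256/MRENCLAVE. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096u
#define EPC_PAGES 8                      /* size of the simulated EPC (assumption) */
enum ptype { PT_FREE, PT_SECS, PT_TCS, PT_REG };

/* Enclave Control Structure: one per enclave, in its own EPC page. baseaddr/size are the
 * ELRANGE fixed by ECREATE; mrenclave is extended by EEXTEND until EINIT seals it. */
struct secs { uint64_t baseaddr, size, mrenclave; int initialized; };
/* Enclave Page Cache Map entry, the hardware's record for one EPC page. secs is the
 * owning enclave (the ENCLAVESECS field); -1 for free pages and for a SECS itself. */
struct epcm { enum ptype type; int secs; uint64_t linaddr; };

static struct epcm epcm[EPC_PAGES];
static struct secs secs_store[EPC_PAGES]; /* SECS contents, indexed like the EPC */
static uint8_t epc_data[EPC_PAGES][PAGE];

static int free_page(void) {
    for (int i = 0; i < EPC_PAGES; i++) if (epcm[i].type == PT_FREE) return i;
    return -1;
}

/* FNV-1a mixing as a stand-in for SHA-256 (assumption, illustration only) */
static uint64_t mix(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Number of non-SECS EPC pages currently owned by enclave s */
int pages_owned_by(int s) {
    int n = 0;
    for (int i = 0; i < EPC_PAGES; i++) if (epcm[i].type > PT_SECS && epcm[i].secs == s) n++;
    return n;
}

/* ECREATE: take a free EPC page for the SECS and fix this enclave's ELRANGE (power-of-two
 * size, naturally aligned base). One call per enclave. Returns the SECS index. */
int ecreate(uint64_t baseaddr, uint64_t size) {
    if (size < PAGE || (size & (size - 1)) || (baseaddr & (size - 1))) return -1;
    int i = free_page(); if (i < 0) return -1;
    epcm[i] = (struct epcm){ PT_SECS, -1, 0 };
    secs_store[i] = (struct secs){ baseaddr, size, 0xcbf29ce484222325ULL, 0 };
    return i;
}

/* EADD: copy one source page into a free EPC page and bind it to enclave s. The linear
 * address must lie inside that enclave's ELRANGE; the enclave must not be initialized yet. */
int eadd(int s, enum ptype type, uint64_t linaddr, const uint8_t *src) {
    if (s < 0 || epcm[s].type != PT_SECS || secs_store[s].initialized || type < PT_TCS) return -1;
    struct secs *e = &secs_store[s];
    if (linaddr < e->baseaddr || linaddr + PAGE > e->baseaddr + e->size) return -1;
    int i = free_page(); if (i < 0) return -1;
    epcm[i] = (struct epcm){ type, s, linaddr };
    memcpy(epc_data[i], src, PAGE);
    return i;
}

/* EEXTEND: fold one 256-byte chunk, tagged with its offset inside the enclave, into the
 * owning enclave's MRENCLAVE. Rejected once that enclave has been initialized. */
int eextend(int page, unsigned chunk) {
    if (page < 0 || epcm[page].type <= PT_SECS || chunk >= PAGE / 256) return -1;
    struct secs *e = &secs_store[epcm[page].secs];
    if (e->initialized) return -1;
    uint64_t off = epcm[page].linaddr - e->baseaddr + chunk * 256;
    e->mrenclave = mix(mix(e->mrenclave, (const uint8_t *)&off, sizeof off), epc_data[page] + chunk * 256, 256);
    return 0;
}

/* EINIT: seal the measurement; no further EADD/EEXTEND for this enclave */
int einit(int s) {
    if (s < 0 || epcm[s].type != PT_SECS || secs_store[s].initialized) return -1;
    secs_store[s].initialized = 1; return 0;
}

/* EREMOVE: free one EPC page, per page and per enclave. A SECS can only be removed once
 * no other page still names it as owner. */
int eremove(int page) {
    if (page < 0 || epcm[page].type == PT_FREE) return -1;
    if (epcm[page].type == PT_SECS && pages_owned_by(page) > 0) return -1;
    epcm[page] = (struct epcm){ PT_FREE, -1, 0 }; return 0;
}

/* Two enclaves created, loaded, measured and initialized side by side in one EPC, then A
 * torn down on its own. Returns how many pages B still owns afterwards (expected 2). */
int demo(void) {
    uint8_t code[PAGE];
    memset(code, 0x90, PAGE);                               /* constructed page contents */
    int a = ecreate(0x10000000, 0x100000);                  /* ELRANGE A: 1 MiB */
    int b = ecreate(0x20000000, 0x200000);                  /* ELRANGE B: 2 MiB, disjoint */
    int a_tcs = eadd(a, PT_TCS, 0x10000000, code), a_reg = eadd(a, PT_REG, 0x10001000, code);
    eadd(b, PT_TCS, 0x20000000, code); int b_reg = eadd(b, PT_REG, 0x20001000, code);
    for (unsigned c = 0; c < PAGE / 256; c++) { eextend(a_reg, c); eextend(b_reg, c); }
    einit(a); einit(b);
    eremove(a_tcs); eremove(a_reg); eremove(a);             /* A's pages first, then its SECS */
    printf("A removed; B still owns %d pages plus its SECS\n", pages_owned_by(b));
    return pages_owned_by(b);
}

int main(void) { return demo() == 2 ? 0 : 1; }
```

Run as is (`cc -std=c99 model.c && ./a.out`) and enclave B still owns its two pages after enclave A has been removed page by page. The checks that matter for the three questions in the thread are the ones that return -1: eadd() at an address outside the enclave's own ELRANGE, eextend() after that enclave's einit(), and eremove() on a SECS while pages of that enclave are still mapped.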
Hello Jesus,
Thank you so much for the detailed and precise explanation. It settled my doubts and helps me understand the fundamentals of SGX enclaves much better.
Regards,
Dixit