Is enclave code executes atomically, if there is no hardware exception or multi-threading?

Kumar__Dixit · ‎04-25-2020

I have some fundamental doubts about the working of enclave applications.

1. In case, if there is no multi-threading and hardware exception, then can we say, execution of enclave code will be done in an atomic manner? Atomic means, processor will be in enclave mode only until it finishes the enclave code execution?

2. Is it possible to have interaction between a trusted code and untrusted code, assuming system doesn't have any multi-threading support?

JesusG_Intel · ‎04-27-2020

Hello Dixit,

There is no system that supports Intel SGX that does not have multi-threading support. SGX does not trust host software, therefore, the only possible interactions between the host application (untrusted code) and enclave (trusted code), is via ECALLs and OCALLs.

In the paper, Intel SGX Explained, section 5.4 The Life Cycle of an SGX Thread, you will see that the enclave is executed by a Logical Processor in "enclave mode" and uses a Thread Control Structure "TCS". That TCS is set to "busy" and cannot be used by any other logical processor until it finishes its task. When it done with it's task, the EEXIT instruction is issued and execution is returned to the host process.

"Assuming that no hardware exception occurs, an enclave’s host process uses the EENTER instruction, described in § 5.4.1, to execute enclave code. When the enclave code finishes performing its task, it uses the EEXIT instruction, covered in § 5.4.2, to return the execution control to the host process that invoked the enclave."

Regards,

Jesus