Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Thread handling in SGX

Anandakumar

Hello,

 

This is an extension of a previous thread: https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-Threads-behavior/td-p/1290722/jum...

I need clarification on a few thread-related topics:

1. Only N simultaneous threads can run in an SGX enclave on an N-core machine because each thread will be bound to a physical core.
TCS NUM (Thread Control Structure) will decide how many threads can spawn in the SGX enclave. Let's say M (M > N) is set as TCSNUM; then N threads can run simultaneously and the remaining M-N threads will have to wait for their schedule.

Is my understanding correct? Can we have more TCSes than the number of cores?

2. Regarding the TCSPolicy Bound/Non-bound mode: give me some examples that explain when to use either of them.

 

Thanks

Anand

JesusG_Intel
Moderator

Hello Anand,


  1. YES. You can configure a higher TCS_NUM than the number of logical processors on a system.
  2. TCS_POLICY causes confusion because there are 2 aspects related to it, which might not be clearly explained in our documentation.

 

  • Trusted (Enclave component):
    • Unbinding policy (1): Thread Local Storage (TLS) area for each Thread Context (TCS) is reinitialized on every root ECALL.
    • Binding policy (0): Thread Local Storage (TLS) is not initialized on every ECALL.
  • Untrusted (loader component):
    • Unbinding policy (1): On every root ECALL, the uRTS finds the first available TCS and assigns said TCS to the untrusted thread.
    • Binding policy (0): The uRTS binds the untrusted thread to a TCS.

As long as the untrusted thread is alive, the TCS cannot be used for another thread.

When an application creates more threads than TCSes and uses this policy you get SGX_ERROR_OUT_OF_TCS.

 

Binding was the default policy in the initial versions of the SGX SDK.

Then we realized that developers could run into issues with binding policy if they weren’t careful using thread synchronization functions.


For that reason, we switched the default policy to unbinding (TCS_POLICY 1).


The binding policy (TCS_NUM 0) is useful if an enclave requires preserving TLS across root ECALLs.

However, we are not aware of any use case that requires this feature.


In general, use the current default (unbinding - TCS_POLICY 1).


Sincerely,

Jesus G.

Intel Customer Support
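
The two policies described in the answer above, as an added example that is not part of the thread and is not Intel SDK code: a simplified single-process model of how a TCS is assigned on each root ECALL. `TCS_NUM`, the `MODEL_*` status codes and all function names are hypothetical; the model assumes ECALLs never overlap and that TLS starts from its initial state whenever a TCS is newly assigned.

```c
#include <stdio.h>

#define TCS_NUM   2      /* assumed TCSNum for this model */
#define NO_THREAD (-1)
enum { POLICY_BIND = 0, POLICY_UNBIND = 1 };  /* TCS_POLICY values named in the answer */
enum { MODEL_OK = 0, MODEL_OUT_OF_TCS = 1 };  /* stand-in for SGX_ERROR_OUT_OF_TCS */

typedef struct { int owner; int tls; } tcs_t; /* owner: untrusted thread id; tls: one TLS counter */
typedef struct { int policy; tcs_t tcs[TCS_NUM]; } enclave_t;

void enclave_init(enclave_t *e, int policy) {
    e->policy = policy;
    for (int i = 0; i < TCS_NUM; i++) { e->tcs[i].owner = NO_THREAD; e->tcs[i].tls = 0; }
}

/* One root ECALL from untrusted thread tid; the enclave bumps a TLS counter and returns it in *out. */
int root_ecall(enclave_t *e, int tid, int *out) {
    tcs_t *t = NULL;
    if (e->policy == POLICY_BIND)             /* binding: reuse the TCS this thread already holds */
        for (int i = 0; i < TCS_NUM && !t; i++)
            if (e->tcs[i].owner == tid) t = &e->tcs[i];
    for (int i = 0; i < TCS_NUM && !t; i++)   /* otherwise take the first available TCS */
        if (e->tcs[i].owner == NO_THREAD) { t = &e->tcs[i]; t->owner = tid; t->tls = 0; }
    if (!t) return MODEL_OUT_OF_TCS;          /* every TCS is held by another live thread */
    *out = ++t->tls;
    if (e->policy == POLICY_UNBIND) t->owner = NO_THREAD; /* unbinding: TCS is free again on return */
    return MODEL_OK;
}

/* Threads 1 and 2 each make a root ECALL and stay alive; returns thread 3's ECALL status. */
int third_thread_status(int policy) {
    enclave_t e; int v = 0;
    enclave_init(&e, policy);
    root_ecall(&e, 1, &v); root_ecall(&e, 2, &v);
    return root_ecall(&e, 3, &v);
}

/* Thread 1 makes two root ECALLs; returns the TLS counter seen by the second one. */
int second_call_tls(int policy) {
    enclave_t e; int v = 0;
    enclave_init(&e, policy);
    root_ecall(&e, 1, &v); root_ecall(&e, 1, &v);
    return v;
}

int main(void) {
    printf("bind:   3rd-thread status=%d tls=%d\n", third_thread_status(POLICY_BIND), second_call_tls(POLICY_BIND));
    printf("unbind: 3rd-thread status=%d tls=%d\n", third_thread_status(POLICY_UNBIND), second_call_tls(POLICY_UNBIND));
    return 0;
}
```

With two TCSes and three live threads, only the binding model refuses the third thread, and only the binding model carries the TLS counter from one root ECALL into the next.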


JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

