While tinkering around with the generated enclave DLLs I noticed that release (non-simulation, non-debug) enclave DLLs seem to export the following two functions:
<sdk-examples-dir>\LocalAttestation>dumpbin /EXPORTS Release\Enclave1.dll ... ordinal hint RVA name 1 0 00002EEE enclave_entry = _enclave_entry 2 1 000AE304 g_peak_heap_used = _g_peak_heap_used
g_peak_heap_used seems to be exported into the dll by sgx_tstdc.lib
$ dlltool -z def <sgx-install-dir>/bin/win32/Release/sgx_tstdc.lib; cat def EXPORTS _g_peak_heap_used @ 1 DATA
I have two questions:
- Does it make sense to export g_peak_heap_used in release enclave DLLs?
- Does it work? Can the peak heap usage of an actual enclave, not running in debug mode, be accessed through this function?
I understand that the enclave DLL is not the same as an actual loaded enclave, protected by the CPU. But as the loading mechanism performed by the SDK (sgx_create_enclave()) is a black box to me, I cannot judge how this exported function affects security.
The Intel(R) Software Guard Extensions SDK provides a tool called sgx_emmt, Enclave Memory Measurement Tool, which measures the real usage of protected memory (EPC - Enclave Page Cache) by the enclave at run-time. The symbol, g_peak_heap_used, contains the maximum heap usage of the enclave. The tool provides the actual max heap usage data to allow an optimized configuration of the EPC reserved for this enclave's heap. EPC is a limited resource in the system.
Currently the enclave memory measurement tool provides the following two functions:
1. Obtains the stack peak usage value for the enclave.
2. Obtains the heap peak usage value for the enclave.
With the accurate runtime stack and heap usage information for your enclaves, you can rework the enclave configuration file to optimize (limit) the use of the protected memory (EPC).
The Intel(R) Software Guard Extensions Developers Reference provides additional details on the use of this tool.