
OS process management of enclave process

wwfbear789
Beginner
927 Views

To execute a process in an Enclave, the host process uses the EENTER or ERESUME instruction. At this time, the host process must be software running in Ring 3. Now I have a question. How does the operating system manage processes for SGX applications? Normally, the OS uses the priority of each process to run or sleep the process. Does this also apply to the Enclave process? I was wondering this because the OS would need to issue an EEXIT instruction to evict the Enclave process, but this is not possible due to software privileges.

Best Regards,

KFPW_Intel
Moderator
913 Views

Hi wwfbear789,

ENCLU[EENTER] and ENCLU[ERESUME] are user-mode SGX instructions for entering or re-entering an Enclave. When an EENTER instruction is executed to transition control into an enclave, register state and other information regarding the untrusted state is saved; then, inside the enclave, thread state and other information regarding the trusted state is loaded so execution can begin in the enclave.

With Intel SGX, the app talks directly to the encrypted enclave on the processor, providing additional protection from potential threats targeting the OS and VMMs. The picture shows how Intel SGX helps protect data from attacks. Visit the Intel® Software Guard Extensions Solution Brief for more information.

Hope this is helpful.

Regards,

Ken

wwfbear789
Beginner
906 Views

I am sorry. My question was unclear.

Generally, the operating system manages which processes are allocated CPU resources in order to run multiple processes simultaneously (https://en.wikipedia.org/wiki/Process_management_(computing)). This is a very important function of an operating system.
However, when this functionality is applied to an SGX application, the OS needs to put the running Enclave process into the READY or BLOCKED state, and it also needs to execute an Enclave process that is in the READY state. However, the EENTER, EEXIT, and ERESUME instructions cannot be executed directly by the OS. Therefore, we would like to know how the OS manages the Enclave process.

Best Regards,

KFPW_Intel
Moderator
838 Views

Hi wwfbear789,

Thank you for your patience.

I have checked with the development team.

Are you referring to Asynchronous Enclave Exits (AEXs), which allow interrupts (including the OS scheduler's timer interrupt) to interrupt an enclave's execution, as with normal ring 3 processes?

Section 35.2, Enclave Entry and Exiting, in the Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 3D: System Programming Guide, Part 4 (page 33) discusses AEXs in detail; it can be found in this reference.

There is an AEX flow in Section 36.4 (page 50) of the same reference that explains the Enclave Exiting Events, which could be useful for your use case.

Hope this is helpful.

Regards,

Ken

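The AEX flow Ken points to can be followed in the constructed C model below (added here as an illustration; it is not code from the Intel SGX SDK or the SDM, and the register set, the SSA fields and the `preempt_and_resume` scenario are simplified assumptions). An interrupt inside the enclave triggers a hardware AEX that saves the real state into the SSA and leaves the OS with synthetic registers pointing at the AEP, so the scheduler context-switches the thread like any ring-3 thread and, once it runs again, the AEP trampoline's ERESUME restores the enclave state without the OS ever executing EEXIT.

```c
/* Constructed model of an SGX Asynchronous Enclave Exit (AEX) and the ERESUME that
 * follows.  Registers and SSA are simplified; the flow is what the SDM describes. */
#include <stdbool.h>
#include <stdint.h>

#define ENCLU_ERESUME 3u          /* ENCLU leaf that AEX places in RAX */
typedef struct { uint64_t rip, rsp, rax, rbx; } regs_t;

typedef struct {                  /* TCS plus the SSA fields this model needs */
    regs_t   ssa_gprs;            /* enclave registers saved by AEX (in the EPC) */
    uint64_t ursp;                /* untrusted RSP recorded at EENTER */
    uint64_t aep;                 /* Asynchronous Exit Pointer in untrusted code */
    bool     ssa_valid, in_enclave;
} tcs_t;

/* Hardware: an interrupt (e.g. the scheduler timer) hits an enclave thread.  The
 * real state goes to the SSA; the OS sees only this synthetic state. */
void aex(tcs_t *tcs, regs_t *cpu) {
    tcs->ssa_gprs = *cpu;
    tcs->ssa_valid = true;
    tcs->in_enclave = false;
    cpu->rip = tcs->aep;          /* the OS returns the thread to the AEP */
    cpu->rsp = tcs->ursp;
    cpu->rax = ENCLU_ERESUME;     /* so the AEP trampoline can execute ENCLU */
    cpu->rbx = (uint64_t)(uintptr_t)tcs;
}

/* Hardware: ENCLU[ERESUME] from the ring-3 AEP trampoline restores the SSA. */
bool eresume(tcs_t *tcs, regs_t *cpu) {
    if (tcs->in_enclave || !tcs->ssa_valid) return false;   /* would #GP */
    *cpu = tcs->ssa_gprs;
    tcs->ssa_valid = false;
    tcs->in_enclave = true;
    return true;
}

/* Timer preemption scenario: the kernel saves and restores only the synthetic
 * registers, as for any ring-3 thread, so it never needs EEXIT or any SGX leaf.
 * Returns true if the enclave resumes with exactly the state it was exited with. */
bool preempt_and_resume(void) {
    tcs_t  tcs = { .ursp = 0x7ffd0000, .aep = 0x401000, .in_enclave = true };
    regs_t cpu = { .rip = 0x7f000010, .rsp = 0x7f00f000, .rax = 42, .rbx = 7 };
    regs_t before = cpu;
    aex(&tcs, &cpu);                          /* interrupt delivered */
    regs_t kernel_saved = cpu;                /* ordinary context switch out */
    if (kernel_saved.rax == before.rax || kernel_saved.rip != tcs.aep) return false;
    cpu = kernel_saved;                       /* switched back in, lands on the AEP */
    return eresume(&tcs, &cpu) && cpu.rip == before.rip && cpu.rax == before.rax
        && cpu.rsp == before.rsp && !tcs.ssa_valid;
}
```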
KFPW_Intel
Moderator
426 Views

Hi wwfbear789,


Hope all is well with you.

I hope the information I provided was helpful to you. Do you need further help with this issue?

Thank you.


Regards,

Ken


KFPW_Intel
Moderator
409 Views

Hi wwfbear789,


I hope the information I provided was helpful to you. Since we haven't heard from you, Intel will stop monitoring this thread. If you need further assistance, please open a new thread.


Regards,

Ken

