Process for allocating heap memory to an Intel® Software Guard Extensions (Intel® SGX) enclave
Unable to determine how heap memory that is larger than available Enclave Page Cache (EPC) memory is allocated to enclaves at creation.
Intel® Software Guard Extensions (Intel® SGX) uses the EADD processor instruction to add memory, including heap, to an enclave. To EADD a heap page, there must be a free Enclave Page Cache (EPC) page available. If a free page already exists, it is immediately used by EADD. If the EPC is already full, a currently in-use page is paged out and freed. That now free page could be used for the heap page. This page is in the EPC because it’s a newly freed page. In either case, no page gets swapped in. When the actual EADD occurs, the page will already be present in the EPC—no paging or swapping required.
Following the code:
- First, the SGX signtool determines enclave layout. It places the layout information in the metadata. Here is where the heap is added and set to EADD only: manage_metadata#L775
- During enclave load, the untrusted Run-time System (uRTS) loader loops through the layout entries and adds appropriately: loader.cpp#L382
- Each enclave page is added by calling the driver, which calls EADD: loader.cpp#L311