Cause and mitigation for slow allocation of large amount of memory for an enclave.
- Initializing an enclave with HeapInitSize of a few megabytes takes less than one second.
- Initalizing an enclave with large HeapInitSize, for example, 1 GB, takes several seconds.
Cause:
It is expected that initializing large amounts of memory for an enclave heap will take a long time. Initializing and adding memory to the Enclave Page Cache (EPC) for an enclave is much more complex than a simple memory allocation in a regular application. Before a chunk of memory is added to the EPC it must go through several security checks, including being measured using a 256-bit SHA-2 secure hash function.
Refer to sections 5.1, 5.3, 5.6 in SGX Explained, and the EADD and EEXTEND instructions in Intel SGX Enclave Lifecycle.
Mitigation:
If the processor supports Intel® Software Guard Extensions (Intel® SGX) SGX2, in the Enclave Configuration File:
- set HeapMaxSize to the largest amount of memory the enclave will require
- set HeapInitSize to something minimal.
HeapInitSize is the amount to fully initialize (i.e. EADD the page then EEXTEND it) at enclave launch, which takes time. With a minimal initialization size, it would be quicker, and the rest of the memory would only be added utilizing the SGX2 instructions when allocated, via malloc, by the enclave during runtime.