Initializing an Intel® Software Guard Extensions (Intel® SGX) Enclave with a Large Heap Size Is Slow

• Initializing an enclave with HeapInitSize of a few megabytes takes less than one second.
• Initalizing an enclave with large HeapInitSize, for example, 1 GB, takes several seconds.

Cause:
It is expected that initializing large amounts of memory for an enclave heap will take a long time. Initializing and adding memory to the Enclave Page Cache (EPC) for an enclave is much more complex than a simple memory allocation in a regular application. Before a chunk of memory is added to the EPC it must go through several security checks, including being measured using a 256-bit SHA-2 secure hash function.

Refer to sections 5.1, 5.3, 5.6 in SGX Explained, and the EADD and EEXTEND instructions in Intel SGX Enclave Lifecycle.

Mitigation:
If the processor supports Intel® Software Guard Extensions (Intel® SGX) SGX2, in the Enclave Configuration File:

• set HeapMaxSize to the largest amount of memory the enclave will require
• set HeapInitSize to something minimal.

HeapInitSize is the amount to fully initialize (i.e. EADD the page then EEXTEND it) at enclave launch, which takes time. With a minimal initialization size, it would be quicker, and the rest of the memory would only be added utilizing the SGX2 instructions when allocated, via malloc, by the enclave during runtime.