I know Intel SGX supports running multiple threads on one enclave. But I'm curious whether I can use fork to run 2 processes on one enclave?

hly19
  • This depends on your definition of a "process". Do you want separate address spaces or not? – Jonathan S. May 04 '22 at 15:18
  • CPUs don't support processes. At all. They're something made up by software. So the answer is yes. You can make them up in software inside your enclave code. – user253751 May 04 '22 at 15:48
  • 1
    @user253751: Hardware support is necessary to give separate address-spaces, the difference between a thread and process. (Part of) the question is whether the HW supports two separate address-spaces using SGX. I don't know a lot about SGX, but IDK how they might communicate with each other directly inside the same enclave if they don't share memory, though. Would there be a meaningful differences between the unsupported thing of two separate address-spaces in one enclave vs. two processes using separate enclaves? Maybe that would be meaningful if it were supported, IDK. – Peter Cordes May 06 '22 at 12:36
  • @PeterCordes another artificial distinction; systems without memory protection may still be said to have processes (without memory protection). The actual distinction between a thread and a process seems to be the level of co-operation. – user253751 May 06 '22 at 12:40
  • 1
    @user253751: Part of the point of SGX is isolation; it hardly seems like an artificial distinction. – Peter Cordes May 06 '22 at 13:10

1 Answer

What you cannot do: have more than 1 program (or process) use an enclave. Only the process that has created the enclave can use it.

What you can do: have more than 1 thread inside an enclave, but you have to create them in the untrusted part of the app. In your XML enclave config file there are 2 values, TCSNum and TCSPolicy.

For more information, see here and here.

X99