Here are the specific sections causing my confusion:
P30-P31: In Table 8, "Summary of Intel® SGX Rules and Limitations," it mentions: "Threading support is Partially. Creating threads inside the enclave is not supported. Threads that run inside the enclave are created within the (untrusted) application. Spin-locks, trusted mutex, and condition variables API can be used for thread synchronization inside the enclave."
P144: In the section about pthreads, it states: "The Intel® Software Guard Extensions (Intel® SGX) SDK includes a trusted version of the pthreads library. The library is named sgx_pthread and can only be used inside an enclave."
Questions:
Does this mean threads cannot be created or used directly inside the enclave?
How does the sgx_pthread library work in this context, and in what specific scenarios can it be used inside the enclave?
For applications that depend heavily on multi-threading for performance optimization, what are the recommended strategies when using an SGX enclave? Alternatively, should I consider a different platform, such as Confidential-VM technologies like TDX?
Any clarification or guidance on how to approach multi-threading in an SGX environment would be greatly appreciated. Thank you for your assistance!
The wording in Table 8 probably requires updating.
Yes, you may use the pthread library to create/use threads inside an enclave. However, creating threads requires making an OCALL to have the OS create such a thread.
Note that the pthread API supported inside enclaves is the minimum required in order to support the OpenMP library. Please review the Intel SGX Developer Reference for limitations.
Whether you use SGX or TDX depends on what you're trying to achieve and your security posture/requirements.
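The pattern described in the reply above, as an added example that is not part of the original thread or the SDK's own code: enclave-side code that fans work out with `pthread_create` and still completes when the untrusted side does not provide a thread. The names `ecall_parallel_sum`, `chunk_t` and `MAX_WORKERS` are hypothetical; in a real enclave the EDL also needs `from "sgx_pthread.edl" import *;`, the enclave links against sgx_pthread, and `TCSNum` in the enclave configuration must cover the worker threads.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_WORKERS 4 /* assumption: enclave TCSNum >= MAX_WORKERS + 1 */

typedef struct { const uint32_t *data; size_t len; uint64_t sum; } chunk_t;

/* Worker: sums one slice; runs on its own enclave thread or inline. */
static void *sum_chunk(void *arg)
{
    chunk_t *c = (chunk_t *)arg;
    uint64_t s = 0;
    for (size_t i = 0; i < c->len; i++)
        s += c->data[i];
    c->sum = s;
    return NULL;
}

/* Hypothetical ECALL body: sum data[0..len) with up to MAX_WORKERS threads. */
uint64_t ecall_parallel_sum(const uint32_t *data, size_t len, unsigned workers)
{
    pthread_t tid[MAX_WORKERS];
    chunk_t chunk[MAX_WORKERS];
    int started[MAX_WORKERS] = {0};
    uint64_t total = 0;
    if (data == NULL || len == 0) return 0;
    if (workers == 0) workers = 1;
    if (workers > MAX_WORKERS) workers = MAX_WORKERS;
    if (workers > len) workers = (unsigned)len;

    size_t per = len / workers, rem = len % workers, off = 0;
    for (unsigned i = 0; i < workers; i++) {
        chunk[i].data = data + off;
        chunk[i].len = per + (i < rem ? 1 : 0);
        chunk[i].sum = 0;
        off += chunk[i].len;
        /* Creation leaves the enclave via an OCALL so the OS can make the
         * thread; the untrusted side may refuse, so fall back to inline. */
        if (pthread_create(&tid[i], NULL, sum_chunk, &chunk[i]) == 0)
            started[i] = 1;
        else
            sum_chunk(&chunk[i]);
    }
    for (unsigned i = 0; i < workers; i++) {
        if (started[i]) pthread_join(tid[i], NULL);
        total += chunk[i].sum;
    }
    return total;
}
```

Because the result does not depend on how many threads were actually created, the untrusted application can affect performance but not the computed value.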
OK. I appreciate your detailed explanation; it clarified my doubts.
I have been reading the Intel SGX Developer Guide (https://download.01.org/intel-sgx/latest/linux-latest/docs/Intel_SGX_Developer_Guide.pdf, Thu 12 Sep 2024 05:51:39 AM UTC) and encountered some confusion regarding thread behavior in the enclave.