Reputation: 118
I couldn't find a way of determining what would be the max creatable enclave using the SGX SDK. Is there any way of fetching these capabilities? This is especially useful in cloud environments where you can create virtual machines with EPC sections and you don't know the actual usable size of the provisioned EPC.
Upvotes: 0
Views: 207
Reputation: 1303
You can use cpuid leaf 0x12, subleaf 2 and onward, until you hit an invalid type, and sum up the sizes.
Example with 254GB EPC:
$ cpuid -1 -l 0x12 -s2
CPU:
SGX Enclave Page Cache (EPC) enumeration (0x12/0x2):
type = EPC section
section physical address = 0x0000002030000000
section size = 0x0000001fcf3ff000
section property = confidentiality protection only
$ cpuid -1 -l 0x12 -s3
CPU:
SGX Enclave Page Cache (EPC) enumeration (0x12/0x3):
type = EPC section
section physical address = 0x0000006030000000
section size = 0x0000001fd0000000
section property = confidentiality protection only
$ cpuid -1 -l 0x12 -s4
CPU:
SGX Enclave Page Cache (EPC) enumeration (0x12/0x4):
type = invalid
$ echo $(((0x0000001fcf3ff000 + 0x0000001fd0000000) / 1024 / 1024 / 1024))
254
$ sudo dmesg|fgrep EPC
[ 3.082021] sgx: EPC section 0x2030000000-0x3fff3fefff
[ 3.471415] sgx: EPC section 0x6030000000-0x7fffffffff
Upvotes: 0
Reputation: 118
The only option I found to get the value of the EPC section is by filtering dmesg for the output of the SGX driver.
[ 2.451815] intel_sgx: EPC section 0x240000000-0x2bfffffff
If we convert the start and end of the section to decimal and subtract the end from the start, we get a value in bytes, which we can convert to gibibytes or mebibytes.
Here are the calculations for this example and the result in gibibytes:
python3 -c 'print((0x2bfffffff - 0x240000000) / 1024 ** 3)'
1.9999999990686774
Upvotes: 0
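The two approaches from the answers above (summing the CPUID leaf 0x12 section sizes, and taking the section bounds from dmesg), as an added shell example that is not part of the original thread. The function names are hypothetical, and the sample inputs are constructed from the outputs quoted in the answers.

```shell
#!/bin/sh
# Added example (not from the thread): total EPC bytes from either source.

# Accept only 0x-prefixed hex so untrusted text never reaches $(( )).
is_hex() {
    case "$1" in
        0x*) case "${1#0x}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# stdin: concatenated output of `cpuid -1 -l 0x12 -s N` for N = 2, 3, ...
# Sums "section size" values and stops at the first "type = invalid".
epc_bytes_from_cpuid() {
    total=0
    while IFS= read -r line; do
        case "$line" in
            *type*=*invalid*) break ;;
            *"section size"*=*)
                v=${line##*"= "}
                if is_hex "$v"; then total=$(( total + $v )); fi ;;
        esac
    done
    echo "$total"
}

# stdin: dmesg lines such as "sgx: EPC section 0xSTART-0xEND".
# The printed end address is the last byte of the section, hence the +1.
epc_bytes_from_dmesg() {
    total=0
    while IFS= read -r line; do
        case "$line" in *"EPC section 0x"*-0x*) ;; *) continue ;; esac
        range=${line##*"EPC section "}
        start=${range%%-*} end=${range#*-}
        if is_hex "$start" && is_hex "$end"; then
            total=$(( total + $end - $start + 1 ))
        fi
    done
    echo "$total"
}

# Constructed input, copied from the outputs quoted in the answers.
SAMPLE_CPUID='type = EPC section
section size = 0x0000001fcf3ff000
type = EPC section
section size = 0x0000001fd0000000
type = invalid'
SAMPLE_DMESG='[ 3.082021] sgx: EPC section 0x2030000000-0x3fff3fefff
[ 3.471415] sgx: EPC section 0x6030000000-0x7fffffffff'

a=$(printf '%s\n' "$SAMPLE_CPUID" | epc_bytes_from_cpuid)
b=$(printf '%s\n' "$SAMPLE_DMESG" | epc_bytes_from_dmesg)
echo "cpuid: $a bytes, dmesg: $b bytes, $(( a / 1073741824 )) GiB"
```

On a live host, feed the functions with `sudo dmesg | epc_bytes_from_dmesg` or with the concatenated `cpuid` subleaf outputs.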