On Mon, Dec 17, 2018 at 08:55:02PM -0800, Andy Lutomirski wrote: > On Mon, Dec 17, 2018 at 5:39 PM Jarkko Sakkinen > <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > > > On Mon, Dec 17, 2018 at 02:20:48PM -0800, Sean Christopherson wrote: > > > The only potential hiccup I can see is the build flow. Currently, > > > EADD+EEXTEND is done via a work queue to avoid major performance issues > > > (10x regression) when userspace is building multiple enclaves in parallel > > > using goroutines to wrap Cgo (the issue might apply to any M:N scheduler, > > > but I've only confirmed the Golang case). The issue is that allocating > > > an EPC page acts like a blocking syscall when the EPC is under pressure, > > > i.e. an EPC page isn't immediately available. This causes Go's scheduler > > > to thrash and tank performance[1]. > > > > I don't see any major issues having that kthread. All the code that > > maps the enclave would be removed. > > > > I would only allow to map enclave to process address space after the > > enclave has been initialized i.e. SGX_IOC_ENCLAVE_ATTACH. > > > > What's SGX_IOC_ENCLAVE_ATTACH? Why would it be needed at all? I > would imagine that all pages would be faulted in as needed (or > prefaulted as an optimization) and the enclave would just work in any > process. The way I see it the efficient way to implement this is to have the enclave attached to a single process address space at a time. #PF handler is trivial with multiple address spaces but swapping is a bit tedious as you would need to zap N processes. /Jarkko
