Hi Jarkko
On Fri, 28 Jan 2022 05:50:22 -0600, Jarkko Sakkinen <jarkko@xxxxxxxxxx>
wrote:
On Fri, Jan 28, 2022 at 12:08:07PM +0200, Jarkko Sakkinen wrote:
I noticed that with aesmd the only feasible way to host it is to make a
VM for it because:
- A beter predictable round-trip time for attestation.
- In the worst case, attestation could be potentially blocked.
I don't fully understand your description here. Based on what you said
below, I think you are talking about how to improve (control of) EPC
allocation for apps in case of over-subscription (i.e., when EPC runs
out). My comments below are with this understanding.
In case you think there are limitations of aesmd implementation that
prevent aesmd from being hosted in other than a separate VM, please create
an issue on the corresponding GitHub.
Should the driver have a page locking mechanism to make this more
robust,
or do we want to satisfy to this? I'm not 100% sure what'd be the right
path forward, just pointing out a potential availability issue.
Current swapping would ensure the last active pages be loaded so it gives
some level of insurance that aesmd would be able to run as long as there
is swapping RAM and other apps are not super active during attestation.
I think SGX cgroups support should help address this concern in a general
way, which was discussed before and I think is in plan.
Not sure if lock works better, could you explain how it work?
