The background description provided herein is for the purpose of generally presenting the context of the disclosure. Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Security, in particular protection from malicious software, has emerged as a major concern in computing. It is expected that processors, e.g., some processors from Intel® Corporation of Santa Clara, Calif., will begin to provide support for isolated/protected execution environments for individual applications (also referred to as application execution enclaves or simply enclaves). Access to enclave memory areas will be limited to code resident in the enclave; code outside the enclave will have no access to enclave memory areas. For Intel® processors, the technology is currently known as SGX (Software Guard Extensions). For further information, see Intel® Software Guard Extensions Programming Reference, dated October 2014.
It is expected that the isolation support will include enclave dynamic memory management, allowing cache pages to be dynamically added to or removed from an enclave on an as-needed basis. One proposed approach for dynamically augmenting an enclave with additional cache pages has the enclave send a request to the privileged OS kernel or a privileged driver for a certain number of cache pages to be mapped to a specified virtual address. Since, for security reasons, calls to system services from enclaves are not allowed, an enclave would have to make the request through the non-isolated portion of an application.
In response, the privileged software (i.e., the OS kernel or the privileged driver) will use the support features provided by the processor (e.g., the EAUG instruction for SGX) to allocate and map the required number of cache pages to the requesting enclave. Similar to the request, the privileged software would communicate completion of the allocation and mapping to the enclave through the non-isolated portion of the application. On notification of completion of the allocation and mapping, the enclave is to execute an acknowledgement (e.g., the EACCEPT instruction for SGX) for each newly added cache page.
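The flow described above can be sketched as a small state model. This is an added example, not code from the application or from any SGX SDK: it only models the EAUG and EACCEPT steps as state changes on an array, and every function and constant name in it is hypothetical. It assumes a page that has been added but not yet acknowledged is tracked as pending, and it treats the completion notice as untrusted input because it is relayed through the non-isolated portion of the application.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model of the flow above; every name here is hypothetical. */
enum page_state { PG_FREE, PG_PENDING, PG_ACCEPTED };
#define NPAGES 8
static enum page_state pages[NPAGES];  /* per-page state, as tracked by the CPU */
/* Privileged software: models EAUG on `count` pages starting at `first`. */
static int os_augment(size_t first, size_t count) {
    if (first > NPAGES || count > NPAGES - first) return -1;
    for (size_t i = first; i < first + count; i++) {
        if (pages[i] != PG_FREE) return -1;
        pages[i] = PG_PENDING;          /* mapped, but not yet acknowledged */
    }
    return 0;
}

/* Enclave: models EACCEPT, which succeeds only on a page awaiting it. */
static int enclave_accept(size_t idx) {
    if (idx >= NPAGES || pages[idx] != PG_PENDING) return -1;
    pages[idx] = PG_ACCEPTED;
    return 0;
}

/* Enclave: the completion notice is relayed by the non-isolated part of the
 * application, so compare it with the request, then accept page by page. */
int enclave_on_complete(size_t want, size_t n, size_t told, size_t told_n) {
    if (told != want || told_n != n) return -1;
    for (size_t i = 0; i < n; i++)
        if (enclave_accept(want + i) != 0) return -1;
    return 0;
}

int pages_accepted(void) {
    int n = 0;
    for (size_t i = 0; i < NPAGES; i++) n += (pages[i] == PG_ACCEPTED);
    return n;
}

/* One full exchange. os_allocates=0 models a completion notice sent without
 * any allocation; shift!=0 models a notice naming a different address. */
int run_flow(size_t first, size_t count, int os_allocates, size_t shift) {
    for (size_t i = 0; i < NPAGES; i++) pages[i] = PG_FREE;
    if (os_allocates && os_augment(first, count) != 0) return -1;
    return enclave_on_complete(first, count, first + shift, count);
}

int main(void) {
    printf("%d %d %d\n", run_flow(2, 3, 1, 0), run_flow(2, 3, 0, 0), run_flow(2, 3, 1, 1));
}
```

In the model, only the exchange where the pages were really added and the notice matches the request ends with accepted pages; the other two leave the enclave with nothing acknowledged.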