Applications and high performance networks to support new usage models and services such as voice, video, transactions, and private data, present new challenges in the area of security. The need to protect data in storage or in transit for confidentiality and integrity is important, but supporting high speed cryptographic operations and storage required to maintain secured access to protected code and/or data adds to complexity and ultimately to expense.
One technique for creating and maintaining a secured, protected, or isolated partition or environment is known as establishing an enclave. An enclave is a set of information and processing capabilities that are protected as a group. The information and processing capabilities may include networks, hosts, or applications. When data and/or instructions for an enclave are loaded from external memory, they are decrypted, authenticated and then stored or cached in a protected memory. Similarly when data and/or instructions for an enclave are evicted from the protected memory, they are encrypted before being stored back to external memory.
Therefore, when performing paging in (i.e. loading) and/or paging out (i.e. evicting and writing back) of memory pages for a secure enclave, cryptographic operations must be performed on the entire pages, which may be typically of 4 KB in size. Consequently, loading or evicting a page for a secure enclave may require many tens of thousands of processing cycles. If the paging in, or the paging out process is interrupted, it may need to be re-executed, but since the occurrence of interrupts may be relatively frequent, forward progress of loading or evicting a page for a secure enclave may be difficult to guarantee. On the other hand, if servicing of interrupts were not permitted until loading or evicting of a page for the secure enclave had completed, then the delayed servicing of interrupts may cause unacceptable glitches in some services such as voice, video and real-time transactions.
Therefore guaranteeing forward progress of loading and/or evicting memory pages for secure enclaves presents a set of unique user-experience and performance challenges. To date, solutions that address these challenges, potential performance limiting issues, and real-time complexities have not been adequately explored.