Venue | Category |
---|---|
SIGMETRICS'19 | SGX Performance |
Everything You Should Know About Intel SGX Performance on Virtualized Systems1. SummaryMotivation of this paperSGX Evaluation2. Strength (Contributions of the paper)3. Weakness (Limitations of the paper)4. Some Insights (Future work)
Motivation
No work has studies in detail the performance degradation caused by SGX in virtualized systems.
identify several optimization strategies to improve performance of Intel SGX
Intel SGX in a virtualized system
For each VM started with SGX support, the hypervisor allocates a section of the EPC to use a virtual EPC.
Evaluation setting
buffer in, out, in/out, user_check (zero-copy data transfer)
write/read from the enclave vs. write/read from outside the application
Result:
Evict process:
Paging Measurement
Initialization: Before an enclave is ready to use, its memory contents are measured by CPU to produce a cryptographic hash
add a large static array into the enclave code and measured the enclave startup time
Destruction: large EPC also means more pages in the enclave's working set must be deallocated
Measure the performance of encrypting memory buffers of various sizes from 16 bytes to 16MB using AES-128-GCM.
Trusted platform module (TPM): used for platform integrity purpose by measuring critical system software (firmware, boot loaders, kernel, etc.) through the use of platform configuration registers
Intel SGX: users no longer need to trust the system software nor any other hardware components. (self-contained solution)
Virtualization-friendly trusted computing
AMD secure encrypted virtualization (SEV): a memory encryption-based technique:
Microsoft shielded VM
At the boot time, the BIOS verifies whether SGX is enabled. It then reserves a region of physical memory for the CPU