Configuring a simple application
Different applications have different runtime requirements. They may need different amounts of memory, different numbers of threads, and different input and output data. By configuring the Anjuna SGX Runtime’s secure enclave, you can ensure that it meets an application’s requirements while at the same time protecting sensitive data.
This section describes how to make the most commonly-used customization of a secure enclave: the size of memory allocated to it.
First you will write and compile a simple C program that allocates a large area of memory, and then you will configure a secure enclave. The enclave will refuse to run that application since its memory requirements are too large, and you will adjust the secure enclave’s parameters in order to allow the program to run.
A program that allocates too much
Begin by creating a C program named bigmalloc.c containing the following code:
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#define ALLOC_SIZE (1024*1024*1024)
int main() {
void* mem_arena = malloc(ALLOC_SIZE);
if (NULL == mem_arena) {
fprintf(stderr, "Failed allocating %lu bytes\n", (long unsigned int) ALLOC_SIZE);
return ENOMEM;
}
printf("Successfully allocated %lu bytes\n", (long unsigned int) ALLOC_SIZE);
free(mem_arena);
return 0;
}bigmalloc.c allocates a region of memory 1 GB in size.
Compile the program by running the following command:
$ gcc bigmalloc.c -o bigmallocThe compiler creates the executable bigmalloc, which you will use to test the Anjuna SGX Runtime.
Now you will configure the Anjuna SGX Runtime to start bigmalloc in a secure enclave that does not
allow it to allocate so much memory.
First, use anjuna-sgxrun to create a manifest template for bigmalloc:
$ anjuna-sgxrun --setup bigmallocAs you saw previously in the
Configure and run a program section,
anjuna-sgxrun generates a manifest template file named bigmalloc.manifest.template.yaml.
Using your preferred editor,
open bigmalloc.manifest.template.yaml and adjust the maximum allowed memory.
Find the line that reads:
enclave_size: 2Gand change it to read:
enclave_size: 512MThis change configures the secure enclave to forbid memory allocations over 512M in size.
What happens when bigmalloc tries to allocate a gigabyte?
Try executing the following command:
$ anjuna-sgxrun bigmallocWhen bigmalloc tries to allocate memory in excess of the amount allowed by the manifest,
the Anjuna SGX Runtime prevents it, displaying the following output:
Out of enclave memory (requested allocation size = 1073745920). Increase enclave size. Failed to grow brk region by alloc_size=1073614848. bkeep_mmap returned -13. brk=0x840223000 brk_start=0x800202000 brk_current=0x800223000 brk_end=0x800242000 Out of enclave memory (requested allocation size = 1073876992). Increase enclave size. Failed allocating 1073741824 bytes
The secure enclave stopped execution of your test program because it tried to allocate memory in excess of the limit that you set in the manifest template. You can change the limit in order to enable the test program to run to completion.
Open bigmalloc.manifest.template.yaml in your editor and once again adjust the maximum
allowed memory.
This time, change the line that reads
enclave_size: 512Mto instead read:
enclave_size: 2GNow use the Anjuna SGX Runtime to run the test program again:
$ anjuna-sgxrun bigmallocThis time, the test program displays
Successfully allocated 1073741824 bytes