Configuring a Simple Application

Different applications have different runtime requirements. They may need different amounts of memory, different numbers of threads, and different input and output data. By configuring the Anjuna SGX Runtime’s secure enclave, you can ensure that it meets an application’s requirements while at the same time protecting sensitive data.

This section describes how to make the most commonly-used customization of a secure enclave: the size of memory allocated to it.

We’ll first write and compile a simple C program that allocates a large area of memory. We’ll then see how we can configure a secure enclave that refuses to run that program because its memory requirements are too great, and then how to adjust the secure enclave’s parameters to allow the program to run.

A Program that Allocates Too Much

Begin by creating a C program named bigmalloc.c containing the following code:

#include <stdio.h>
#include <errno.h>

#define ALLOC_SIZE (1024*1024*1024)

int main() {
    void* mem_arena = malloc(ALLOC_SIZE);
    if (NULL == mem_arena) {
        fprintf(stderr, "Failed allocating %lu bytes\n", (long unsigned int) ALLOC_SIZE);
        return ENOMEM;
    }

    printf("Successfully allocated %lu bytes\n", (long unsigned int) ALLOC_SIZE);
    free(mem_arena);
    return 0;
}

bigmalloc.c allocates a region of memory 1 GB in size. Compile the program by running the following command:

$ gcc bigmalloc.c -o bigmalloc

The compiler creates the executable bigmalloc, which we’ll use to test the Anjuna SGX Runtime.

Now let’s configure the Anjuna SGX Runtime to start bigmalloc in a secure enclave that doesn’t allow it to allocate so much memory. First, use anjuna-sgxrun to create a manifest template for bigmalloc:

anjuna-sgxrun --setup bigmalloc

As we saw previously in the Configure and Run a Program section, anjuna-sgxrun generates a manifest template file named manifest.template.yaml.

Using your preferred editor, open manifest.template.yaml and adjust the maximum allowed memory. Find the line that reads:

enclave_size: 2G

and change it to read:

enclave_size: 512M

This change configures the secure enclave to forbid memory allocations over 512M in size. What happens when bigmalloc tries to allocate a gigabyte?

Try executing the following command:

$ anjuna-sgxrun bigmalloc

When bigmalloc tries to allocate memory in excess of the amount allowed by the manifest, the Anjuna SGX Runtime prevents it, displaying the following output:

Anjuna-Runtime: ran out of enclave user memory (enclave user memory size = 458379264, requested = 1073876992). Please enlarge enclave size.
Failed allocating 1073741824 bytes

The secure enclave stopped execution of our test program because it tried to allocate memory in excess of the limit that we set in the manifest template. We can change the limit in order to enable the test program to run to completion.

Open manifest.template.yaml in your editor and once again adjust the maximum allowed memory. This time, change the line that reads

enclave_size: 512M

to instead read:

enclave_size: 2G

Now use the Anjuna SGX Runtime to run the test program again:

$ anjuna-sgxrun bigmalloc

This time, the test program displays

Successfully allocated 1073741824 bytes