Graphene Pre-Loading Files


Colin McKechney

Jun 11, 2021, 10:16:32 AM
to sup...@graphene-project.io, Taeho Jung, Justin Pajak, Jonathan Takeshita
Good morning,

My name is Colin McKechney. I'm with a research team using Graphene for SGX programs, and we have come across something that we would like to clarify about Graphene. In a few of our programs we are using file I/O to read in information. In these programs, we don't see an OCALL to load those files into the enclave, and as a result the program is running faster than expected. Is it a feature of Graphene to pre-load those allowed files into the enclave before execution when Graphene detects file I/O? Thank you.

Sincerely,

Colin McKechney
Computer Science
University of Notre Dame '23

Michał Kowalczyk

Jun 12, 2021, 1:53:34 PM
to Colin McKechney, sup...@graphene-project.io, Taeho Jung, Justin Pajak, Jonathan Takeshita
Hmm, which files are these, exactly? Some system files are emulated inside the enclave, like the whole /proc or /sys.

Taeho Jung

Jun 12, 2021, 6:07:40 PM
to Michał Kowalczyk, Colin McKechney, Jonathan Takeshita, Justin Pajak, sup...@graphene-project.io
Hi Michał,

We are reading our own file that contains some inputs for the SGX applications.

More specifically, we have a file that contains 10M AES ciphertexts of float numbers, and we’re reading them in one by one and decrypting them.

It takes only 6 seconds on average to finish the whole reading & decryption, which made us guess context switching did not happen.

Best,
Taeho
--
Assistant Professor
Department of Computer Science and Engineering, University of Notre Dame
Notre Dame, IN, United States

Michał Kowalczyk

Jun 12, 2021, 6:24:17 PM
to Taeho Jung, Colin McKechney, Jonathan Takeshita, Justin Pajak, sup...@graphene-project.io
For allowed_files (do I read correctly, that this is what you use?) it should not be preloaded and ocall_read() should be used, if I remember correctly.

> we don't see an OCALL to load those files into the enclave

How do you check which OCALLs were called?

Taeho Jung

Jun 12, 2021, 6:33:59 PM
to Michał Kowalczyk, Colin McKechney, Jonathan Takeshita, Justin Pajak, sup...@graphene-project.io
Yes, they were allowed files.

We didn’t explicitly check whether ocall occurred. From our understanding, an empty ocall would take at least 8000 cycles according to the literature (https://www.ofirweisse.com/ISCA17_Ofir_Weisse.pdf), and 10M ocalls on a CPU with 5 GHz clock rate would take 16 seconds in theory. The 6 seconds from our program running with Graphene inside SGX was far lower than the theoretic estimate, which made us guess not all context switches occurred for all 10M fread in a simple cpp code (https://github.com/justinpajak/Sum_SGX/blob/main/aggsum.cpp). Note that the code in that link has 1M calls to fread — the 6 seconds was measured from the program with 10M fread.

Michał Kowalczyk

Jun 12, 2021, 7:22:23 PM
to Taeho Jung, Colin McKechney, Jonathan Takeshita, Justin Pajak, sup...@graphene-project.io
fread() call is not a syscall, it's a standard C/C++ library call, and it doesn't have to translate 1-1 to read(). Looking at your code, it most likely uses stdio buffering, which results in far fewer syscalls than you expect.
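
Added example, not part of the original thread and not Graphene or Sum_SGX code: a C++ program (glibc or musl assumed, for `fopencookie`) that counts how many backend reads stdio issues for 100,000 constructed 16-byte `fread()` calls, with and without buffering. `counting_read` and the other names are hypothetical; the callback stands in for `read()`, which the thread says Graphene serves through `ocall_read()` for allowed files.

```cpp
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   // fopencookie() is a glibc/musl extension
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

const long RECORDS = 100000;  // constructed input: 100k records ...
const int REC_SIZE = 16;      // ... of 16 bytes (one AES block) each

// In-memory "file" whose read callback stands in for read(2).
struct Src { long left; long calls; };

static ssize_t counting_read(void *cookie, char *buf, size_t size) {
    Src *s = static_cast<Src *>(cookie);
    size_t n = size < (size_t)s->left ? size : (size_t)s->left;
    s->calls++;               // one would-be read(2), i.e. one OCALL
    memset(buf, 0xA5, n);     // constructed filler bytes
    s->left -= (long)n;
    return (ssize_t)n;
}

// fread() every record; return how often stdio called the backend.
// mode is _IOFBF (stdio buffering on) or _IONBF (buffering off).
long backend_reads(int mode) {
    static char iobuf[4096];
    Src s = { RECORDS * REC_SIZE, 0 };
    cookie_io_functions_t io = {};
    io.read = counting_read;
    FILE *f = fopencookie(&s, "r", io);
    if (!f) return -1;
    setvbuf(f, mode == _IONBF ? nullptr : iobuf, mode, sizeof iobuf);
    char rec[REC_SIZE];
    long got = 0;
    while (got < RECORDS && fread(rec, REC_SIZE, 1, f) == 1) got++;
    fclose(f);
    return got == RECORDS ? s.calls : -1;
}

// The thread's estimate: 8000 cycles per empty OCALL on a 5 GHz CPU.
double ocall_seconds(long calls) { return calls * 8000.0 / 5e9; }

int main() {
    printf("buffered:   %ld backend reads\n", backend_reads(_IOFBF));
    printf("unbuffered: %ld backend reads\n", backend_reads(_IONBF));
    printf("10M OCALLs: %.0f s\n", ocall_seconds(10000000L));
}
```

With a 4096-byte stdio buffer, each backend read serves many 16-byte records, so the per-OCALL cost estimate applies to the number of buffer refills rather than to the number of `fread()` calls. On a native Linux run of the real program, `strace -c -e trace=read` reports the actual `read()` count.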

Taeho Jung

Jun 12, 2021, 8:00:32 PM
to Michał Kowalczyk, Colin McKechney, Jonathan Takeshita, Justin Pajak, sup...@graphene-project.io
That makes sense! Thank you so much for the clarification!