Performance Optimization Solutions For The Next Generation Of Intel Trusted Execution Environment

With the rapid development of cloud computing,more and more services and data are deployed to the cloud,data security and privacy protection are more and more valued by users,and the voice of users for cloud security is more and more strong.Confidential computing technology based on Trusted Execution Environments(TEE)is one of the mainstream cloud security solutions.Intel SGX is TEE widely used in confidential computing technology.SGX allows applications to run in TEE called enclave,which can protect the code and data in use.However,SGX has been criticized in terms of performance,in which the enclave may produce a large number of enclave switching at runtime,enclave switching is expensive,seriously affecting the overall performance of SGX.Recently,Intel released SGX-Icelake,the next generation of TEE.Based on the architecture characteristics of the next generation TEE,we propose a typical SGX workflow,which is divided into four stages: thread scheduling,IO read-write,memory management,and time acquisition.We systematically evaluate and analyze the performance overhead of SGX-Icelake in each stage,and find that SGX-Icelake still has the problem of enclave switching performance.Based on the idea of enclave switchless and asynchrony,combined with the larger enclave memory and more processor cores of SGX-Icelake,we propose whole process SGX performance optimization solutions.For the thread scheduling phase,we propose coroutine-based in-enclave scheduling based on Rust Async / Await,and design a : : scheduling mechanism to avoid enclave switching in the thread scheduling phase;For IO read-write phase,we propose enclave asynchronous IO based on Linux io?uring.We realize enclave switchless asynchronous IO,and propose eager execution and promised execution asynchronous strategies.Based on these two asynchronous strategies,network buffer and page cache are designed in the enclave to speed up the performance of network IO and file IO respectively,avoid enclave switching in io readwrite stage,and hide the overhead of IO actual execution;For the memory management phase,we propose enclave asynchronous memory management based on memory pool,which dynamically allocates memory through the memory pool in the enclave and asynchronously manages memory through the memory management coroutine,thus avoiding enclave switching in the memory management phase;For the time acquisition phase,we propose enclave time acquisition based on v DSO,which avoids the enclave switching in the time acquisition phase by executing the time acquisition system calls with the verified v DSO or with the simulated v DSO.We implemented the system based on the open-source SGX Lib OS Occlum and carried out a lot of experimental evaluations.The experimental results show that,for each stage of the typical SGX workflow,our optimization shows a significant performance improvement,reaching 17.8,3.6,44.8,and 16.8 times the original SGX performance.