IEICE Transactions on Information and Systems
Online ISSN : 1745-1361
Print ISSN : 0916-8532
Regular Section
Efficient Memory Protection Method for Large-Scale Host-Enclave Data Transfer on Keystone Enclave
Akihiro SAIKI, Keiji KIMURA
JOURNAL FREE ACCESS

2026 Volume E109.D Issue 6 Pages 894-910

Abstract

Enclave-type Trusted Execution Environments (TEEs) provide a hardware-isolated environment, called an enclave, where confidential applications can be executed securely. The enclave runtime is designed to be fully trusted but tends to have limited functions due to its simple implementation, which prioritizes security. Thus, it relies on untrusted host OS functions, particularly I/O operations, through a minimal secure communication interface between a host and an enclave. Such a communication interface across the boundary between trusted and untrusted domains must be implemented in a manner that does not compromise security. However, tight security constraints can lead to a loss of performance and compatibility for applications. Achieving efficient and flexible secure communication is a challenging issue. Keystone Enclave is one of the representative enclave-type TEE implementations for RISC-V. While Keystone provides a set of edge calls as a communication interface, this interface introduces data transfer efficiency issues and security concerns. When transferring large amounts of data from a host to an enclave, the edge calls introduce a significant data transfer overhead due to the restrictions on Keystone’s implementation of memory isolation. Besides, the original edge calls do not protect the transferred data from other programs. This paper proposes a secure, efficient, and scalable host-enclave data transfer method for Keystone Enclave. The proposed method introduces an additional memory region dedicated to the protection of data transfer. This region is protected independently of the enclaves and other shared memory. It is enforced that the contents in the region are validated before use by privileged software. This approach enables efficient and scalable data transfer, as well as flexible data protection, without requiring additional hardware extensions.
The evaluation of the proposed method on the HiFive Unmatched RISC-V board shows 2.2-2.4× better performance than the method using the original edge calls for large-size data transfer. We also evaluate the performance of the I/O system call delegation using the proposed method and confirm its practicality.

© 2026 The Institute of Electronics, Information and Communication Engineers