background image

SAFER MODE EXTENSIONS REFERENCE

Vol. 2D 6-3

.

6.2.2.2  

GETSEC[ENTERACCS]

The GETSEC[ENTERACCS] leaf enables authenticated code execution mode. The ENTERACCS leaf function 
performs an authenticated code module load using the chipset public key as the signature verification. ENTERACCS 
requires the existence of an IntelĀ® Trusted Execution Technology capable chipset since it unlocks the chipset 
private configuration register space after successful authentication of the loaded module. The physical base 
address and size of the authenticated code module are specified as input register values in EBX and ECX, respec-
tively. 
While in the authenticated code execution mode, certain processor state properties change. For this reason, the 
time in which the processor operates in authenticated code execution mode should be limited to minimize impact 
on external system events. 
Upon entry into , the previous paging context is disabled (since the authenticated code module image is specified 
with physical addresses and can no longer rely upon external memory-based page-table structures).
Prior to executing the GETSEC[ENTERACCS] leaf, system software must ensure the logical processor issuing 
GETSEC[ENTERACCS] is the boot-strap processor (BSP), as indicated by IA32_APIC_BASE.BSP = 1. System soft-
ware must ensure other logical processors are in a suitable idle state and not marked as BSP.
The GETSEC[ENTERACCS] leaf may be used by different agents to load different authenticated code modules to 
perform functions related to different aspects of a measured environment, for example system software and 
IntelĀ® TXT enabled BIOS may use more than one authenticated code modules.

6.2.2.3  

GETSEC[EXITAC]

GETSEC[EXITAC] takes the processor out of . When this instruction leaf is executed, the contents of the authenti-
cated code execution area are scrubbed and control is transferred to the non-authenticated context defined by a 
near pointer passed with the GETSEC[EXITAC] instruction. 
The authenticated code execution area is no longer accessible after completion of GETSEC[EXITAC]. RBX (or EBX) 
holds the address of the near absolute indirect target to be taken. 

6.2.2.4  

GETSEC[SENTER]

The GETSEC[SENTER] leaf function is used by the initiating logical processor (ILP) to launch an MLE. 
GETSEC[SENTER] can be considered a superset of the ENTERACCS leaf, because it enters  as part of the measured 
environment launch. 
Measured environment startup consists of the following steps:

Table 6-2.  GETSEC Leaf Functions 

Index (EAX)

Leaf function

Description

0

CAPABILITIES

Returns the available leaf functions of the GETSEC instruction.

1

Undefined

Reserved

2

ENTERACCS

Enter 

3

EXITAC

Exit 

4

SENTER

Launch an MLE.

5

SEXIT

Exit the MLE.

6

PARAMETERS

Return SMX related parameter information.

7

SMCTRL

SMX  mode  control.

8

WAKEUP

Wake up sleeping processors in safer mode.

9 - (4G-1)

Undefined

Reserved