37-2 Vol. 3D
INTRODUCTION TO INTELĀ® SOFTWARE GUARD EXTENSIONS
Intel SGX introduces two significant capabilities to the Intel Architecture. First is the change in enclave memory
access semantics. The second is protection of the address mappings of the application.
37.3
ENCLAVE LIFE CYCLE
Enclave memory management is divided into two parts: address space allocation and memory commitment.
Address space allocation is the specification of the range of logical addresses that the enclave may use. This range
is called the ELRANGE. No actual resources are committed to this region. Memory commitment is the assignment
of actual memory resources (as pages) within the allocated address space. This two-phase technique allows flexi-
bility for enclaves to control their memory usage and to adjust dynamically without overusing memory resources
when enclave needs are low. Commitment adds physical pages to the enclave. An operating system may support
separate allocate and commit operations.
During enclave creation, code and data for an enclave are loaded from a clear-text source, i.e. from non-enclave
memory.
Untrusted application code starts using an initialized enclave typically by using the EENTER leaf function provided
by Intel SGX to transfer control to the enclave code residing in the protected Enclave Page Cache (EPC). The
enclave code returns to the caller via the EEXIT leaf function. Upon enclave entry, control is transferred by hard-
ware to software inside the enclave. The software inside the enclave switches the stack pointer to one inside the
enclave. When returning back from the enclave, the software swaps back the stack pointer then executes the
EEXIT leaf function.
On processors that supports the SGX2 extensions, an enclave writer may add memory to an enclave using the
SGX2 instruction set, after the enclave is built and running. These instructions allow adding additional memory
resources to the enclave for use in such areas as the heap. In addition, SGX2 instructions allow the enclave to add
new threads to the enclave. The SGX2 features provide additional capabilities to the software model without
changing the security properties of the Intel SGX architecture.
Calling an external procedure from an enclave could be done using the EEXIT leaf function. Software would use
EEXIT and a software convention between the trusted section and the untrusted section.
An active enclave consumes resource from the Enclave Page Cache (EPC, see Section 37.5). Intel SGX provides the
EREMOVE instruction that an EPC manager can use to reclaim EPC pages committed to an enclave. The EPC
manager uses EREMOVE on every enclave page when the enclave is torn down. After successful execution of
EREMOVE the EPC page is available for allocation to another enclave.
37.4
DATA STRUCTURES AND ENCLAVE OPERATION
There are 2 main data structures associated with operating an enclave, the SGX Enclave Control Structure (SECS,
see Section 38.7) and the Thread Control Structure (TCS, see Section 38.8).
There is one SECS for each enclave. The SECS contains meta-data about the enclave which is used by the hardware
and cannot be directly accessed by software. Included in the SECS is a field that stores the enclave build measure-
ment value. This field, MRENCLAVE, is initialized by the ECREATE instruction and updated by every EADD and
EEXTEND. It is locked by EINIT.
Every enclave contains one or more TCS structures. The TCS contains meta-data used by the hardware to save and
restore thread specific information when entering/exiting the enclave. There is one field, FLAGS, that may be
accessed by software. This field can only be accessed by debug enclaves. The flag bit, DBGOPTIN, allows to single
step into the thread associated with the TCS. (see Section 38.8.1)
The SECS is created when ECREATE (see Table 37-1) is executed. The TCS can be created using the EADD instruc-
tion or the SGX2 instructions (see Table 37-2).
37.5
ENCLAVE PAGE CACHE
The Enclave Page Cache (EPC) is the secure storage used to store enclave pages when they are a part of an
executing enclave. For an EPC page, hardware performs additional access control checks to restrict access to the
page. After the current page access checks and translations are performed, the hardware checks that the EPC page