background image

37-2 Vol. 3D


Intel SGX introduces two significant capabilities to the Intel Architecture. First is the change in enclave memory 
access semantics. The second is protection of the address mappings of the application.



Enclave memory management is divided into two parts: address space allocation and memory commitment. 
Address space allocation is the specification of the range of logical addresses that the enclave may use. This range 
is called the ELRANGE. No actual resources are committed to this region. Memory commitment is the assignment 
of actual memory resources (as pages) within the allocated address space. This two-phase technique allows flexi-
bility for enclaves to control their memory usage and to adjust dynamically without overusing memory resources 
when enclave needs are low. Commitment adds physical pages to the enclave. An operating system may support 
separate allocate and commit operations. 
During enclave creation, code and data for an enclave are loaded from a clear-text source, i.e. from non-enclave 
Untrusted application code starts using an initialized enclave typically by using the EENTER leaf function provided 
by Intel SGX to transfer control to the enclave code residing in the protected Enclave Page Cache (EPC). The 
enclave code returns to the caller via the EEXIT leaf function. Upon enclave entry, control is transferred by hard-
ware to software inside the enclave. The software inside the enclave switches the stack pointer to one inside the 
enclave. When returning back from the enclave, the software swaps back the stack pointer then executes the 
EEXIT leaf function.
On processors that supports the SGX2 extensions, an enclave writer may add memory to an enclave using the 
SGX2 instruction set, after the enclave is built and running. These instructions allow adding additional memory 
resources to the enclave for use in such areas as the heap. In addition, SGX2 instructions allow the enclave to add 
new threads to the enclave. The SGX2 features provide additional capabilities to the software model without 
changing the security properties of the Intel SGX architecture. 
Calling an external procedure from an enclave could be done using the EEXIT leaf function. Software would use 
EEXIT and a software convention between the trusted section and the untrusted section.
An active enclave consumes resource from the Enclave Page Cache (EPC, see Section 37.5). Intel SGX provides the 
EREMOVE instruction that an EPC manager can use to reclaim EPC pages committed to an enclave. The EPC 
manager uses EREMOVE on every enclave page when the enclave is torn down. After successful execution of 
EREMOVE the EPC page is available for allocation to another enclave.



There are 2 main data structures associated with operating an enclave, the SGX Enclave Control Structure (SECS, 
see Section 38.7) and the Thread Control Structure (TCS, see Section 38.8). 
There is one SECS for each enclave. The SECS contains meta-data about the enclave which is used by the hardware 
and cannot be directly accessed by software. Included in the SECS is a field that stores the enclave build measure-
ment value. This field, MRENCLAVE, is initialized by the ECREATE instruction and updated by every EADD and 
EEXTEND. It is locked by EINIT. 
Every enclave contains one or more TCS structures. The TCS contains meta-data used by the hardware to save and 
restore thread specific information when entering/exiting the enclave. There is one field, FLAGS, that may be 
accessed by software. This field can only be accessed by debug enclaves. The flag bit, DBGOPTIN, allows to single 
step into the thread associated with the TCS. (see Section 38.8.1)
The SECS is created when ECREATE (see Table 37-1) is executed. The TCS can be created using the EADD instruc-
tion or the SGX2 instructions (see Table 37-2). 



The Enclave Page Cache (EPC) is the secure storage used to store enclave pages when they are a part of an 
executing enclave. For an EPC page, hardware performs additional access control checks to restrict access to the 
page. After the current page access checks and translations are performed, the hardware checks that the EPC page