
37-4 Vol. 3D

INTRODUCTION TO INTEL® SOFTWARE GUARD EXTENSIONS

37.7 DISCOVERING SUPPORT FOR INTEL® SGX AND ENABLING ENCLAVE INSTRUCTIONS

Detection of Intel SGX support and enumeration of the available and enabled Intel SGX resources are performed with the CPUID instruction. The enumeration interface comprises the following:

• Processor support of Intel SGX is enumerated by a feature flag in CPUID leaf 07H: CPUID.(EAX=07H, ECX=0H):EBX.SGX[bit 2]. If CPUID.(EAX=07H, ECX=0H):EBX.SGX = 1, the processor supports Intel SGX; use of Intel SGX additionally requires BIOS opt-in via the IA32_FEATURE_CONTROL MSR.
• If CPUID.(EAX=07H, ECX=0H):EBX.SGX = 1, CPUID reports the available and/or configured Intel SGX resources through the sub-leaves of CPUID.(EAX=12H).

The available and configured Intel SGX resources enumerated by the sub-leaves of CPUID.(EAX=12H) depend on the state of the BIOS configuration. A check therefore has two distinct steps: confirm the leaf 07H feature bit before consuming leaf 12H (leaf 12H is not valid when the feature bit is 0), and do not treat the leaf 12H enumeration alone as proof that the enclave instructions are usable, since the BIOS opt-in state is not visible through CPUID.

37.7.1 Intel® SGX Opt-In Configuration

On processors that support Intel SGX, IA32_FEATURE_CONTROL provides the SGX_ENABLE field (bit 18). Before system software can configure and enable Intel SGX resources, BIOS is required to set IA32_FEATURE_CONTROL.SGX_ENABLE = 1 to opt in to the use of Intel SGX by system software.

The semantics of setting SGX_ENABLE follow the rules of IA32_FEATURE_CONTROL.LOCK (bit 0). Software is considered to have opted into Intel SGX if and only if both IA32_FEATURE_CONTROL.SGX_ENABLE and IA32_FEATURE_CONTROL.LOCK are set to 1. Because LOCK makes the MSR read-only until the next reset (a WRMSR to a locked IA32_FEATURE_CONTROL raises #GP), BIOS must set SGX_ENABLE no later than the write that sets LOCK; a BIOS that locks the MSR with SGX_ENABLE = 0 leaves Intel SGX unusable for that boot even though the processor supports it. The setting of IA32_FEATURE_CONTROL.SGX_ENABLE (bit 18) is not reflected by CPUID, so an operating system or hypervisor must read the MSR itself, and unprivileged software cannot learn the opt-in state from CPUID at all.
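As a worked check of the two-stage enumeration described above (CPUID feature bit, then IA32_FEATURE_CONTROL opt-in) and of the decision rule in Table 37-3, the following C program is an added example, not code from the Intel SDM. The pure functions classify constructed register values so the logic can be exercised on any machine; the live probe is compiled only on x86 and reads the MSR through Linux's /dev/cpu/0/msr (assumed to exist and to be readable as root with the msr module loaded). The MSR address 3AH for IA32_FEATURE_CONTROL and the SGX1/SGX2 bits in CPUID.(EAX=12H, ECX=0):EAX are taken from the SDM's MSR and CPUID reference chapters, not from this page.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* pread() declaration */
#endif
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>                /* __get_cpuid_count(), GCC/Clang */
#include <fcntl.h>
#include <unistd.h>
#endif

/* Architectural constants named on this page. */
#define CPUID7_EBX_SGX             (1u << 2)     /* CPUID.(EAX=07H,ECX=0):EBX.SGX */
#define FEATURE_CONTROL_LOCK       (1ULL << 0)   /* IA32_FEATURE_CONTROL.LOCK */
#define FEATURE_CONTROL_SGX_ENABLE (1ULL << 18)  /* IA32_FEATURE_CONTROL.SGX_ENABLE */
/* Assumed from the SDM MSR/CPUID reference (not stated on this page). */
#define IA32_FEATURE_CONTROL_MSR   0x3AU         /* MSR address of IA32_FEATURE_CONTROL */
#define CPUID12_EAX_SGX1           (1u << 0)     /* CPUID.(EAX=12H,ECX=0):EAX.SGX1 */
#define CPUID12_EAX_SGX2           (1u << 1)     /* CPUID.(EAX=12H,ECX=0):EAX.SGX2 */

enum sgx_state {
    SGX_UNSUPPORTED,   /* CPUID.07H:EBX.SGX = 0: leaf 12H invalid, ENCLS/ENCLU raise #UD */
    SGX_NOT_OPTED_IN,  /* SGX bit set, but LOCK and SGX_ENABLE are not both 1: still #UD */
    SGX_ENABLED        /* SGX bit, LOCK and SGX_ENABLE all set: enclave instructions usable */
};

/* Decision rule of Table 37-3 over raw register values. Both LOCK and SGX_ENABLE must be 1;
   SGX_ENABLE alone (unlocked MSR) is not an opt-in. */
enum sgx_state sgx_classify(uint32_t cpuid7_ebx, uint64_t feature_control)
{
    const uint64_t need = FEATURE_CONTROL_LOCK | FEATURE_CONTROL_SGX_ENABLE;
    if ((cpuid7_ebx & CPUID7_EBX_SGX) == 0)
        return SGX_UNSUPPORTED;
    if ((feature_control & need) != need)
        return SGX_NOT_OPTED_IN;
    return SGX_ENABLED;
}

/* Bitmask (bit 0 = SGX1, bit 1 = SGX2) from leaf 12H, consulted only when the leaf 07H
   feature bit says leaf 12H is valid; otherwise report nothing rather than garbage. */
uint32_t sgx_versions(uint32_t cpuid7_ebx, uint32_t cpuid12_eax)
{
    if ((cpuid7_ebx & CPUID7_EBX_SGX) == 0)
        return 0;
    return cpuid12_eax & (CPUID12_EAX_SGX1 | CPUID12_EAX_SGX2);
}

/* Live probe on x86 Linux. CPUID executes unprivileged; the MSR needs the msr driver and
   root. Returns false when the MSR cannot be read: CPUID alone cannot tell us SGX_ENABLE. */
bool sgx_probe_live(enum sgx_state *state, uint32_t *versions)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0, a12 = 0;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return false;                       /* max basic leaf below 07H */
    uint32_t ebx7 = b;
    if (ebx7 & CPUID7_EBX_SGX)
        __get_cpuid_count(0x12, 0, &a12, &b, &c, &d);
    *versions = sgx_versions(ebx7, a12);

    uint64_t fc = 0;
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return false;
    ssize_t n = pread(fd, &fc, sizeof fc, IA32_FEATURE_CONTROL_MSR);
    close(fd);
    if (n != (ssize_t)sizeof fc)
        return false;
    *state = sgx_classify(ebx7, fc);
    return true;
#else
    (void)state; (void)versions;
    return false;
#endif
}

int main(void)
{
    enum sgx_state st;
    uint32_t ver;
    if (!sgx_probe_live(&st, &ver)) {
        puts("live probe unavailable (not x86, or /dev/cpu/0/msr not readable)");
        return 0;
    }
    static const char *names[] = { "unsupported", "supported but not opted in", "enabled" };
    printf("SGX: %s; SGX1=%u SGX2=%u\n", names[st], ver & 1u, (ver >> 1) & 1u);
    return 0;
}
```

The split between the pure functions and the probe is deliberate: the Table 37-3 rule is what most often goes wrong in practice (checking SGX_ENABLE without LOCK, or reading leaf 12H before leaf 07H), and it can be unit-tested with constructed values on a build machine that has no SGX at all.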

Table 37-1.  Supervisor and User Mode Enclave Instruction Leaf Functions in Long-Form of SGX1 (continued)

Supervisor Instruction | Description                                | User Instruction | Description
-----------------------|--------------------------------------------|------------------|------------
ENCLS[EEXTEND]         | Extend EPC page measurement.               |                  |
ENCLS[EINIT]           | Initialize an enclave.                     |                  |
ENCLS[ELDB]            | Load an EPC page in blocked state.         |                  |
ENCLS[ELDU]            | Load an EPC page in unblocked state.       |                  |
ENCLS[EPA]             | Add an EPC page to create a version array. |                  |
ENCLS[EREMOVE]         | Remove an EPC page from an enclave.        |                  |
ENCLS[ETRACK]          | Activate EBLOCK checks.                    |                  |
ENCLS[EWB]             | Write back/invalidate an EPC page.         |                  |

Table 37-2.  Supervisor and User Mode Enclave Instruction Leaf Functions in Long-Form of SGX2

Supervisor Instruction | Description                               | User Instruction   | Description
-----------------------|-------------------------------------------|--------------------|---------------------------------------------------------------------------
ENCLS[EAUG]            | Allocate EPC page to an existing enclave. | ENCLU[EACCEPT]     | Accept EPC page into the enclave.
ENCLS[EMODPR]          | Restrict page permissions.                | ENCLU[EMODPE]      | Enhance page permissions.
ENCLS[EMODT]           | Modify EPC page type.                     | ENCLU[EACCEPTCOPY] | Copy contents to an augmented EPC page and accept the EPC page into the enclave.

Table 37-3.  Intel® SGX Opt-in and Enabling Behavior

CPUID.(07H,0H):EBX.SGX | CPUID.(12H) | FEATURE_CONTROL.LOCK | FEATURE_CONTROL.SGX_ENABLE | Enclave Instruction
-----------------------|-------------|----------------------|----------------------------|--------------------------------------------------------------
0                      | Invalid     | X                    | X                          | #UD
1                      | Valid*      | 0                    | X                          | #UD**
1                      | Valid*      | 1                    | 0                          | #UD**
1                      | Valid*      | 1                    | 1                          | Available (long-form leaf functions of Tables 37-1 and 37-2)