Vol. 3D 39-1
ENCLAVE OPERATION
CHAPTER 39
ENCLAVE OPERATION
The following aspects of enclave operation are described in this chapter:
•
Enclave creation: Includes loading code and data from outside of enclave into the EPC and establishing the
enclave entity.
•
Adding pages and measuring the enclave.
•
Initialization of an enclave: Finalizes the cryptographic log and establishes the enclave identity and sealing
identity.
•
Enclave entry and exiting including:
— Controlled entry and exit.
— Asynchronous Enclave Exit (AEX) and resuming execution after an AEX.
39.1
CONSTRUCTING AN ENCLAVE
Figure 39-1 illustrates a typical Enclave memory layout.
The enclave creation, commitment of memory resources, and finalizing the enclave’s identity with measurement
comprises multiple phases. This process can be illustrated by the following exemplary steps:
1. The application hands over the enclave content along with additional information required by the enclave
creation API to the enclave creation service running at privilege level 0.
2. The enclave creation service running at privilege level 0 uses the ECREATE leaf function to set up the initial
environment, specifying base address and size of the enclave. This address range, the ELRANGE, is part of the
application's address space. This reserves the memory range. The enclave will now reside in this address
Figure 39-1. Enclave Memory Layout
Thread Data
Global Data
Code
Enclave Memory
SECS
TCS
Base + Size
Base
Replicated once
per thread
Enclave {Base, Size}
Application Context
OS Context