Vol. 3D 39-3
ENCLAVE OPERATION
The EINIT leaf function checks the EINIT token to validate that the enclave has been enabled on this platform. If
the enclave is not correctly constructed, or the EINIT token is not valid for the platform, or SIGSTRUCT isn't prop-
erly signed, then EINIT will fail. See the EINIT leaf function for details on the error reporting.
The enclave identity is a cryptographic hash that reflects the enclave attributes and MISCSELECT value, content
of the enclave, the order in which it was built, the addresses it occupies in memory, the security attributes, and
access right permissions of each page. The enclave identity is established by the EINIT leaf function.
The sealing identity is managed by a sealing authority represented by the hash of the public key used to sign the
SIGSTRUCT structure processed by EINIT. The sealing authority assigns a product ID (ISVPRODID) and security
version number (ISVSVN) to a particular enclave identity.
EINIT establishes the sealing identity using the following steps:
1. Verifies that SIGSTRUCT is properly signed using the public key enclosed in the SIGSTRUCT.
2. Checks that the measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT.
3. Checks that the enclave’s attributes and MISCSELECT values are compatible with those specified in SIGSTRUCT.
4. Finalizes the measurement of the enclave and records the sealing identity (the sealing authority, product id
and security version number) and enclave identity in the SECS.
5. Sets the ATTRIBUTES.INIT bit for the enclave.
39.1.4
Intel® SGX Launch Control Configuration
Intel® SGX Launch Control is a set of controls that govern the creation of enclaves. Before the EINIT leaf function
will successfully initialize an enclave, a designated Launch Enclave must create an EINITTOKEN for that enclave.
Launch Enclaves have SECS.ATTRIBUTES.EINITTOKENKEY = 1, granting them access to the EINITTOKENKEY from
the EGETKEY leaf function. EINITTOKENKEY must be used by the Launch Enclave when computing EINIT-
TOKEN.MAC, the Message Authentication Code of the EINITTOKEN.
The hash of the public key used to sign the SIGSTRUCT of the Launch Enclave must equal the value in the
IA32_SGXLEPUBKEYHASH MSRs. Only Launch Enclaves are allowed to launch without a valid token.
The IA32_SGXLEPUBKEYHASH MSRs are provided to designate the platform’s Launch Enclave.
IA32_SGXLEPUBKEYHASH defaults to digest of Intel’s launch enclave signing key after reset.
IA32_FEATURE_CONTROL bit 17 controls the permissions on the IA32_SGXLEPUBKEYHASH MSRs when
CPUID.(EAX=12H, ECX=00H):EAX[0] = 1. If IA32_FEATURE_CONTROL is locked with bit 17 set,
IA32_SGXLEPUBKEYHASH MSRs are reconfigurable (writeable). If either IA32_FEATURE_CONTROL is not locked or
bit 17 is clear, the MSRs are read only. By leaving these MSRs writable, system SW or a VMM can support a plurality
of Launch Enclaves for hosting multiple execution environments. See Section 42.3.2 for more details.
39.2
ENCLAVE ENTRY AND EXITING
39.2.1
Controlled Entry and Exit
The EENTER leaf function is the method to enter the enclave under program control. To execute EENTER, software
must supply an address of a TCS that is part of the enclave to be entered. The TCS holds the location inside the
enclave to transfer control to and a pointer to the SSA frame inside the enclave that an AEX should store the
register state to.
When a logical processor enters an enclave, the TCS is considered busy until the logical processors exits the
enclave. An attempt to enter an enclave through a busy TCS results in a fault. Intel
®
SGX allows an enclave builder
to define multiple TCSs, thereby providing support for multithreaded enclaves.
Software must also supply to EENTER the Asynchronous Exit Pointer (AEP) parameter. AEP is an address external
to the enclave which an exception handler will return to using IRET. Typically the location would contain the
ERESUME instruction. ERESUME transfers control back to the enclave, to the address retrieved from the enclave
thread’s saved state.
EENTER performs the following operations: