
Vol. 3D 39-5

ENCLAVE OPERATION

39.2.3.1   ERESUME Interaction

ERESUME restores registers depending on the mode of the enclave (32 or 64 bit).

In 32-bit mode (IA32_EFER.LMA = 0 || CS.L = 0), the low 32-bits of the legacy registers (EAX, EBX, ECX, EDX, 
ESP, EBP, ESI, EDI, EIP and EFLAGS) are restored from the thread’s GPR area of the current SSA frame. Neither 
the upper 32 bits of the legacy registers nor the 64-bit registers (R8 … R15) are loaded. 

In 64-bit mode (IA32_EFER.LMA = 1 && CS.L = 1), all 64 bits of the general processor registers (RAX, RBX, 
RCX, RDX, RSP, RBP, RSI, RDI, R8 … R15, RIP and RFLAGS) are loaded.

Extended features specified by SECS.ATTRIBUTES.XFRM are restored from the XSAVE area of the current SSA 
frame. The layout of the x87 area depends on the current values of IA32_EFER.LMA and CS.L:

IA32_EFER.LMA = 0 || CS.L = 0 — 32-bit load in the same format that XSAVE/FXSAVE uses with these values.

IA32_EFER.LMA = 1 && CS.L = 1 — 64-bit load in the same format that XSAVE/FXSAVE uses with these values as if REX.W = 1.

39.3 CALLING ENCLAVE PROCEDURES

39.3.1 Calling Convention

In standard calling conventions, subroutine parameters are generally pushed onto the stack. The called routine, being 
aware of its own stack layout, knows how to find parameters based on compile-time-computable offsets from the 
SP or BP register (depending on the runtime conventions used by the compiler).

Because of the stack switch when calling an enclave, stack-located parameters cannot be found in this manner. 
Entering the enclave requires a modified parameter passing convention.

For example, the caller might push parameters onto the untrusted stack and then pass a pointer to those parameters 
in RAX to the enclave software. The exact choice of calling convention is up to the writer of the edge routines, 
whether those routines are hand-coded or compiler generated.
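The convention just described, as an added example in C that is not part of the SDM: the untrusted edge routine builds a parameter block on its own stack and hands the enclave only its address (standing in for the value passed in RAX at EENTER), and the enclave entry stub reads the parameters through that pointer rather than through SP/BP-relative offsets. EENTER/EEXIT are modelled by a plain function call, the enclave's memory range is modelled by a static array, and the check that the block lies outside that range is an assumption added for the model, not something the SDM text above prescribes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the enclave's own memory range (model only, not from the SDM). */
static uint8_t enclave_image[4096];

/* Parameter block the untrusted edge routine builds on its own stack. */
struct enclave_params {
    uint32_t opcode;      /* selects the enclave function */
    const uint8_t *in;    /* caller-owned input buffer */
    size_t in_len;
    uint64_t result;      /* written back by the enclave */
};

/* True if [p, p+len) lies entirely outside the modelled enclave range. */
static int outside_enclave(const void *p, size_t len)
{
    uintptr_t s = (uintptr_t)p, e = s + len;
    uintptr_t eb = (uintptr_t)enclave_image, ee = eb + sizeof enclave_image;
    if (e < s) return 0;                         /* address wrap-around */
    return e <= eb || s >= ee;
}

/* Enclave-side entry stub; 'rax' models the pointer passed in RAX. */
int enclave_entry(uint64_t rax)
{
    struct enclave_params *p = (struct enclave_params *)(uintptr_t)rax;
    struct enclave_params local;
    if (!outside_enclave(p, sizeof *p)) return -1;   /* block must be untrusted memory */
    memcpy(&local, p, sizeof local);                 /* copy once, then only use the copy */
    if (!outside_enclave(local.in, local.in_len)) return -1;
    uint64_t acc = 0;                                /* placeholder computation */
    for (size_t i = 0; i < local.in_len; i++)
        acc = acc * 31 + local.in[i];
    p->result = (local.opcode == 1) ? acc : 0;
    memset(&local, 0, sizeof local);                 /* scrub the copy before "EEXIT" */
    return 0;
}

/* Untrusted edge routine: parameters go in a block on this stack, and only
 * the block's address crosses into the enclave (the RAX of the text). */
uint64_t untrusted_call(uint32_t opcode, const uint8_t *in, size_t in_len)
{
    struct enclave_params blk = { opcode, in, in_len, 0 };
    if (enclave_entry((uint64_t)(uintptr_t)&blk) != 0) return UINT64_MAX;
    return blk.result;
}
```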

39.3.2 Register Preservation

As with most systems, it is the responsibility of the callee to preserve all registers except the one used for returning a 
value. This is consistent with conventional usage and tends to minimize the number of register save/restore operations 
that need to be performed. It has the additional security benefit of ensuring that data is scrubbed from any 
registers the enclave used to temporarily hold secrets.

39.3.3 Returning to Caller

No registers are modified during EEXIT. It is the responsibility of software to remove secrets in registers before 
executing EEXIT.

39.4 INTEL® SGX KEY AND ATTESTATION

39.4.1 Enclave Measurement

During the enclave build process, two “measurements” are taken of each enclave and are stored in two 256-bit 
Measurement Registers (MR): MRENCLAVE and MRSIGNER. MRENCLAVE represents the enclave's contents and 
build process. MRSIGNER represents the entity that signed the enclave's SIGSTRUCT.