Vol. 3D 39-5
ENCLAVE OPERATION
39.2.3.1 ERESUME Interaction
ERESUME restores registers depending on the mode of the enclave (32 or 64 bit).
•
In 32-bit mode (IA32_EFER.LMA = 0 || CS.L = 0), the low 32-bits of the legacy registers (EAX, EBX, ECX, EDX,
ESP, EBP, ESI, EDI, EIP and EFLAGS) are restored from the thread’s GPR area of the current SSA frame. Neither
the upper 32 bits of the legacy registers nor the 64-bit registers (R8 … R15) are loaded.
•
In 64-bit mode (IA32_EFER.LMA = 1 && CS.L = 1), all 64 bits of the general processor registers (RAX, RBX,
RCX, RDX, RSP, RBP, RSI, RDI, R8 … R15, RIP and RFLAGS) are loaded.
Extended features specified by SECS.ATTRIBUTES.XFRM are restored from the XSAVE area of the current SSA
frame. The layout of the x87 area depends on the current values of IA32_EFER.LMA and CS.L:
•
IA32_EFER.LMA = 0 || CS.L = 0
— 32-bit load in the same format that XSAVE/FXSAVE uses with these values.
•
IA32_EFER.LMA = 1 && CS.L = 1
— 64-bit load in the same format that XSAVE/FXSAVE uses with these values as if REX.W = 1.
39.3
CALLING ENCLAVE PROCEDURES
39.3.1 Calling
Convention
In standard call conventions subroutine parameters are generally pushed onto the stack. The called routine, being
aware of its own stack layout, knows how to find parameters based on compile-time-computable offsets from the
SP or BP register (depending on runtime conventions used by the compiler).
Because of the stack switch when calling an enclave, stack-located parameters cannot be found in this manner.
Entering the enclave requires a modified parameter passing convention.
For example, the caller might push parameters onto the untrusted stack and then pass a pointer to those parame-
ters in RAX to the enclave software. The exact choice of calling conventions is up to the writer of the edge routines;
be those routines hand-coded or compiler generated.
39.3.2 Register
Preservation
As with most systems, it is the responsibility of the callee to preserve all registers except that used for returning a
value. This is consistent with conventional usage and tends to optimize the number of register save/restore oper-
ations that need be performed. It has the additional security result that it ensures that data is scrubbed from any
registers that were used by enclave to temporarily contain secrets.
39.3.3
Returning to Caller
No registers are modified during EEXIT. It is the responsibility of software to remove secrets in registers before
executing EEXIT.
39.4
INTEL® SGX KEY AND ATTESTATION
39.4.1 Enclave
Measurement
During the enclave build process, two “measurements” are taken of each enclave and are stored in two 256-bit
Measurement Registers (MR): MRENCLAVE and MRSIGNER. MRENCLAVE represents the enclave's contents and
build process. MRSIGNER represents the entity that signed the enclave's SIGSTRUCT.