Vol. 3D 39-9
ENCLAVE OPERATION
39.5
EPC AND MANAGEMENT OF EPC PAGES
EPC layout is implementation specific, and is enumerated through CPUID (see Table 37-6 for EPC layout). EPC is
typically configured by BIOS at system boot time.
The exact amount, size, and layout of EPC are model-specific, and depend on BIOS settings.
39.5.1 EPC
Implementation
EPC must be properly protected against attacks. One example of EPC implementation could use a Memory Encryp-
tion Engine (MEE). An MEE provides a cost-effective mechanism of creating cryptographically protected volatile
storage using platform DRAM. These units provide integrity, replay, and confidentiality protection. Details are
implementation specific.
39.5.2
OS Management of EPC Pages
The EPC is a finite resource. SGX1 (i.e. CPUID.(EAX=12H, ECX=0):EAX.SGX1 = 1 but CPUID.(EAX=12H,
ECX=0):EAX.SGX2 = 0) provides the EPC manager with leaf functions to manage this resource and properly swap
pages out of and into the EPC. For that, the EPC manager would need to keep track of all EPC entries, type and
state, context affiliation, and SECS affiliation.
Enclave pages that are candidates for eviction should be moved to BLOCKED state using EBLOCK instruction that
ensures no new cached virtual to physical address mappings can be created by attempts to reference a BLOCKED
page.
Before evicting blocked pages, EPC manager should execute ETRACK leaf function on that enclave and ensure that
there are no stale cached virtual to physical address mappings for the blocked pages remain on any thread on the
platform.
After removing all stale translations from blocked pages, system software should use the EWB leaf function for
securely evicting pages out of the EPC. EWB encrypts a page in the EPC, writes it to unprotected memory, and
invalidates the copy in EPC. In addition, EWB also creates a cryptographic MAC (PCMD.MAC) of the page and stores
it in unprotected memory. A page can be reloaded back to the processor only if the data and MAC match. To ensure
that the only latest version of the evicted page can be loaded back, the version of the evicted page is stored
securely in a Version Array (VA) in EPC.
SGX1 includes two instructions for reloading pages that have been evicted by system software: ELDU and ELDB.
The difference between the two instructions is the value of the paging state at the end of the instruction. ELDU
results in a page being reloaded and set to an UNBLOCKED state, while ELDB results in a page loaded to a
BLOCKED state.
ELDB is intended for use by a Virtual Machine Monitor (VMM). When a VMM reloads an evicted page, it needs to
restore it to the correct state of the page (BLOCKED vs. UNBLOCKED) as it existed at the time the page was
evicted. Based on the state of the page at eviction, the VMM chooses either ELDB or ELDU.
39.5.2.1 Enhancement to Managing EPC Pages
On processors supporting SGX2 (i.e. CPUID.(EAX=12H, ECX=0):EAX.SGX2 = 1), the EPC manager can manage
EPC resources (while enclave is running) with more flexibility provided by the SGX2 leaf functions. The additional
flexibility is described in Section 39.5.7 through Section 39.5.11.
39.5.3
Eviction of Enclave Pages
Intel SGX paging is optimized to allow the Operating System (OS) to evict multiple pages out of the EPC under a
single synchronization.
The suggested flow for evicting a list of pages from the EPC is:
1. For each page to be evicted from the EPC:
a. Select an empty slot in a Version Array (VA) page.