Vol. 3D 41-5

SGX INSTRUCTION REFERENCES

ENCLS—Execute an Enclave System Function of Specified Leaf Number 

Instruction Operand Encoding

Description

The ENCLS instruction invokes the specified privileged Intel SGX leaf function for managing and debugging enclaves. Software specifies the leaf function by setting the appropriate value in the register EAX as input. The registers RBX, RCX, and RDX have leaf-specific purpose, and may act as input, as output, or may be unused. In 64-bit mode, the instruction ignores upper 32 bits of the RAX register.

The ENCLS instruction produces an invalid-opcode exception (#UD) if CR0.PE = 0 or RFLAGS.VM = 1, or if it is executed in system-management mode (SMM). Additionally, any attempt to execute the instruction when CPL > 0 results in #UD. The instruction produces a general-protection exception (#GP) if CR0.PG = 0 or if an attempt is made to invoke an undefined leaf function.

In VMX non-root operation, execution of ENCLS may cause a VM exit if the “enable ENCLS exiting” VM-execution control is 1. In this case, execution of individual leaf functions of ENCLS is governed by the ENCLS-exiting bitmap field in the VMCS. Each bit in that field corresponds to the index of an ENCLS leaf function (as provided in EAX).

Software in VMX root operation can thus intercept the invocation of various ENCLS leaf functions in VMX non-root operation by setting the “enable ENCLS exiting” VM-execution control and setting the corresponding bits in the ENCLS-exiting bitmap.

Addresses and operands are 32 bits outside 64-bit mode (IA32_EFER.LMA = 0 || CS.L = 0) and are 64 bits in 64-bit mode (IA32_EFER.LMA = 1 || CS.L = 1). CS.D value has no impact on address calculation. The DS segment is used to create linear addresses.

Segment override prefixes and address-size override prefixes are ignored, as is the REX prefix in 64-bit mode.

Operation

IF TSX_ACTIVE
    THEN GOTO TSX_ABORT_PROCESSING; FI;

IF CR0.PE = 0 or RFLAGS.VM = 1 or in SMM or CPUID.SGX_LEAF.0:EAX.SE1 = 0
    THEN #UD; FI;

IF (CPL > 0)
    THEN #UD; FI;

IF in VMX non-root operation and the “enable ENCLS exiting” VM-execution control is 1
    THEN
        IF EAX < 63 and ENCLS_exiting_bitmap[EAX] = 1 or EAX > 62 and ENCLS_exiting_bitmap[63] = 1
            THEN VM exit;
        FI;
FI;

IF IA32_FEATURE_CONTROL.LOCK = 0 or IA32_FEATURE_CONTROL.SGX_ENABLE = 0
    THEN #GP(0); FI;

IF EAX is invalid leaf number)
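
The check order in the Operation pseudocode above, written out as a small C model that a hypervisor author can use to reason about which ENCLS invocations reach the VMM. This is an added example, not Intel's code: the struct fields, function names and the `leaf_defined` flag are assumptions of this example, and because the list of defined leaves is not on this page the caller supplies that flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes of the ENCLS entry checks, in the order the Operation section applies them. */
enum encls_outcome { ENCLS_TSX_ABORT, ENCLS_UD, ENCLS_VM_EXIT, ENCLS_GP, ENCLS_DISPATCH };

/* Hypothetical snapshot of the state the checks read (names are this example's own). */
struct encls_state {
    bool tsx_active, cr0_pe, rflags_vm, in_smm, cpuid_sgx1;
    unsigned cpl;
    bool vmx_non_root, enable_encls_exiting;
    uint64_t encls_exiting_bitmap;   /* VMCS field: bit n governs leaf n */
    bool fc_lock, fc_sgx_enable;     /* IA32_FEATURE_CONTROL.LOCK / .SGX_ENABLE */
    bool leaf_defined;               /* assumption: supplied by caller, leaf list not on this page */
};

/* Bit consulted for a leaf: EAX itself below 63, bit 63 for every EAX above 62. */
unsigned encls_bitmap_index(uint32_t eax) { return eax < 63 ? eax : 63; }

enum encls_outcome encls_entry_check(struct encls_state s, uint64_t rax)
{
    uint32_t eax = (uint32_t)rax;    /* in 64-bit mode the upper 32 bits of RAX are ignored */
    if (s.tsx_active) return ENCLS_TSX_ABORT;
    if (!s.cr0_pe || s.rflags_vm || s.in_smm || !s.cpuid_sgx1) return ENCLS_UD;
    if (s.cpl > 0) return ENCLS_UD;
    /* The exiting bitmap is tested before the #GP checks, so an intercepted
       leaf reaches the hypervisor even if the guest would otherwise fault. */
    if (s.vmx_non_root && s.enable_encls_exiting &&
        ((s.encls_exiting_bitmap >> encls_bitmap_index(eax)) & 1))
        return ENCLS_VM_EXIT;
    if (!s.fc_lock || !s.fc_sgx_enable) return ENCLS_GP;
    if (!s.leaf_defined) return ENCLS_GP;  /* from the Description; the pseudocode is cut off here */
    return ENCLS_DISPATCH;
}

/* Constructed sample: ring-0 guest, SGX enabled, ENCLS exiting on, leaf assumed defined. */
struct encls_state sample_guest(uint64_t bitmap)
{
    struct encls_state s = { .cr0_pe = true, .cpuid_sgx1 = true, .vmx_non_root = true,
        .enable_encls_exiting = true, .encls_exiting_bitmap = bitmap,
        .fc_lock = true, .fc_sgx_enable = true, .leaf_defined = true };
    return s;
}

int main(void)
{
    printf("leaf 0, bit 0 set    -> %d\n", encls_entry_check(sample_guest(1), 0));
    printf("leaf 200, bit 63 set -> %d\n", encls_entry_check(sample_guest(1ULL << 63), 200));
    return 0;
}
```

Bit 63 of the bitmap acts as a catch-all for every leaf index above 62, so setting it intercepts leaf numbers the VMM does not otherwise track.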

Opcode/Instruction | Op/En | 64/32 bit Mode Support | CPUID Feature Flag | Description
0F 01 CF ENCLS | NP | V/V | SGX1 | This instruction is used to execute privileged Intel SGX leaf functions that are used for managing and debugging the enclaves.

Op/En | Operand 1 | Operand 2 | Operand 3 | Implicit Register Operands
NP | NA | NA | NA | See Section 41.3