41-34 Vol. 3D

SGX INSTRUCTION REFERENCES

EINIT—Initialize an Enclave for Execution 

Instruction Operand Encoding

Description

This leaf function is the final instruction executed in the enclave build process. After EINIT, the MRENCLAVE 
measurement is complete, and the enclave is ready to start user code execution using the EENTER instruction.
EINIT takes the effective address of a SIGSTRUCT and EINITTOKEN. The SIGSTRUCT describes the enclave 
including MRENCLAVE, ATTRIBUTES, ISVSVN, a 3072-bit RSA key, and a signature using the included key. 
SIGSTRUCT must be populated with two values, q1 and q2. These are calculated using the formulas shown below: 
q1 = floor(Signature^2 / Modulus);

q2 = floor((Signature^3 - q1 * Signature * Modulus) / Modulus);
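
The q1 and q2 formulas above, worked through in Python as an added example that is not part of the original manual text. The modulus and signature are constructed stand-in integers rather than a real key or signature, the helper names are hypothetical, and the division-free identity checked at the end follows arithmetically from the two formulas; the page does not say how EINIT uses q1 and q2.

```python
import hashlib

KEY_BITS = 3072  # RSA key size the page gives for SIGSTRUCT


def constructed_int(label, bits=KEY_BITS):
    """Deterministic filler value from SHAKE-256 (constructed, not real key material)."""
    return int.from_bytes(hashlib.shake_256(label.encode()).digest(bits // 8), "big")


def constructed_modulus():
    # Force the top bit (full 3072-bit width) and the low bit (odd), as an RSA modulus has.
    return constructed_int("modulus") | (1 << (KEY_BITS - 1)) | 1


def constructed_signature(modulus):
    return constructed_int("signature") % modulus


def compute_q1_q2(signature, modulus):
    """q1 and q2 exactly as the two formulas define them; // is floor division."""
    if not 0 <= signature < modulus:
        raise ValueError("signature must lie in [0, modulus)")
    q1 = signature ** 2 // modulus
    q2 = (signature ** 3 - q1 * signature * modulus) // modulus
    return q1, q2


def cube_residue(signature, modulus, q1, q2):
    """Signature^3 mod Modulus from q1/q2 with multiply and subtract only, no division."""
    return signature ** 3 - q1 * signature * modulus - q2 * modulus


def q_values_match(signature, modulus, q1, q2):
    """Pre-flight check for a signing tool: reject a SIGSTRUCT whose q1/q2 are stale."""
    return (q1, q2) == compute_q1_q2(signature, modulus)


if __name__ == "__main__":
    n = constructed_modulus()
    s = constructed_signature(n)
    q1, q2 = compute_q1_q2(s, n)
    assert cube_residue(s, n, q1, q2) == pow(s, 3, n)
    assert q1 < n and q2 < n  # both quotients fit in the same 3072 bits as the modulus
    assert not q_values_match(s, n, q1, q2 + 1)
    print("q1 bits:", q1.bit_length(), "q2 bits:", q2.bit_length())
```
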

The EINITTOKEN contains the MRENCLAVE, MRSIGNER, and ATTRIBUTES. These values must match the corresponding values in the SECS. If the EINITTOKEN was created with a debug launch key, the enclave must be in debug mode as well.

| Opcode/Instruction | Op/En | 64/32 bit Mode Support | CPUID Feature Flag | Description |
|---|---|---|---|---|
| EAX = 02H ENCLS[EINIT] | IR | V/V | SGX1 | This leaf function initializes the enclave and makes it ready to execute enclave code. |

| Op/En | EAX | RBX | RCX | RDX |
|---|---|---|---|---|
| IR | EINIT (In), Error code (Out) | Address of SIGSTRUCT (In) | Address of SECS (In) | Address of EINITTOKEN (In) |

Figure 41-1.  Relationships Between SECS, SIGSTRUCT and EINITTOKEN

[Figure not reproduced. It shows the three structures EINIT works on: SIGSTRUCT at DS:RBX (Signature, PubKey, ATTRIBUTES, ATTRIBUTEMASK, MRENCLAVE), SECS at DS:RCX in the enclave's EPC (ATTRIBUTES, MRENCLAVE, MRSIGNER), and EINITTOKEN at DS:RDX (MRSIGNER, ATTRIBUTES, MRENCLAVE). The connections between them are labelled Verify, Hashed, Check, Copy, and "If VALID=1, Check".]