Vol. 3D 41-73
SGX INSTRUCTION REFERENCES
EENTER—Enters an Enclave
Instruction Operand Encoding
Description
The ENCLU[EENTER] instruction transfers execution to an enclave. At the end of the instruction, the logical
processor is executing in enclave mode at the RIP computed as EnclaveBase + TCS.OENTRY. If the target address
is not within the CS segment (32-bit) or is not canonical (64-bit), a #GP(0) results.
EENTER Memory Parameter Semantics
EENTER is a serializing instruction. The instruction faults if any of the following occurs:
The following operations are performed by EENTER:
•
RSP and RBP are saved in the current SSA frame on EENTER and are automatically restored on EEXIT or
interrupt.
•
The AEP contained in RCX is stored into the TCS for use by AEXs.FS and GS (including hidden portions) are
saved and new values are constructed using TCS.OFSBASE/GSBASE (32 and 64-bit mode) and
TCS.OFSLIMIT/GSLIMIT (32-bit mode only). The resulting segments must be a subset of the DS segment.
•
If CR4.OSXSAVE == 1, XCR0 is saved and replaced by SECS.ATTRIBUTES.XFRM. The effect of RFLAGS.TF
depends on whether the enclave entry is opt-in or opt-out (see Section 43.1.2):
— On opt-out entry, TF is saved and cleared (it is restored on EEXIT or AEX). Any attempt to set TF via a POPF
instruction while inside the enclave clears TF (see Section 43.2.5).
— On opt-in entry, a single-step debug exception is pended on the instruction boundary immediately after
EENTER (see Section 43.2.2).
•
All code breakpoints that do not overlap with ELRANGE are also suppressed. If the entry is an opt-out entry, all
code and data breakpoints that overlap with the ELRANGE are suppressed.
•
On opt-out entry, a number of performance monitoring counters and behaviors are modified or suppressed
(see Section 43.2.3):
Opcode/
Instruction
Op/En
64/32
bit Mode
Support
CPUID
Feature
Flag
Description
EAX = 02H
IR
V/V
SGX1
This leaf function is used to enter an enclave.
ENCLU[EENTER]
Op/En
EAX
RBX
RCX
IR
EENTER (In)
Content of RBX.CSSA
(Out)
Address of a TCS (In)
Address of AEP (In)
Address of IP following
EENTER (Out)
TCS
Enclave access
Address in RBX is not properly aligned.
Any TCS.FLAGS’s must-be-zero bit is not zero.
TCS pointed to by RBX is not valid or available or
locked.
Current 32/64 mode does not match the enclave mode in
SECS.ATTRIBUTES.MODE64.
The SECS is in use.
Either of TCS-specified FS and GS segment is not a subsets of the current DS
segment.
Any one of DS, ES, CS, SS is not zero.
If XSAVE available, CR4.OSXSAVE = 0, but SECS.ATTRIBUTES.XFRM ≠ 3.
CR4.OSFXSR ≠ 1.
If CR4.OSXSAVE = 1, SECS.ATTRIBUTES.XFRM is not a subset of XCR0.