
Vol. 3D 41-73

SGX INSTRUCTION REFERENCES

EENTER—Enters an Enclave

| Opcode/Instruction | Op/En | 64/32 bit Mode Support | CPUID Feature Flag | Description |
|---|---|---|---|---|
| EAX = 02H ENCLU[EENTER] | IR | V/V | SGX1 | This leaf function is used to enter an enclave. |

Instruction Operand Encoding

| Op/En | EAX | RBX | RCX |
|---|---|---|---|
| IR | EENTER (In); Content of RBX.CSSA (Out) | Address of a TCS (In) | Address of AEP (In); Address of IP following EENTER (Out) |

Description

The ENCLU[EENTER] instruction transfers execution to an enclave. At the end of the instruction, the logical processor is executing in enclave mode at the RIP computed as EnclaveBase + TCS.OENTRY. If the target address is not within the CS segment (32-bit) or is not canonical (64-bit), a #GP(0) results.

EENTER Memory Parameter Semantics

| TCS |
|---|
| Enclave access |

EENTER is a serializing instruction. The instruction faults if any of the following occurs:

Address in RBX is not properly aligned.

Any TCS.FLAGS’s must-be-zero bit is not zero.

TCS pointed to by RBX is not valid or available or locked.

Current 32/64 mode does not match the enclave mode in SECS.ATTRIBUTES.MODE64.

The SECS is in use.

Either of the TCS-specified FS and GS segments is not a subset of the current DS segment.

Any one of DS, ES, CS, SS is not zero.

If XSAVE available, CR4.OSXSAVE = 0, but SECS.ATTRIBUTES.XFRM ≠ 3.

CR4.OSFXSR ≠ 1.

If CR4.OSXSAVE = 1, SECS.ATTRIBUTES.XFRM is not a subset of XCR0.

The following operations are performed by EENTER:

RSP and RBP are saved in the current SSA frame on EENTER and are automatically restored on EEXIT or interrupt.

The AEP contained in RCX is stored into the TCS for use by AEXs.

FS and GS (including hidden portions) are saved and new values are constructed using TCS.OFSBASE/GSBASE (32 and 64-bit mode) and TCS.OFSLIMIT/GSLIMIT (32-bit mode only). The resulting segments must be a subset of the DS segment.

If CR4.OSXSAVE == 1, XCR0 is saved and replaced by SECS.ATTRIBUTES.XFRM.

The effect of RFLAGS.TF depends on whether the enclave entry is opt-in or opt-out (see Section 43.1.2):

— On opt-out entry, TF is saved and cleared (it is restored on EEXIT or AEX). Any attempt to set TF via a POPF instruction while inside the enclave clears TF (see Section 43.2.5).

— On opt-in entry, a single-step debug exception is pended on the instruction boundary immediately after EENTER (see Section 43.2.2).

All code breakpoints that do not overlap with ELRANGE are also suppressed. If the entry is an opt-out entry, all code and data breakpoints that overlap with the ELRANGE are suppressed.

On opt-out entry, a number of performance monitoring counters and behaviors are modified or suppressed (see Section 43.2.3):
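A C model of the EENTER fault conditions listed above that software can evaluate before issuing the instruction, together with the canonical check on EnclaveBase + TCS.OENTRY from the Description; it returns the first failing check. This is an added example, not code from the manual: the struct, enum and function names are hypothetical, and 4 KiB TCS alignment and 48-bit linear addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the state EENTER inspects; field names are illustrative. */
struct eenter_state {
    uint64_t tcs_addr;      /* RBX: address of the TCS */
    uint64_t enclave_base;  /* EnclaveBase */
    uint64_t tcs_oentry;    /* TCS.OENTRY */
    uint64_t secs_xfrm;     /* SECS.ATTRIBUTES.XFRM */
    uint64_t xcr0;          /* current XCR0 */
    bool cpu_mode64, secs_mode64;  /* current mode vs SECS.ATTRIBUTES.MODE64 */
    bool xsave_available, cr4_osfxsr, cr4_osxsave;
};

enum eenter_check { EENTER_OK, BAD_TCS_ALIGN, MODE_MISMATCH, OSFXSR_CLEAR,
                    XFRM_NOT_3, XFRM_NOT_SUBSET, ENTRY_NOT_CANONICAL };

/* Assumption: 48-bit linear addresses, so bits 63:47 must all be equal. */
static bool is_canonical48(uint64_t a) {
    uint64_t top = a >> 47;
    return top == 0 || top == 0x1FFFF;
}

enum eenter_check eenter_precheck(const struct eenter_state *s) {
    if (s->tcs_addr & 0xFFF)  /* assumption: "properly aligned" means 4 KiB */
        return BAD_TCS_ALIGN;
    if (s->cpu_mode64 != s->secs_mode64)
        return MODE_MISMATCH;
    if (!s->cr4_osfxsr)
        return OSFXSR_CLEAR;
    if (s->xsave_available && !s->cr4_osxsave && s->secs_xfrm != 3)
        return XFRM_NOT_3;
    if (s->cr4_osxsave && (s->secs_xfrm & ~s->xcr0))
        return XFRM_NOT_SUBSET;
    if (s->cpu_mode64 && !is_canonical48(s->enclave_base + s->tcs_oentry))
        return ENTRY_NOT_CANONICAL;
    return EENTER_OK;
}

int main(void) {
    /* Constructed sample: SECS requests XFRM = 7, but XCR0 enables only bits 0-1. */
    struct eenter_state s = { .tcs_addr = 0x7f0000001000ULL,
        .enclave_base = 0x7f0000000000ULL, .tcs_oentry = 0x2000, .secs_xfrm = 7,
        .xcr0 = 3, .cpu_mode64 = true, .secs_mode64 = true,
        .xsave_available = true, .cr4_osfxsr = true, .cr4_osxsave = true };
    printf("precheck result: %d\n", eenter_precheck(&s));
    return 0;
}
```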