41-84 Vol. 3D
SGX INSTRUCTION REFERENCES
EGETKEY—Retrieves a Cryptographic Key
Description
The ENCLU[EGETKEY] instruction returns a 128-bit secret key from the processor-specific key hierarchy. The register RBX contains the effective address of a KEYREQUEST structure, which the instruction interprets to determine the key being requested. The Requesting Keys section below describes the keys that can be requested. The RCX register contains the effective address where the key will be returned. Both the addresses in RBX and RCX must be locations inside the enclave.
EGETKEY derives keys from a processor-unique value, producing a specific key from a number of possible inputs.
This instruction leaf can only be executed inside an enclave.
EGETKEY Memory Parameter Semantics
After validating the operands, the instruction determines which key is to be produced and performs the following actions:
• The instruction assembles the derivation data for the key based on Table 41-56.
• Computes the derived key using the derivation data and a package-specific value.
• Outputs the calculated key to the address in RCX.
The instruction fails with #GP(0) if the operands are not properly aligned. Successful completion of the instruction clears RFLAGS.{ZF, CF, AF, OF, SF, PF}. The instruction returns an error code if the caller requests a key based on an invalid CPUSVN or ISVSVN (when the request is accepted, see the table below), requests a key for which the enclave has not been granted the attribute to request it, or requests a key that is not supported by the hardware. These checks may be performed in any order, so an indication by error number of one cause (for example, an invalid attribute) does not imply that there are not also other errors. Different processors may therefore give different error numbers for the same enclave, and the correctness of software should not rely on the order of the checks documented in this section. In the error cases, the ZF flag is set, RAX holds the corresponding error code (SGX_INVALID_SVN, SGX_INVALID_ATTRIBUTE or SGX_INVALID_KEYNAME), and the data at the address specified by RCX is unmodified.
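The calling convention described above, as an added example that is not part of the Intel SDM text: it lays out a KEYREQUEST, pre-checks the alignment that EGETKEY itself enforces with #GP(0), and wraps the ENCLU leaf (EAX = 4, RBX = request, RCX = output) so the caller gets RAX and ZF back. The structure layout and the KEYNAME values follow the SDM's KEYREQUEST definition (Section 38.17.1, which this page only references); the helper names, the sample CPUSVN/KEYID values and the hypothetical SEAL_KEY policy choice are this example's own. Only the wrapper needs an enclave; the layout and alignment helpers run anywhere.

```c
// Added example (not the SDM's code): preparing a KEYREQUEST and invoking
// ENCLU[EGETKEY] as the Description specifies.  Field layout and KEYNAME
// values are taken from the SDM's KEYREQUEST definition (Section 38.17.1);
// helper names and sample values are assumptions of this example.
#include <stdalign.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// KEYREQUEST is 512 bytes and must be 512-byte aligned; OUTPUTDATA is the
// 128-bit key and must be 16-byte aligned.  Misalignment raises #GP(0).
typedef struct {
    uint16_t keyname;            // which key is requested (see the enum below)
    uint16_t keypolicy;          // bit 0 = MRENCLAVE, bit 1 = MRSIGNER
    uint16_t isvsvn;             // ISV security version used for derivation
    uint16_t reserved1;
    uint8_t  cpusvn[16];         // CPUSVN used for derivation
    uint8_t  attributemask[16];  // mask applied to the enclave ATTRIBUTES
    uint8_t  keyid[32];          // caller-chosen key identifier (salt)
    uint32_t miscmask;           // mask applied to MISCSELECT
    uint8_t  reserved2[436];
} keyrequest_t;
_Static_assert(sizeof(keyrequest_t) == 512, "KEYREQUEST must be 512 bytes");

enum { KEYNAME_EINITTOKEN = 0, KEYNAME_PROVISION = 1, KEYNAME_PROVISION_SEAL = 2,
       KEYNAME_REPORT = 3, KEYNAME_SEAL = 4 };
enum { KEYPOLICY_MRENCLAVE = 1, KEYPOLICY_MRSIGNER = 2 };
enum { ENCLU_EGETKEY = 4 };      // EAX leaf number from the opcode table

/* The operand-alignment check EGETKEY performs before anything else. */
bool egetkey_operands_aligned(const void *req, const void *out) {
    return ((uintptr_t)req % 512) == 0 && ((uintptr_t)out % 16) == 0;
}

/* Fill a SEAL_KEY request bound to MRSIGNER at the given ISVSVN and CPUSVN. */
void build_seal_keyrequest(keyrequest_t *req, uint16_t isvsvn,
                           const uint8_t cpusvn[16], const uint8_t keyid[32]) {
    memset(req, 0, sizeof *req);             // reserved fields zeroed
    req->keyname   = KEYNAME_SEAL;
    req->keypolicy = KEYPOLICY_MRSIGNER;
    req->isvsvn    = isvsvn;
    memcpy(req->cpusvn, cpusvn, 16);
    memcpy(req->keyid, keyid, 32);
    memset(req->attributemask, 0xFF, sizeof req->attributemask); // bind all attributes
    req->miscmask = 0xFFFFFFFFu;                                  // bind all MISCSELECT bits
}

/* Constructed sample request in correctly aligned static storage. */
const keyrequest_t *sample_request(void) {
    static alignas(512) keyrequest_t req;
    uint8_t cpusvn[16] = {0}, keyid[32] = {0};
    keyid[0] = 0x42;                         // constructed sample salt
    build_seal_keyrequest(&req, 1, cpusvn, keyid);
    return &req;
}

/*
 * ENCLU[EGETKEY]: EAX = 4, RBX = &KEYREQUEST, RCX = &OUTPUTDATA.  Returns the
 * RAX error code (0 on success) and reports ZF, which is set on failure while
 * the output buffer is left untouched.  Valid only when executed inside an
 * enclave; elsewhere the leaf faults, so this example never calls it.
 */
uint64_t egetkey(const keyrequest_t *req, uint8_t out[16], bool *zf) {
    uint64_t rax = (uint64_t)ENCLU_EGETKEY;
    uint8_t  flag = 1;
#if defined(__x86_64__)
    __asm__ volatile("enclu\n\t"
                     "setz %1"
                     : "+a"(rax), "=q"(flag)
                     : "b"(req), "c"(out)
                     : "memory", "cc");
#else
    (void)req; (void)out; rax = (uint64_t)-1;   // no SGX on this target
#endif
    *zf = flag != 0;
    return rax;
}

int main(void) {
    static alignas(16) uint8_t key[16];
    const keyrequest_t *req = sample_request();
    if (!egetkey_operands_aligned(req, key)) { puts("would #GP(0)"); return 1; }
    puts("KEYREQUEST ready; call egetkey(req, key, &zf) from enclave code.");
    return 0;
}
```

Because the SDM says the validity checks may run in any order, enclave code should treat any ZF=1 return as "no key" and not infer from one error code that the other conditions hold; the output buffer is only meaningful when ZF is clear.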
Requesting Keys
The KEYREQUEST structure (see Section 38.17.1) identifies the key to be provided. The Keyrequest.KeyName field
identifies which type of key is requested.
Deriving Keys
Key derivation is based on a combination of the enclave-specific values (see Table 41-56) and a processor key. Depending on the key being requested, a field may either be included by definition or its value may be taken from the KeyRequest. A "yes" in Table 41-56 indicates that the value for the field is included from its default location, identified in the source row, and a "request" indicates that the value for the field is included from its corresponding KeyRequest field.
Opcode/Instruction          Op/En   64/32 bit Mode Support   CPUID Feature Flag   Description
EAX = 04H                   IR      V/V                      SGX1                 This leaf function retrieves a cryptographic key.
ENCLU[EGETKEY]

Instruction Operand Encoding
Op/En   EAX             RBX                             RCX
IR      EGETKEY (In)    Address to a KEYREQUEST (In)    Address of the OUTPUTDATA (In)

EGETKEY Memory Parameter Semantics
KEYREQUEST              OUTPUTDATA
Enclave read access     Enclave write access