Vol. 3D 41-85
SGX INSTRUCTION REFERENCES
Keys that permit the caller to specify CPU or ISV SVNs have additional requirements: the caller may not request a key for an SVN beyond the current CPU SVN or ISV SVN, respectively.
Several keys are access controlled. Access to the Provisioning Key and the Provisioning Seal Key requires the enclave's ATTRIBUTES.PROVISIONKEY to be set. The EINITTOKEN Key requires ATTRIBUTES.EINITTOKENKEY to be set and SECS.MRSIGNER to equal IA32_SGXLEPUBKEYHASH.
Some keys are derived based on a hardcoded PKCS padding constant (352 byte string):

HARDCODED_PKCS1_5_PADDING[15:0]      := 0100H;
HARDCODED_PKCS1_5_PADDING[2655:16]   := SignExtend330Byte(-1);   // 330 bytes of 0FFH
HARDCODED_PKCS1_5_PADDING[2815:2656] := 2004000501020403650148866009060D30313000H;
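As an added illustration (not SDM text or code), the following Python assembles the constant from the three bit-range assignments above using Intel's bit numbering (bit 0 is the low bit of byte 0, so each field is stored little-endian) and checks that the 352 bytes are exactly the PKCS#1 v1.5 signature encoding for a SHA-256 digest under a 3072-bit RSA modulus with the 32-byte digest left off. The SHA-256 DigestInfo header and the 384-byte modulus size are standard values assumed here, not taken from the page.

```python
# Added example: assemble HARDCODED_PKCS1_5_PADDING from the three bit-range
# assignments in the SDM text and identify what the 352 bytes are.
# Intel bit numbering: bit 0 is the low bit of byte 0, so every field is
# stored little-endian starting at byte (lo // 8).

PAD_BITS = 2816                         # [2815:0] -> 352 bytes
RSA3072_BYTES = 384                     # assumed: SIGSTRUCT modulus/signature size
SHA256_LEN = 32
# DigestInfo header for SHA-256 (RFC 8017, PKCS#1 v1.5); standard value, not from the SDM page
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def set_field(buf: bytearray, hi: int, lo: int, value: int) -> None:
    """Store value into bits [hi:lo] of buf (byte-aligned fields only)."""
    width = hi - lo + 1
    if lo % 8 or width % 8:
        raise ValueError("field is not byte aligned")
    if value >> width:
        raise ValueError("value does not fit in the field")
    buf[lo // 8 : (hi + 1) // 8] = value.to_bytes(width // 8, "little")


def hardcoded_pkcs1_5_padding() -> bytes:
    """The constant exactly as the three assignments above define it."""
    pad = bytearray(PAD_BITS // 8)
    set_field(pad, 15, 0, 0x0100)                          # [15:0] := 0100H
    set_field(pad, 2655, 16, (1 << (330 * 8)) - 1)         # 330 bytes of 0FFH
    set_field(pad, 2815, 2656,
              0x2004000501020403650148866009060D30313000)  # [2815:2656]
    return bytes(pad)


def emsa_pkcs1_v1_5_prefix(em_len: int, hash_len: int) -> bytes:
    """PKCS#1 v1.5 signature encoding with the digest left off:
    00 01 || PS (0xFF bytes) || 00 || DigestInfo header."""
    ps_len = em_len - hash_len - len(SHA256_DIGESTINFO) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + SHA256_DIGESTINFO


def is_rsa3072_sha256_prefix(pad: bytes) -> bool:
    """True if pad is the RSA-3072/SHA-256 PKCS#1 v1.5 prefix, i.e. the only
    thing missing to form a full 384-byte encoded message is the digest."""
    return pad == emsa_pkcs1_v1_5_prefix(RSA3072_BYTES, SHA256_LEN)


if __name__ == "__main__":
    pad = hardcoded_pkcs1_5_padding()
    print(len(pad), pad[:2].hex(), pad[-20:].hex(), is_rsa3072_sha256_prefix(pad))
```

Read byte by byte, the constant is 00 01, 330 bytes of FF, 00, then the 19-byte SHA-256 DigestInfo header, which is why only the digest is needed to complete the encoded message.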
Table 41-56. Key Derivation

Key Name           Attributes      Owner Epoch  CPU SVN  ISV SVN  ISV PRODID  MRENCLAVE  MRSIGNER  RAND
EINITTOKEN         Yes / Request   Yes          Request  Request  Yes         No         Yes       Request
Report             Yes / Yes       Yes          Yes      No       No          Yes        No        Request
Seal               Yes / Request   Yes          Request  Request  Yes         Request    Request   Request
Provisioning       Yes / Request   No           Request  Request  Yes         No         Yes       Yes
Provisioning Seal  Yes / Request   No           Request  Request  Yes         No         Yes       Yes

Source row of the table (where each dependency comes from; the Y prefix marks the source used when a cell reads Yes, the R prefix the source used when it reads Request):
  Key Name:     Key Dependent Constant
  Attributes:   Y  SECS.ATTRIBUTES and SECS.MISCSELECT;
                R  AttribMask & SECS.ATTRIBUTES and SECS.MISCSELECT;
  Owner Epoch:  CSR_SEOWNEREPOCH
  CPU SVN:      Y  CPUSVN Register;  R  Req.CPUSVN;
  ISV SVN:      R  Req.ISVSVN;
  ISV PRODID:   SECS.ISVID
  MRENCLAVE:    SECS.MRENCLAVE
  MRSIGNER:     SECS.MRSIGNER
  RAND:         Req.KEYID

The error codes are:
Table 41-57. EGETKEY Return Value in RAX

Error Code (see Table 41-3)  Value  Description
No Error                     0      EGETKEY successful
SGX_INVALID_ATTRIBUTE               The KEYREQUEST contains a KEYNAME for which the enclave is not authorized
SGX_INVALID_CPUSVN                  If KEYREQUEST.CPUSVN is an unsupported platform's CPUSVN value
SGX_INVALID_ISVSVN                  If KEYREQUEST.ISVSVN is greater than the enclave's ISV_SVN
SGX_INVALID_KEYNAME                 If KEYREQUEST.KEYNAME is an unsupported value
Concurrency Restrictions

Table 41-58. Concurrency Restrictions of EGETKEY with Other Intel® SGX Operations (1 of 2)

Columns (each operation with its parameter sub-columns):
  EEXIT:           TCS, SSA, SECS
  EADD:            Targ, SECS
  EBLOCK:          Targ, SECS
  ECREATE:         SECS
  EDBGRD/WR:       Targ, SECS
  EENTER/ERESUME:  TCS, SSA, SECS
  EEXTEND:         Targ, SECS
  EGETKEY:         Param, SECS
  EINIT:           SECS
  ELDB/ELDU:       Targ, VA, SECS
  EPA:             VA

Row EGETKEY (one sub-row per EGETKEY parameter):
  Param:  U  Y  U  U
  SECS:   Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y  Y