
Vol. 3D 41-85

SGX INSTRUCTION REFERENCES

Keys whose derivation lets the caller specify a CPU SVN or an ISV SVN have additional requirements: the caller may not request a key for an SVN beyond the current CPU SVN or the enclave's current ISV SVN, respectively.

Several keys are access controlled. Access to the Provisioning Key and the Provisioning Seal Key requires that the enclave's ATTRIBUTES.PROVISIONKEY bit be set. The EINITTOKEN Key requires that ATTRIBUTES.EINITTOKENKEY be set and that SECS.MRSIGNER equal IA32_SGXLEPUBKEYHASH.
Some keys are derived based on a hardcoded PKCS padding constant (a 352-byte string):

HARDCODED_PKCS1_5_PADDING[15:0] ← 0100H;
HARDCODED_PKCS1_5_PADDING[2655:16] ← SignExtend330Byte(-1); // 330 bytes of 0FFH
HARDCODED_PKCS1_5_PADDING[2815:2656] ← 2004000501020403650148866009060D30313000H;
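As an added example (not code from the SDM), the following Python builds the 352-byte constant from the three assignments above, reading each FIELD[hi:lo] ← VALUE as a little-endian integer stored in that bit range, and checks that the result is the EMSA-PKCS1-v1_5 encoding for SHA-256 with a 384-byte modulus, minus the trailing 32-byte hash. The SHA-256 DigestInfo bytes and the 384-byte modulus size are taken from PKCS#1 (RFC 8017), not from this page.

```python
# Added example: reconstruct EGETKEY's HARDCODED_PKCS1_5_PADDING from the SDM
# pseudocode and show what the opaque constant actually is.
import hashlib

PAD_BITS = 2816           # 352 bytes, i.e. bits [2815:0]


def hardcoded_pkcs1_5_padding() -> bytes:
    """Return the 352-byte constant built exactly as the three SDM assignments specify.

    Assumption: FIELD[hi:lo] <- VALUE stores VALUE as a little-endian integer in that range.
    """
    pad = bytearray(PAD_BITS // 8)
    # HARDCODED_PKCS1_5_PADDING[15:0] <- 0100H
    pad[0:2] = (0x0100).to_bytes(2, "little")
    # HARDCODED_PKCS1_5_PADDING[2655:16] <- SignExtend330Byte(-1)   (330 bytes of 0FFH)
    pad[2:332] = (-1).to_bytes(330, "little", signed=True)
    # HARDCODED_PKCS1_5_PADDING[2815:2656] <- 2004000501020403650148866009060D30313000H
    pad[332:352] = (0x2004000501020403650148866009060D30313000).to_bytes(20, "little")
    return bytes(pad)


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1); the 32-byte digest follows it.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
RSA3072_BYTES = 384       # assumption: a 3072-bit modulus, so 352 + 32 = 384 bytes


def emsa_pkcs1_v1_5_encode(message: bytes, k: int = RSA3072_BYTES) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus: 00 01 FF..FF 00 T."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def padding_matches_pkcs1_prefix() -> bool:
    """The SGX constant equals EM[:352] for any message: the encoding with its 32-byte hash removed."""
    pad = hardcoded_pkcs1_5_padding()
    em = emsa_pkcs1_v1_5_encode(b"constructed sample message")   # constructed input
    return len(pad) == 352 and len(em) == RSA3072_BYTES and em[:352] == pad


if __name__ == "__main__":
    print(padding_matches_pkcs1_prefix())
```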

Table 41-56. Key Derivation

| Key Name | | Attributes | Owner Epoch | CPU SVN | ISV SVN | ISV PRODID | MRENCLAVE | MRSIGNER | RAND |
|---|---|---|---|---|---|---|---|---|---|
| Source | Key Dependent Constant | Y → SECS.ATTRIBUTES and SECS.MISCSELECT; R → AttribMask & SECS.ATTRIBUTES and SECS.MISCSELECT; | CSR_SEOWNEREPOCH | Y → CPUSVN Register; R → Req.CPUSVN; | R → Req.ISVSVN; | SECS.ISVID | SECS.MRENCLAVE | SECS.MRSIGNER | Req.KEYID |
| EINITTOKEN | Yes | Request | Yes | Request | Request | Yes | No | Yes | Request |
| Report | Yes | Yes | Yes | Yes | No | No | Yes | No | Request |
| Seal | Yes | Request | Yes | Request | Request | Yes | Request | Request | Request |
| Provisioning | Yes | Request | No | Request | Request | Yes | No | Yes | Yes |
| Provisioning Seal | Yes | Request | No | Request | Request | Yes | No | Yes | Yes |

The error codes are:

Table 41-57. EGETKEY Return Value in RAX

| Error Code (see Table 41-3) | Value | Description |
|---|---|---|
| No Error | 0 | EGETKEY successful |
| SGX_INVALID_ATTRIBUTE | | The KEYREQUEST contains a KEYNAME for which the enclave is not authorized |
| SGX_INVALID_CPUSVN | | If KEYREQUEST.CPUSVN is an unsupported platform CPUSVN value |
| SGX_INVALID_ISVSVN | | If KEYREQUEST.ISVSVN is greater than the enclave's ISV_SVN |
| SGX_INVALID_KEYNAME | | If KEYREQUEST.KEYNAME is an unsupported value |

Concurrency Restrictions

Table 41-58. Concurrency Restrictions of EGETKEY with Other Intel® SGX Operations 1 of 2

Operation columns (each with its parameter sub-columns): EEXIT (TCS, SSA, SECS) | EADD (Targ, SECS) | EBLOCK (Targ, SECS) | ECREATE (SECS) | EDBGRD/WR (Targ, SECS) | EENTER/ERESUME (TCS, SSA, SECS) | EEXTEND (Targ, SECS) | EGETKEY (Param, SECS) | EINIT (SECS) | ELDB/ELDU (Targ, VA, SECS) | EPA (VA)

EGETKEY rows (cell entries in table order; empty cells and column alignment are not preserved here):

EGETKEY Param: U Y U U
EGETKEY SECS: Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y