Vol. 3D 41-87

SGX INSTRUCTION REFERENCES

(* Verify RESERVED spaces in KEYREQUEST are valid *)
IF ( (DS:RBX).RESERVED ≠ 0) or (DS:RBX.KEYPOLICY.RESERVED ≠ 0) ) 

THEN #GP(0); FI;

TMP_CURRENTSECS  CR_ACTIVE_SECS;

(* Determine which enclave attributes that must be included in the key. Attributes that must always be include INIT & DEBUG *)
REQUIRED_SEALING_MASK[127:0]  00000000 00000000 00000000 00000003H;
TMP_ATTRIBUTES  (DS:RBX.ATTRIBUTEMASK | REQUIRED_SEALING_MASK) & TMP_CURRENTSECS.ATTRIBUTES;

(* Compute MISCSELECT fields to be included *)
TMP_MISCSELECT  DS:RBX.MISCMASK & TMP_CURRENTSECS.MISCSELECT

CASE (DS:RBX.KEYNAME)

SEAL_KEY:

IF (DS:RBX.CPUSVN is beyond current CPU configuration)

THEN

RFLAGS.ZF  1;
RAX  SGX_INVALID_CPUSVN;
GOTO EXIT;

FI;
IF (DS:RBX.ISVSVN > TMP_CURRENTSECS.ISVSVN)

THEN

RFLAGS.ZF  1;
RAX  SGX_INVALID_ISVSVN;
GOTO EXIT;

FI;
// Include enclave identity?
TMP_MRENCLAVE  0;
IF (DS:RBX.KEYPOLICY.MRENCLAVE = 1)

THEN TMP_MRENCLAVE  TMP_CURRENTSECS.MRENCLAVE;

FI;
// Include enclave author?
TMP_MRSIGNER  0;
IF (DS:RBX.KEYPOLICY.MRSIGNER = 1)

THEN TMP_MRSIGNER  TMP_CURRENTSECS.MRSIGNER;

FI;
//Determine values key is based on
TMP_KEYDEPENDENCIES.KEYNAME  SEAL_KEY;
TMP_KEYDEPENDENCIES.ISVPRODID  TMP_CURRENTSECS.ISVPRODID;
TMP_KEYDEPENDENCIES.ISVSVN  DS:RBX.ISVSVN;
TMP_KEYDEPENDENCIES.OWNEREPOCH  CSR_SEOWNEREPOCH;
TMP_KEYDEPENDENCIES.ATTRIBUTES  TMP_ATTRIBUTES;
TMP_KEYDEPENDENCIES.ATTRIBUTESMASK  DS:RBX.ATTRIBUTEMASK;
TMP_KEYDEPENDENCIES.MRENCLAVE  TMP_MRENCLAVE;
TMP_KEYDEPENDENCIES.MRSIGNER  TMP_MRSIGNER;
TMP_KEYDEPENDENCIES.KEYID  DS:RBX.KEYID;
TMP_KEYDEPENDENCIES.SEAL_KEY_FUSES  CR_SEAL_FUSES;
TMP_KEYDEPENDENCIES.CPUSVN  DS:RBX.CPUSVN;
TMP_KEYDEPENDENCIES.PADDING  TMP_CURRENTSECS.PADDING;
TMP_KEYDEPENDENCIES.MISCSELECT  TMP_MISCSELECT;
TMP_KEYDEPENDENCIES.MISCMASK  ~DS:RBX.MISCMASK;
BREAK;

REPORT_KEY: