Vol. 3D 41-87
SGX INSTRUCTION REFERENCES
(* Verify RESERVED spaces in KEYREQUEST are valid *)
IF ( (DS:RBX).RESERVED ≠ 0) or (DS:RBX.KEYPOLICY.RESERVED ≠ 0) )
THEN #GP(0); FI;
TMP_CURRENTSECS CR_ACTIVE_SECS;
(* Determine which enclave attributes that must be included in the key. Attributes that must always be include INIT & DEBUG *)
REQUIRED_SEALING_MASK[127:0] 00000000 00000000 00000000 00000003H;
TMP_ATTRIBUTES (DS:RBX.ATTRIBUTEMASK | REQUIRED_SEALING_MASK) & TMP_CURRENTSECS.ATTRIBUTES;
(* Compute MISCSELECT fields to be included *)
TMP_MISCSELECT DS:RBX.MISCMASK & TMP_CURRENTSECS.MISCSELECT
CASE (DS:RBX.KEYNAME)
SEAL_KEY:
IF (DS:RBX.CPUSVN is beyond current CPU configuration)
THEN
RFLAGS.ZF 1;
RAX SGX_INVALID_CPUSVN;
GOTO EXIT;
FI;
IF (DS:RBX.ISVSVN > TMP_CURRENTSECS.ISVSVN)
THEN
RFLAGS.ZF 1;
RAX SGX_INVALID_ISVSVN;
GOTO EXIT;
FI;
// Include enclave identity?
TMP_MRENCLAVE 0;
IF (DS:RBX.KEYPOLICY.MRENCLAVE = 1)
THEN TMP_MRENCLAVE TMP_CURRENTSECS.MRENCLAVE;
FI;
// Include enclave author?
TMP_MRSIGNER 0;
IF (DS:RBX.KEYPOLICY.MRSIGNER = 1)
THEN TMP_MRSIGNER TMP_CURRENTSECS.MRSIGNER;
FI;
//Determine values key is based on
TMP_KEYDEPENDENCIES.KEYNAME SEAL_KEY;
TMP_KEYDEPENDENCIES.ISVPRODID TMP_CURRENTSECS.ISVPRODID;
TMP_KEYDEPENDENCIES.ISVSVN DS:RBX.ISVSVN;
TMP_KEYDEPENDENCIES.OWNEREPOCH CSR_SEOWNEREPOCH;
TMP_KEYDEPENDENCIES.ATTRIBUTES TMP_ATTRIBUTES;
TMP_KEYDEPENDENCIES.ATTRIBUTESMASK DS:RBX.ATTRIBUTEMASK;
TMP_KEYDEPENDENCIES.MRENCLAVE TMP_MRENCLAVE;
TMP_KEYDEPENDENCIES.MRSIGNER TMP_MRSIGNER;
TMP_KEYDEPENDENCIES.KEYID DS:RBX.KEYID;
TMP_KEYDEPENDENCIES.SEAL_KEY_FUSES CR_SEAL_FUSES;
TMP_KEYDEPENDENCIES.CPUSVN DS:RBX.CPUSVN;
TMP_KEYDEPENDENCIES.PADDING TMP_CURRENTSECS.PADDING;
TMP_KEYDEPENDENCIES.MISCSELECT TMP_MISCSELECT;
TMP_KEYDEPENDENCIES.MISCMASK ~DS:RBX.MISCMASK;
BREAK;
REPORT_KEY: