
Vol. 3D 42-1


CHAPTER 42

INTEL® SGX INTERACTIONS WITH IA32 AND INTEL® 64 ARCHITECTURE

Intel® SGX provides Intel® Architecture with a collection of enclave instructions for creating protected execution environments on processors supporting IA32 and Intel® 64 architectures. These Intel SGX instructions are designed to work with legacy software and the various IA32 and Intel 64 modes of operation.

42.1 INTEL® SGX AVAILABILITY IN VARIOUS PROCESSOR MODES

The Intel SGX extensions (see Table 37-1) are available only when the processor is executing in protected mode of 
operation. Additionally, the extensions are not available in System Management Mode (SMM) of operation or in 
Virtual 8086 (VM86) mode of operation. Finally, all leaf functions of ENCLU and ENCLS require CR0.PG enabled.
The exact details of exceptions resulting from illegal modes and their priority are listed in the reference pages of 
ENCLS and ENCLU.

42.2 IA32_FEATURE_CONTROL

The IA32_FEATURE_CONTROL MSR provides two new bits related to two aspects of Intel SGX: use of the instruction extensions and launch control configuration.

42.2.1 Availability of Intel SGX

IA32_FEATURE_CONTROL[bit 18] allows BIOS to control the availability of Intel SGX extensions. For Intel SGX extensions to be available on a logical processor, bit 18 in the IA32_FEATURE_CONTROL MSR on that logical processor must be set, and the IA32_FEATURE_CONTROL MSR on that logical processor must be locked (bit 0 must be set). See Section 37.7.1 for additional details. The OS is expected to examine the value of bit 18 prior to enabling Intel SGX on the thread, as the setting of bit 18 is not reflected by CPUID.

42.2.2 Intel SGX Launch Control Configuration

The IA32_SGXLEPUBKEYHASHn MSRs, used to configure the authorized launch enclave's MRSIGNER digest value, are present on logical processors that support the collection of SGX1 leaf functions (i.e., CPUID.(EAX=12H, ECX=00H):EAX[0] = 1). IA32_FEATURE_CONTROL[bit 17] allows BIOS to enable write access to these MSRs. If IA32_FEATURE_CONTROL.LE_WR (bit 17) is set to 1 and IA32_FEATURE_CONTROL is locked on that logical processor, then the IA32_SGXLEPUBKEYHASHn MSRs on that logical processor are writeable. If bit 17 is not set or IA32_FEATURE_CONTROL is not locked, the IA32_SGXLEPUBKEYHASHn MSRs are read only. See Section 39.1.4 for additional details.
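The two rules in Sections 42.2.1 and 42.2.2 are easy to get subtly wrong in system software (for example, trusting CPUID alone for availability, or treating bit 17 as meaningful while the MSR is still unlocked). The following C decoder is an added example, not code from the Intel manual: it takes a raw IA32_FEATURE_CONTROL value and the EAX output of CPUID leaf 12H, sub-leaf 0, and returns the availability of Intel SGX and the writability of IA32_SGXLEPUBKEYHASHn exactly as the text specifies. The sample MSR and CPUID values in `main` are constructed for illustration; reading the real MSR requires ring 0 and is outside this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_FEATURE_CONTROL bit positions named in Section 42.2. */
#define FC_LOCK        (1ULL << 0)   /* bit 0: MSR is locked */
#define FC_SGX_LE_WR   (1ULL << 17)  /* bit 17: IA32_SGXLEPUBKEYHASHn writable */
#define FC_SGX_ENABLE  (1ULL << 18)  /* bit 18: Intel SGX extensions available */

/* CPUID.(EAX=12H, ECX=00H):EAX[0]: SGX1 leaf functions supported. */
#define CPUID12_EAX_SGX1 (1u << 0)

enum sgx_avail {
    SGX_OFF_UNLOCKED,     /* MSR not locked: SGX unavailable whatever bit 18 says */
    SGX_OFF_NOT_ENABLED,  /* MSR locked with bit 18 clear: BIOS left SGX off */
    SGX_ON                /* MSR locked and bit 18 set */
};

/* Section 42.2.1: SGX is available only if bit 18 is set AND the MSR is locked.
 * Bit 18 is not reflected by CPUID, so the OS must read the MSR itself. */
enum sgx_avail sgx_availability(uint64_t feature_control)
{
    if (!(feature_control & FC_LOCK))
        return SGX_OFF_UNLOCKED;
    if (!(feature_control & FC_SGX_ENABLE))
        return SGX_OFF_NOT_ENABLED;
    return SGX_ON;
}

/* Section 42.2.2: IA32_SGXLEPUBKEYHASHn are writable only when the MSRs exist
 * (SGX1 reported by CPUID leaf 12H), bit 17 is set, and the MSR is locked.
 * Any other combination leaves them read only (or absent). */
bool lepubkeyhash_writable(uint64_t feature_control, uint32_t cpuid12_eax)
{
    if (!(cpuid12_eax & CPUID12_EAX_SGX1))
        return false;  /* MSRs are not present on this logical processor */
    return (feature_control & FC_LOCK) && (feature_control & FC_SGX_LE_WR);
}

static const char *avail_name(enum sgx_avail a)
{
    switch (a) {
    case SGX_OFF_UNLOCKED:    return "unavailable (IA32_FEATURE_CONTROL not locked)";
    case SGX_OFF_NOT_ENABLED: return "unavailable (bit 18 clear)";
    default:                  return "available";
    }
}

int main(void)
{
    /* Constructed sample register values, not read from real hardware. */
    struct { uint64_t fc; uint32_t eax; } samples[] = {
        { 0x0ULL,                                   CPUID12_EAX_SGX1 },
        { FC_SGX_ENABLE,                            CPUID12_EAX_SGX1 }, /* bit 18 but unlocked */
        { FC_LOCK,                                  CPUID12_EAX_SGX1 },
        { FC_LOCK | FC_SGX_ENABLE,                  CPUID12_EAX_SGX1 }, /* LE hash read only */
        { FC_LOCK | FC_SGX_ENABLE | FC_SGX_LE_WR,   CPUID12_EAX_SGX1 }, /* LE hash writable */
        { FC_LOCK | FC_SGX_ENABLE | FC_SGX_LE_WR,   0u },               /* no SGX1: no MSRs */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("FC=0x%llx CPUID12.EAX=0x%x: SGX %s, LEPUBKEYHASH %s\n",
               (unsigned long long)samples[i].fc, samples[i].eax,
               avail_name(sgx_availability(samples[i].fc)),
               lepubkeyhash_writable(samples[i].fc, samples[i].eax) ? "writable" : "read only");
    }
    return 0;
}
```

The order of the checks in `sgx_availability` matters for diagnostics: an unlocked MSR is reported as such even when bit 18 happens to be set, because the text makes the lock a precondition rather than an independent flag.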

42.3 INTERACTIONS WITH SEGMENTATION

42.3.1 Scope of Interaction

Intel SGX extensions are available only when the processor is executing in protected mode of operation (see Section 42.1 for Intel SGX availability in various processor modes). Enclaves abide by all the segmentation policies set up by the OS, but they can be more restrictive than the OS.
Intel SGX interacts with segmentation at two levels: 

The Intel SGX instruction (see the enclave instruction in Table 37-1).