background image

Vol. 3D 42-11

INTEL® SGX INTERACTIONS WITH IA32 AND INTEL® 64 ARCHITECTURE

42.11.3  Interactions with Authenticated Code Modules (ACMs)

Intel SGX only allows launching ACMs with an Intel SGX SVN that is at the same level or higher than the expected 
Intel SGX SVN. The expected Intel SGX SVN is specified by BIOS and locked down by the processor on the first 
successful execution of an Intel SGX instruction that doesn’t return an error code. Intel SGX provides interfaces for 
system software to discover whether a non faulting Intel SGX instruction has been executed, and evaluate the suit-
ability of the Intel SGX SVN value of any ACM that is expected to be launched by the OS or the VMM. 
These interfaces are provided through a read-only MSR called the IA32_SGX_SVN_STATUS MSR (MSR address 
500h). The IA32_SGX_SVN_STATUS MSR has the format shown in Table 42-2.

OS/VMM that wishes to launch an architectural ACM such as SINIT is expected to read the IA32_SGX_SVN_STATUS 
MSR to determine whether the ACM can be launched or a new ACM is needed:

If either the Intel SGX SVN of the ACM is greater than the value reported by IA32_SGX_SVN_STATUS, or the 
lock bit in the IA32_SGX_SVN_STATUS is not set, then the OS/VMM can safely launch the ACM.

If the Intel SGX SVN value reported in the corresponding component of the IA32_SGX_SVN_STATUS is greater 
than the Intel SGX SVN value in the ACM's header, and if bit 0 of IA32_SGX_SVN_STATUS is 1, then the 
OS/VMM should not launch that version of the ACM. It should obtain an updated version of the ACM either from 
the BIOS or from an external resource. 

However, OSVs/VMMs are strongly advised to update their version of the ACM any time they detect that the Intel 
SGX SVN of the ACM carried by the OS/VMM is lower than that reported by IA32_SGX_SVN_STATUS MSR, irrespec-
tive of the setting of the lock bit.

42.12 INTERACTIONS 

WITH 

CACHING 

OF LINEAR-ADDRESS TRANSLATIONS 

Entering and exiting an enclave causes the logical processor to flush all the global linear-address context as well as 
the linear-address context associated with the current VPID and PCID. The MONITOR FSM is also cleared.

42.13  INTERACTIONS WITH INTEL® TRANSACTIONAL SYNCHRONIZATION 

EXTENSIONS (INTEL® TSX)

1. ENCLU or ENCLS instructions inside an HLE region will cause the flow to be aborted and restarted non-specula-
tively. ENCLU or ENCLS instructions inside an RTM region will cause the flow to be aborted and transfer control to 
the fallback handler.
2. If XBEGIN is executed inside an enclave, the processor does NOT check whether the address of the fallback 
handler is within the enclave.
3. If an RTM transaction is executing inside an enclave and there is an attempt to fetch an instruction outside the 
enclave, the transaction is aborted and control is transferred to the fallback handler. No #GP is delivered.

Table 42-2.  Layout of the IA32_SGX_SVN_STATUS MSR

Bit Position

Name

ACM Module ID

Value

0

Lock

N.A.

• If 1, indicates that a non-faulting Intel SGX instruction has been 

executed, consequently, launching a properly signed ACM but with Intel 

SGX SVN value less than the BIOS specified Intel SGX SVN threshold 

would lead to an TXT shutdown. 

• If 0, indicates that the processor will allow a properly signed ACM to 

launch irrespective of the Intel SGX SVN value of the ACM.

15:1

RSVD N.A.

0

23:16

SGX_SVN_SINIT SINIT ACM

• If CPUID.01H:ECX.SMX =1, this field reflects the expected threshold of 

Intel SGX SVN for the SINIT ACM. 

• If CPUID.01H:ECX.SMX =0, this field is reserved (0).

63:24

RSVD N.A.

0