drginfo/ia32-64
1
0
Fork 0
forked from NRZCode/ia32-64
Code Pull requests Activity
ia32-64/x86/enclu.html
NRZ Code 92622c37d6 Initial commit
2025-07-08 02:23:29 -03:00

167 lines
7.4 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svg="http://www.w3.org/2000/svg" xmlns:x86="http://www.felixcloutier.com/x86"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><link rel="stylesheet" type="text/css" href="style.css"></link><title>ENCLU
— Execute an Enclave User Function of Specified Leaf Number</title></head><body><header><nav><ul><li><a href='index.html'>Index</a></li><li>December 2023</li></ul></nav></header><h1>ENCLU
— Execute an Enclave User Function of Specified Leaf Number</h1>
<table>
<tr>
<th>Opcode/Instruction</th>
<th>Op/En</th>
<th>64/32 bit Mode Support</th>
<th>CPUID Feature Flag</th>
<th>Description</th></tr>
<tr>
<td>NP 0F 01 D7 ENCLU</td>
<td>ZO</td>
<td>V/V</td>
<td>NA</td>
<td>This instruction is used to execute non-privileged Intel SGX leaf functions.</td></tr></table>
<h2 id="instruction-operand-encoding">Instruction Operand Encoding<a class="anchor" href="#instruction-operand-encoding">
</a></h2>
<table>
<tr>
<td>Op/En</td>
<td>Operand 1</td>
<td>Operand 2</td>
<td>Operand 3</td>
<td>Implicit Register Operands</td></tr>
<tr>
<td>ZO</td>
<td>NA</td>
<td>NA</td>
<td>NA</td>
<td>See Section 38.4</td></tr></table>
<h3 id="description">Description<a class="anchor" href="#description">
</a></h3>
<p>The ENCLU instruction invokes the specified non-privileged Intel SGX leaf functions. Software specifies the leaf function by setting the appropriate value in the register EAX as input. The registers RBX, RCX, and RDX have leaf-specific purpose, and may act as input, as output, or may be unused. In 64-bit mode, the instruction ignores upper 32 bits of the RAX register.</p>
<p>The ENCLU instruction produces an invalid-opcode exception (#UD) if CR0.PE = 0 or RFLAGS.VM = 1, or if it is executed in system-management mode (SMM). Additionally, any attempt to execute this instruction when CPL &lt; 3 results in #UD. The instruction produces a general-protection exception (#GP) if either CR0.PG or CR0.NE is 0, or if an attempt is made to invoke an undefined leaf function. The ENCLU instruction produces a device not available exception (#NM) if CR0.TS = 1.</p>
<p>Addresses and operands are 32 bits outside 64-bit mode (IA32_EFER.LMA = 0 or CS.L = 0) and are 64 bits in 64-bit mode (IA32_EFER.LMA = 1 and CS.L = 1). CS.D value has no impact on address calculation. The DS segment is used to create linear addresses.</p>
<p>Segment override prefixes and address-size override prefixes are ignored, as is the REX prefix in 64-bit mode.</p>
<h3 id="operation">Operation<a class="anchor" href="#operation">
</a></h3>
<pre>IN_64BIT_MODE := 0;
IF TSX_ACTIVE
THEN GOTO TSX_ABORT_PROCESSING; FI;
(* If enclosing app has CET indirect branch tracking enabled then if it is not ERESUME leaf cause a #CP fault *)
(* If the ERESUME is not successful it will leave tracker in WAIT_FOR_ENDBRANCH *)
TRACKER = (CPL == 3) ? IA32_U_CET.TRACKER : IA32_S_CET.TRACKER
IF EndbranchEnabledAndNotSuppressed(CPL) and TRACKER = WAIT_FOR_ENDBRANCH and
(EAX != ERESUME or CR0.TS or (in SMM) or (CPUID.SGX_LEAF.0:EAX.SE1 = 0) or (CPL &lt; 3))
THEN
Handle CET State machine violation (* see Section 17.3.6, “Legacy Compatibility Treatment,” in the
Intel<sup>®</sup> 64 and IA-32 Architectures Software Developers Manual, Volume 1. *)
FI;
IF CR0.PE= 0 or RFLAGS.VM = 1 or in SMM or CPUID.SGX_LEAF.0:EAX.SE1 = 0
THEN #UD; FI;
IF CR0.TS = 1
THEN #NM; FI;
IF CPL &lt; 3
THEN #UD; FI;
IF IA32_FEATURE_CONTROL.LOCK = 0 or IA32_FEATURE_CONTROL.SGX_ENABLE = 0
THEN #GP(0); FI;
IF EAX is invalid leaf number
THEN #GP(0); FI;
IF CR0.PG = 0 or CR0.NE = 0
THEN #GP(0); FI;
IN_64BIT_MODE := IA32_EFER.LMA AND CS.L ? 1 : 0;
(* Check not in 16-bit mode and DS is not a 16-bit segment *)
IF not in 64-bit mode and CS.D = 0
THEN #GP(0); FI;
IF CR_ENCLAVE_MODE = 1 and (EAX = 2 or EAX = 3) (* EENTER or ERESUME *)
THEN #GP(0); FI;
IF CR_ENCLAVE_MODE = 0 and (EAX = 0 or EAX = 1 or EAX = 4 or EAX = 5 or EAX = 6 or EAX = 7 or EAX = 9)
(* EREPORT, EGETKEY, EEXIT, EACCEPT, EMODPE, EACCEPTCOPY, or EDECCSSA *)
THEN #GP(0); FI;
Jump to leaf specific flow
</pre>
<h3 id="flags-affected">Flags Affected<a class="anchor" href="#flags-affected">
</a></h3>
<p>See individual leaf functions</p>
<h3 class="exceptions" id="protected-mode-exceptions">Protected Mode Exceptions<a class="anchor" href="#protected-mode-exceptions">
</a></h3>
<table>
<tr>
<td rowspan="4">#UD</td>
<td>If any of the LOCK/66H/REP/VEX prefixes are used.</td></tr>
<tr>
<td>If current privilege level is not 3.</td></tr>
<tr>
<td>If CPUID.(EAX=12H,ECX=0):EAX.SGX1 [bit 0] = 0.</td></tr>
<tr>
<td>If logical processor is in SMM.</td></tr>
<tr>
<td rowspan="8">#GP(0)</td>
<td>If IA32_FEATURE_CONTROL.LOCK = 0.</td></tr>
<tr>
<td>If IA32_FEATURE_CONTROL.SGX_ENABLE = 0.</td></tr>
<tr>
<td>If input value in EAX encodes an unsupported leaf.</td></tr>
<tr>
<td>If input value in EAX encodes EENTER/ERESUME and ENCLAVE_MODE = 1.</td></tr>
<tr>
<td>If input value in EAX encodes EGETKEY/EREPORT/EEXIT/EACCEPT/EACCEPTCOPY/EMODPE and ENCLAVE_MODE = 0.</td></tr>
<tr>
<td>If operating in 16-bit mode.</td></tr>
<tr>
<td>If data segment is in 16-bit mode.</td></tr>
<tr>
<td>If CR0.PG = 0 or CR0.NE= 0.</td></tr>
<tr>
<td>#NM</td>
<td>If CR0.TS = 1.</td></tr></table>
<h3 class="exceptions" id="real-address-mode-exceptions">Real-Address Mode Exceptions<a class="anchor" href="#real-address-mode-exceptions">
</a></h3>
<table>
<tr>
<td>#UD</td>
<td>ENCLS is not recognized in real mode.</td></tr></table>
<h3 class="exceptions" id="virtual-8086-mode-exceptions">Virtual-8086 Mode Exceptions<a class="anchor" href="#virtual-8086-mode-exceptions">
</a></h3>
<table>
<tr>
<td>#UD</td>
<td>ENCLS is not recognized in virtual-8086 mode.</td></tr></table>
<h3 class="exceptions" id="compatibility-mode-exceptions">Compatibility Mode Exceptions<a class="anchor" href="#compatibility-mode-exceptions">
</a></h3>
<p>Same exceptions as in protected mode.</p>
<h3 class="exceptions" id="64-bit-mode-exceptions">64-Bit Mode Exceptions<a class="anchor" href="#64-bit-mode-exceptions">
</a></h3>
<table>
<tr>
<td rowspan="4">#UD</td>
<td>If any of the LOCK/66H/REP/VEX prefixes are used.</td></tr>
<tr>
<td>If current privilege level is not 3.</td></tr>
<tr>
<td>If CPUID.(EAX=12H,ECX=0):EAX.SGX1 [bit 0] = 0.</td></tr>
<tr>
<td>If logical processor is in SMM.</td></tr>
<tr>
<td rowspan="6">#GP(0)</td>
<td>If IA32_FEATURE_CONTROL.LOCK = 0.</td></tr>
<tr>
<td>If IA32_FEATURE_CONTROL.SGX_ENABLE = 0.</td></tr>
<tr>
<td>If input value in EAX encodes an unsupported leaf.</td></tr>
<tr>
<td>If input value in EAX encodes EENTER/ERESUME and ENCLAVE_MODE = 1.</td></tr>
<tr>
<td>If input value in EAX encodes EGETKEY/EREPORT/EEXIT/EACCEPT/EACCEPTCOPY/EMODPE and ENCLAVE_MODE = 0.</td></tr>
<tr>
<td>If CR0.NE= 0.</td></tr>
<tr>
<td>#NM</td>
<td>If CR0.TS = 1.</td></tr></table><footer><p>
This UNOFFICIAL, mechanically-separated, non-verified reference is provided for convenience, but it may be
inc<span style="opacity: 0.2">omp</span>lete or b<sub>r</sub>oke<sub>n</sub> in various obvious or non-obvious
ways. Refer to <a href="https://software.intel.com/en-us/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4">Intel® 64 and IA-32 Architectures Software Developers Manual</a> for anything serious.
</p></footer></body></html>
View git blame Copy permalink