Software Guard Extensions (SGX)
Intel Software Guard Extensions (SGX) provide two sets of instruction leaf functions to enable application software to instantiate a protected container, referred to as an enclave. The enclave instructions are organized as leaf functions under two instruction mnemonics: ENCLS (ring 0) and ENCLU (ring 3).
Tip: For detailed information about each instruction please read: Intel Architectures Software Developer’s Manual Volume 2: Instruction Set Reference, A-Z
Supervisor Instructions
| Instruction | Meaning |
|---|---|
| Setup | |
| ENCLS[ECREATE] | Create an enclave |
| ENCLS[EINIT] | Initialize an enclave |
| ENCLS[EADD] | Add a page |
| ENCLS[EEXTEND] | Extend EPC page measurement |
| Eviction | |
| ENCLS[EBLOCK] | Block an EPC page |
| ENCLS[ETRACK] | Activate EBLOCK checks |
| ENCLS[EWB] | Write back/invalidate an EPC page |
| ENCLS[EPA] | Add version array |
| Restoration | |
| ENCLS[ELDB] | Load an EPC page as blocked |
| ENCLS[ELDBC] | Load an EPC page as blocked but with improved conflict handling for over-subscription |
| ENCLS[ELDU] | Load an EPC page as unblocked |
| ENCLS[ELDUC] | Load an EPC page as unblocked but with improved conflict handling for over-subscription |
| Dynamic Management | |
| ENCLS[EAUG] | Add a page to an initialized enclave |
| ENCLS[EREMOVE] | Remove a page from EPC |
| ENCLS[EMODPR] | Restrict the permissions of an EPC page |
| ENCLS[EMODT] | Change the type of an EPC page |
| Debug | |
| ENCLS[EDBGRD] | Read data by debugger |
| ENCLS[EDBGWR] | Write data by debugger |
User Instructions
| Instruction | Meaning |
|---|---|
| Lifecycle Flow | |
| ENCLU[EENTER] | Enter an enclave |
| ENCLU[ERESUME] | Re-enter an enclave |
| ENCLU[EEXIT] | Exit an enclave |
| Memory Control | |
| ENCLU[EACCEPT] | Accept changes to an EPC page |
| ENCLU[EACCEPTCOPY] | Initialize a pending page |
| ENCLU[EMODPE] | Extend the permissions of an EPC page |
| Security | |
| ENCLU[EREPORT] | Create a cryptographic report |
| ENCLU[EGETKEY] | Create a cryptographic key |