Software Guard Extensions (SGX)
Intel Software Guard Extensions (SGX) provide two sets of instruction leaf functions that allow application software to instantiate a protected container, referred to as an enclave. The enclave instructions are organized as leaf functions under two instruction mnemonics: ENCLS (executed in ring 0, by the OS or kernel driver) and ENCLU (executed in ring 3, by the enclave or its host application). A third mnemonic, ENCLV, is listed below under VMM Instructions; its leaf functions are used by a virtual machine monitor.
Contents
- Supervisor Instructions
- Setup
- Eviction
- Restoration
- Dynamic Management
- Debug
- User Instructions
- Lifecycle Flow
- Memory Control
- Security
- VMM Instructions
Tip: For detailed information about each instruction (operands, error codes, and the exact checks performed), see the Intel Architectures Software Developer's Manual, Volume 2: Instruction Set Reference, A-Z.
Supervisor Instructions
| Instruction | Meaning |
|---|---|
| **Setup** | |
| ENCLS[ECREATE] | Create an enclave |
| ENCLS[EINIT] | Initialize an enclave |
| ENCLS[EADD] | Add a page |
| ENCLS[EEXTEND] | Extend EPC page measurement |
| **Eviction** | |
| ENCLS[EBLOCK] | Block an EPC page |
| ENCLS[ETRACK] | Activate EBLOCK checks |
| ENCLS[EWB] | Write back/invalidate an EPC page |
| ENCLS[EPA] | Add version array |
| **Restoration** | |
| ENCLS[ELDB] | Load an EPC page as blocked |
| ENCLS[ELDBC] | Load an EPC page as blocked, with improved conflict handling for over-subscription |
| ENCLS[ELDU] | Load an EPC page as unblocked |
| ENCLS[ELDUC] | Load an EPC page as unblocked, with improved conflict handling for over-subscription |
| **Dynamic Management** | |
| ENCLS[EAUG] | Add a page to an initialized enclave |
| ENCLS[EREMOVE] | Remove a page from the EPC |
| ENCLS[EMODPR] | Restrict the permissions of an EPC page |
| ENCLS[EMODT] | Change the type of an EPC page |
| **Debug** | |
| ENCLS[EDBGRD] | Read data by debugger |
| ENCLS[EDBGWR] | Write data by debugger |
User Instructions
| Instruction | Meaning |
|---|---|
| **Lifecycle Flow** | |
| ENCLU[EENTER] | Enter an enclave |
| ENCLU[ERESUME] | Re-enter an enclave |
| ENCLU[EEXIT] | Exit an enclave |
| **Memory Control** | |
| ENCLU[EACCEPT] | Accept changes to an EPC page |
| ENCLU[EACCEPTCOPY] | Initialize a pending page |
| ENCLU[EMODPE] | Extend the permissions of an EPC page |
| **Security** | |
| ENCLU[EREPORT] | Create a cryptographic report |
| ENCLU[EGETKEY] | Create a cryptographic key |
VMM Instructions
| Instruction | Meaning |
|---|---|
| ENCLV[EDECVIRTCHILD] | Decrement VIRTCHILDCNT in SECS |
| ENCLV[EINCVIRTCHILD] | Increment VIRTCHILDCNT in SECS |
| ENCLV[ESETCONTEXT] | Set the ENCLAVECONTEXT field in SECS |