EWB — Invalidate an EPC Page and Write out to Main Memory

Opcode/Instruction Op/En 64/32 bit Mode Support CPUID Feature Flag Description
EAX = 0BH ENCLS[EWB] IR V/V SGX1 This leaf function invalidates an EPC page and writes it out to main memory.

Instruction Operand Encoding

Op/En EAX RBX RCX RDX
IR EWB (In) Error code (Out) Address of an PAGEINFO (In) Address of the EPC page (In) Address of a VA slot (In)

Description

This leaf function copies a page from the EPC to regular main memory. As part of the copying process, the page is cryptographically protected. This instruction can only be executed when current privilege level is 0.

The table below provides additional information on the memory parameter of EPA leaf function.

EWB Memory Parameter Semantics

PAGEINFO PAGEINFO.SRCPGE PAGEINFO.PCMD EPCPAGE VASLOT
Non-EPC R/W access Non-EPC R/W access Non-EPC R/W access EPC R/W access EPC R/W access

The error codes are:

Error Code (see Table 40-4) Description
No Error EWB successful.
SGX_PAGE_NOT_BLOCKED If page is not marked as blocked.
SGX_NOT_TRACKED If EWB is racing with ETRACK instruction.
SGX_VA_SLOT_OCCUPIED Version array slot contained valid entry.
SGX_CHILD_PRESENT Child page present while attempting to page out enclave.
Table 40-51. EWB Return Value in RAX

Concurrency Restrictions

Leaf Parameter Base Concurrency Restrictions
Access On Conflict SGX_CONFLICT VM Exit Qualification
EWB Source [DS:RCX] Exclusive #GP EPC_PAGE_CONFLICT_EXCEPTION
VA [DS:RDX] Shared #GP
Table 40-52. Base Concurrency Restrictions of EWB
Leaf Parameter Additional Concurrency Restrictions
vs. EACCEPT, EACCEPTCOPY, EMODPE, EMODPR, EMODT vs. EADD, EEXTEND, EINIT vs. ETRACK, ETRACKC
Access On Conflict Access On Conflict Access On Conflict
EWB Source [DS:RCX] Concurrent Concurrent Concurrent
VA [DS:RDX] Concurrent Concurrent Exclusive
Table 40-53. Additional Concurrency Restrictions of EWB

Operation

Temp Variables in EWB Operational Flow

Name Type Size (Bytes) Description
TMP_SRCPGE Memory page 4096
TMP_PCMD PCMD 128
TMP_SECS SECS 4096
TMP_BPEPOCH UINT64 8
TMP_BPREFCOUNT UINT64 8
TMP_HEADER MAC Header 128
TMP_PCMD_ENCLAVEID UINT64 8
TMP_VER UINT64 8
TMP_PK UINT128 16

IF ( (DS:RBX is not 32Byte Aligned) or (DS:RCX is not 4KByte Aligned) )

THEN #GP(0); FI;

IF (DS:RCX does not resolve within an EPC)

THEN #PF(DS:RCX); FI;

IF (DS:RDX is not 8Byte Aligned)

THEN #GP(0); FI;

IF (DS:RDX does not resolve within an EPC)

THEN #PF(DS:RDX); FI;

(* EPCPAGE and VASLOT should not resolve to the same EPC page*)

IF (DS:RCX and DS:RDX resolve to the same EPC page)

THEN #GP(0); FI;

TMP_SRCPGE ← DS:RBX.SRCPGE;

(* Note PAGEINFO.PCMD is overlaid on top of PAGEINFO.SECINFO *)

TMP_PCMD ← DS:RBX.PCMD;

If (DS:RBX.LINADDR ≠ 0) OR (DS:RBX.SECS ≠ 0)

THEN #GP(0); FI;

IF ( (DS:TMP_PCMD is not 128Byte Aligned) or (DS:TMP_SRCPGE is not 4KByte Aligned) )

THEN #GP(0); FI;

(* Check for concurrent Intel SGX instruction access to the page *)

IF (Other Intel SGX instruction is accessing page)

THEN

IF (<<VMX non-root operation>> AND <<ENABLE_EPC_VIRTUALIZATION_EXTENSIONS>>)

THEN

VMCS.Exit_reason ← SGX_CONFLICT;

VMCS.Exit_qualification.code ← EPC_PAGE_CONFLICT_EXCEPTION;

VMCS.Exit_qualification.error ← 0;

VMCS.Guest-physical_address←<< translation of DS:RCX produced by paging >>;

VMCS.Guest-linear_address ← DS:RCX;

Deliver VMEXIT;

ELSE

#GP(0);

FI;

FI;

(*Check if the VA Page is being removed or changed*)

IF (VA Page is being modified)

THEN #GP(0); FI;

(* Verify that EPCPAGE and VASLOT page are valid EPC pages and DS:RDX is VA *)

IF (EPCM(DS:RCX).VALID = 0)

THEN #PF(DS:RCX); FI;

IF ( (EPCM(DS:RDX & ~0FFFH).VALID = 0) or (EPCM(DS:RDX & ~FFFH).PT is not PT_VA) )

THEN #PF(DS:RDX); FI;

(* Perform page-type-specific exception checks *)

IF ( (EPCM(DS:RCX).PT is PT_REG) or (EPCM(DS:RCX).PT is PT_TCS) or (EPCM(DS:RCX).PT is PT_TRIM ) )

THEN

TMP_SECS = Obtain SECS through EPCM(DS:RCX)

(* Check that EBLOCK has occurred correctly *)

IF (EBLOCK is not correct)

THEN #GP(0); FI;

FI;

RFLAGS.ZF,CF,PF,AF,OF,SF ← 0;

RAX←0;

(* Perform page-type-specific checks *)

IF ( (EPCM(DS:RCX).PT is PT_REG) or (EPCM(DS:RCX).PT is PT_TCS) or (EPCM(DS:RCX).PT is PT_TRIM ))

THEN

(* check to see if the page is evictable *)

IF (EPCM(DS:RCX).BLOCKED = 0)

THEN

RAX←SGX_PAGE NOT_BLOCKED;

RFLAGS.ZF ← 1;

GOTO ERROR_EXIT;

FI;

(* Check if tracking done correctly *)

IF (Tracking not correct)

THEN

RAX ← SGX_NOT_TRACKED;

RFLAGS.ZF ← 1;

GOTO ERROR_EXIT;

FI;

(* Obtain EID to establish cryptographic binding between the paged-out page and the enclave *)

TMP_HEADER.EID ← TMP_SECS.EID;

(* Obtain EID as an enclave handle for software *)

TMP_PCMD_ENCLAVEID ← TMP_SECS.EID;

ELSE IF (EPCM(DS:RCX).PT is PT_SECS)

(*check that there are no child pages inside the enclave *)

IF (DS:RCX has an EPC page associated with it)

THEN

RAX ← SGX_CHILD_PRESENT;

RFLAGS.ZF ← 1;

GOTO ERROR_EXIT;

FI:

(* treat SECS as having a child page when VIRTCHILDCNT is non-zero *)

IF (<<in VMX non-root operation>> AND

<<ENABLE_EPC_VIRTUALIZATION_EXTENSIONS>> AND

(SECS(DS:RCX).VIRTCHILDCNT ≠ 0))

THEN

RFLAGS.ZF ← 1;

RAX ← SGX_CHILD_PRESENT;

GOTO ERROR_EXIT;

FI;

TMP_HEADER.EID ← 0;

(* Obtain EID as an enclave handle for software *)

TMP_PCMD_ENCLAVEID ← (DS:RCX).EID;

ELSE IF (EPCM(DS:RCX).PT is PT_VA)

TMP_HEADER.EID←0; // Zero is not a special value

(* No enclave handle for VA pages*)

TMP_PCMD_ENCLAVEID ← 0;

FI;

(* Zero out TMP_HEADER*)

TMP_HEADER[ sizeof(TMP_HEADER)-1 : 0]←0;

TMP_HEADER.LINADDR ← EPCM(DS:RCX).ENCLAVEADDRESS;

TMP_HEADER.SECINFO.FLAGS.PT ← EPCM(DS:RCX).PT;

TMP_HEADER.SECINFO.FLAGS.RWX ← EPCM(DS:RCX).RWX;

TMP_HEADER.SECINFO.FLAGS.PENDING ← EPCM(DS:RCX).PENDING;

TMP_HEADER.SECINFO.FLAGS.MODIFIED ← EPCM(DS:RCX).MODIFIED;

TMP_HEADER.SECINFO.FLAGS.PR ← EPCM(DS:RCX).PR;

(* Encrypt the page, DS:RCX could be encrypted in place. AES-GCM produces 2 values, {ciphertext, MAC}. *)

(* AES-GCM input parameters: key, GCM Counter, MAC_HDR, MAC_HDR_SIZE, SRC, SRC_SIZE)*)

{DS:TMP_SRCPGE, DS:TMP_PCMD.MAC}←AES_GCM_ENC(CR_BASE_PK), (TMP_VER << 32),

TMP_HEADER, 128, DS:RCX, 4096);

(* Write the output *)

Zero out DS:TMP_PCMD.SECINFO

DS:TMP_PCMD.SECINFO.FLAGS.PT ← EPCM(DS:RCX).PT;

DS:TMP_PCMD.SECINFO.FLAGS.RWX ← EPCM(DS:RCX).RWX;

DS:TMP_PCMD.SECINFO.FLAGS.PENDING ← EPCM(DS:RCX).PENDING;

DS:TMP_PCMD.SECINFO.FLAGS.MODIFIED ← EPCM(DS:RCX).MODIFIED;

DS:TMP_PCMD.SECINFO.FLAGS.PR ← EPCM(DS:RCX).PR;

DS:TMP_PCMD.RESERVED ← 0;

DS:TMP_PCMD.ENCLAVEID ← TMP_PCMD_ENCLAVEID;

DS:RBX.LINADDR ← EPCM(DS:RCX).ENCLAVEADDRESS;

(*Check if version array slot was empty *)

IF ([DS.RDX])

THEN

RAX ← SGX_VA_SLOT_OCCUPIED

RFLAGS.CF ← 1;

FI;

(* Write version to Version Array slot *)

[DS.RDX] ← TMP_VER;

(* Free up EPCM Entry *)

EPCM.(DS:RCX).VALID ← 0;

ERROR_EXIT:

Flags Affected

ZF is set if page is not blocked, not tracked, or a child is present. Otherwise cleared.

CF is set if VA slot is previously occupied, Otherwise cleared.

Protected Mode Exceptions

#GP(0) If a memory operand effective address is outside the DS segment limit.
If a memory operand is not properly aligned.
If the EPC page and VASLOT resolve to the same EPC page.
If another Intel SGX instruction is concurrently accessing either the target EPC, VA, or SECS pages.
If the tracking resource is in use.
If the EPC page or the version array page is invalid.
If the parameters fail consistency checks.
#PF(error code) If a page fault occurs in accessing memory operands.
If a memory operand is not an EPC page.
If one of the EPC memory operands has incorrect page type.

64-Bit Mode Exceptions

#GP(0) If a memory operand is non-canonical form.
If a memory operand is not properly aligned.
If the EPC page and VASLOT resolve to the same EPC page.
If another Intel SGX instruction is concurrently accessing either the target EPC, VA, or SECS pages.
If the tracking resource is in use.
If the EPC page or the version array page in invalid.
If the parameters fail consistency checks.
#PF(error code) If a page fault occurs in accessing memory operands.
If a memory operand is not an EPC page.
If one of the EPC memory operands has incorrect page type.