ENCLV

Execute an Enclave VMM Function of Specified Leaf Number

Opcode/InstructionOp/En64/32 bit Mode SupportCPUID Feature FlagDescription
NP 0F 01 C0 ENCLVZOV/VNAThis instruction is used to execute privileged SGX leaf functions that are reserved for VMM use. They are used for managing the enclaves.

Instruction Operand Encoding

Op/EnOperand 1Operand 2Operand 3Implicit Register Operands
ZONANANASee Section 38.3

Description

The ENCLV instruction invokes the virtualization SGX leaf functions for managing enclaves in a virtualized environment. Software specifies the leaf function by setting the appropriate value in the register EAX as input. The registers RBX, RCX, and RDX have leaf-specific purpose, and may act as input, as output, or may be unused. In non 64-bit mode, the instruction ignores upper 32 bits of the RAX register.

The ENCLV instruction produces an invalid-opcode exception (#​​​UD) if CR0.PE = 0 or RFLAGS.VM = 1, if it is executed in system-management mode (SMM), or not in VMX operation. Additionally, any attempt to execute the instruction when CPL > 0 results in #​​​UD. The instruction produces a general-protection exception (#​​​​GP) if CR0.PG = 0 or if an attempt is made to invoke an undefined leaf function.

Software in VMX root mode of operation can enable execution of the ENCLV instruction in VMX non-root mode by setting enable ENCLV execution control in the VMCS. If enable ENCLV execution control in the VMCS is clear, execution of the ENCLV instruction in VMX non-root mode results in #​​​UD.

When execution of ENCLV instruction in VMX non-root mode is enabled, software in VMX root operation can intercept the invocation of various ENCLV leaf functions in VMX non-root operation by setting the corresponding bits in the ENCLV-exiting bitmap.

Addresses and operands are 32 bits in 32-bit mode (IA32_EFER.LMA 0 || CS.L 0) and are 64 bits in 64-bit mode (IA32_EFER.LMA 1 && CS.L 1). CS.D value has no impact on address calculation.

Segment override prefixes and address-size override prefixes are ignored, as is the REX prefix in 64-bit mode.

Operation

IF TSX_ACTIVE
            THEN GOTO TSX_ABORT_PROCESSING; FI;
IF CR0.PE = 0 or RFLAGS.VM = 1 or in SMM or CPUID.SGX_LEAF.0:EAX.OSS = 0
            THEN #​​​UD; FI;
IF not in VMX Operation or (IA32_EFER.LMA = 1 and CS.L = 0)
            THEN #​​​UD; FI;
IF (CPL > 0)
            THEN #​​​UD; FI;
IF in VMX non-root operation
    IF “enable ENCLV exiting“ VM-execution control is 1
                THEN
                    IF EAX < 63 and ENCLV_exiting_bitmap[EAX] = 1 or EAX> 62 and ENCLV_exiting_bitmap[63] = 1
                        THEN VM exit;
                    FI;
        ELSE
                #​​​UD; FI;
FI;
IF IA32_FEATURE_CONTROL.LOCK = 0 or IA32_FEATURE_CONTROL.SGX_ENABLE = 0
            THEN #​​​​GP(0); FI;
IF (EAX is an invalid leaf number)
            THEN #​​​​GP(0); FI;
IF CR0.PG = 0
            THEN #​​​​GP(0); FI;
(* DS must not be an expanded down segment *)
IF not in 64-bit mode and DS.Type is expand-down data
            THEN #​​​​GP(0); FI;
Jump to leaf specific flow

Flags Affected

See individual leaf functions.

Protected Mode Exceptions

#​​​UDIf any of the LOCK/66H/REP/VEX prefixes are used.
If current privilege level is not 0.
If CPUID.(EAX=12H,ECX=0):EAX.OSS [bit 5] = 0.
If logical processor is in SMM.
#​​​​GP(0)If IA32_FEATURE_CONTROL.LOCK = 0.
If IA32_FEATURE_CONTROL.SGX_ENABLE = 0.
If input value in EAX encodes an unsupported leaf.
If data segment expand down.
If CR0.PG=0.

Real-Address Mode Exceptions

#​​​UDENCLV is not recognized in real mode.

Virtual-8086 Mode Exceptions

#​​​UDENCLV is not recognized in virtual-8086 mode.

Compatibility Mode Exceptions

Same exceptions as in protected mode.

64-Bit Mode Exceptions

#​​​UDIf any of the LOCK/66H/REP/VEX prefixes are used.
If current privilege level is not 0.
If CPUID.(EAX=12H,ECX=0):EAX.OSS [bit 5] = 0.
If logical processor is in SMM.
#​​​​GP(0)If IA32_FEATURE_CONTROL.LOCK = 0.
If IA32_FEATURE_CONTROL.SGX_ENABLE = 0.
If input value in EAX encodes an unsupported leaf.

This UNOFFICIAL, mechanically-separated, non-verified reference is provided for convenience, but it may be incomplete or broken in various obvious or non-obvious ways. Refer to Intel® 64 and IA-32 Architectures Software Developer’s Manual for anything serious.