Lines Matching full:an
15 * Unprivileged (ring-3) ENCLU functions allow an application to enter and
18 These memory regions are called enclaves. An enclave can be only entered at a
37 SGX utilizes an *Enclave Page Cache (EPC)* to store pages that are associated
38 with an enclave. It is contained in a BIOS-reserved region of physical memory.
42 Only a CPU executing inside an enclave can directly access enclave memory.
43 However, a CPU executing inside an enclave may access normal memory outside the
56 Regular EPC pages contain the code and data of an enclave.
59 Thread Control Structure pages define the entry points to an enclave and
60 track the execution state of an enclave thread.
70 *Enclave Page Cache Map (EPCM)*. The EPCM contains an entry for each EPC page
75 kernel from, for instance, allowing writes to data which an enclave wishes to
81 handle an EPCM fault at any time. In practice, this can happen on events like
92 executed (entered). The first step in building an enclave is opening the
108 adding and removing of enclave pages. When an enclave accesses an address
121 Entering an enclave can only be done through SGX-specific EENTER and ERESUME
123 transitioning to and from an enclave, enclaves typically utilize a library to
151 use since the reset, enclave pages may be in an inconsistent state. This might
174 EINIT function takes an RSA-3072 signature of the enclave measurement. The function
188 memory controller has an encryption engine to transparently encrypt and decrypt
199 MEE. TME-based SGX implementations do not have an integrity Merkle tree, which
215 into an enclave. The application can then make individual function calls into
223 An application may be loaded into a container enclave which is specially
236 "EREMOVE returned ... and an EPC page was leaked. SGX may become unusable..."
238 This is effectively a kernel use-after-free of an EPC page, and due
258 in guests. Unlike the SGX driver, an EPC page allocated by the virtual
269 Architectural behavior is to restore all EPC pages to an uninitialized
297 twice: an initial set of calls to remove child pages and a subsequent