Illegal Instructions within an Enclave

The following is a list of hardware instructions which are illegal within an enclave and will generate a #UD fault if executed:

  1. Instructions which may VMEXIT if executed inside an enclave. Since it is not permissible for the VMM to update the enclave, they are not allowed.

    CPUID, GETSEC, RDPMC, RDTSC, RDTSCP, SGDT, SIDT, SLDT, STR, VMCALL, VMFUNC.

  2. I/O instructions cannot be executed inside an enclave. These instructions could cause faults which cannot be handled by software.

    IN, INS/INSB/INSW/INSD, OUT, OUTS/OUTSB/OUTSW/OUTSD.

  3. Instructions that may require a change in privilege levels.

    Far call, Far jump, Far ret, INT n/INTO, IRET, LDS/LES/LFS/LGS/LSS, MOV to DS/ES/SS/FS/GS, POP DS/ES/SS/FS/GS, SYSCALL, SYSENTER.

Developers should consider these instructions with respect to standard I/O and system functions, which depend on these HW instructions for their underlying implementation. Functions which gather host system attributes, perform I/O, or require a higher privilege level should be performed outside an enclave. In some cases, a developer may have access to trusted alternatives such as trusted time and trusted I/O. This functionality however is not provided directly by the Intel SGX architecture and it is currently out of the scope of this document.

For more complete information about compiler optimizations, see our Optimization Notice.