Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

How to set/unset TCS.FLAGS.DBGOPTIN

Urs_M_
Beginner
744 Views

In debug enclaves the TCS.FLAGS.DBGOPTIN flag can be either set to 0 or 1, referred to as Opt-in and Opt-out enclaves. My questions are:

1. How can I check the state of this flag? For instance, is there a way to see from the binary whether it is an Opt-in or Opt-out enclave?

2. How can I set this flag before the enclave is entered? Can I set this flag at compile time?

2 Replies
Francisco_C_Intel

Here's a reply relevant for Linux:

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/705410#comment-1893286

For Windows you can use VTune. I think that attaching a debugger to the application process may also work, not sure though.

That's the how to enable part. The specific questions you asked:

1) The binary itself will tell you if it is allowed to be debugged. The binary (on disk) won't tell you the current state of whether each TCS is being debugged. You'll need to read the enclave and extract that information.

2) I think the easiest way is to profile it using VTune. I don't think you can set it to always be enabled at build-time.

Urs_M_

Hi Francisco,

thank you very much for your quick response, this helps.

I understand that TCS.FLAGS.DBGOPTIN defaults to 0 (i.e. it is disabled). More specifically, if I simply launch a debug enclave the flag is set to 0. Is this true?

*Edit: I think I have found the answer myself in the SDM Vol3, Section 43.1.2.

The TCS.FLAGS.DBGOPTIN bit controls interactions of certain debug and profiling features with enclaves, including code/data breakpoints, TF, RF, monitor trap flag, BTF, LBRs, BTM, BTS, Intel Processor Trace, and performance monitoring. This bit is forced to zero when EPC pages are added via EADD. A debugger can set this bit via EDBGWR to the TCS of a debug enclave.

An enclave entry through a TCS with the TCS.FLAGS.DBGOPTIN set to 0 is called an opt-out entry. Conversely, an enclave entry through a TCS with TCS.FLAGS.DBGOPTIN set to 1 is called an opt-in entry.

I understand that the TCS.FLAGS.DBGOPTIN is 0 when a debug enclave is launched without any debugging software attached.

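The two checks discussed in this thread, as an added example that is not part of the original posts: decoding the live TCS.FLAGS.DBGOPTIN bit from a TCS page read out of enclave memory (which is what Francisco's answer to question 1 refers to), and reading the ATTRIBUTES.DEBUG bit from the SIGSTRUCT embedded in the enclave binary (the "allowed to be debugged" property the binary does carry). The field offsets and bit positions are taken from the SDM TCS and SIGSTRUCT layouts and are this example's assumptions, not values stated on the page; the TCS page and SIGSTRUCT bytes are constructed sample data.

```python
import struct

# Assumed layout constants (from the SDM TCS and SIGSTRUCT tables, not from this thread).
TCS_FLAGS_OFFSET = 8              # TCS.FLAGS: 8-byte field right after TCS.STATE
TCS_FLAGS_DBGOPTIN = 1 << 0       # bit 0 of TCS.FLAGS
SIGSTRUCT_SIZE = 1808
SIGSTRUCT_ATTRIBUTES_OFFSET = 928 # ATTRIBUTES: 16 bytes (FLAGS, then XFRM)
ATTRIBUTES_DEBUG = 1 << 1         # ATTRIBUTES.FLAGS bit 1: enclave may be debugged


def tcs_entry_kind(tcs_page: bytes) -> str:
    """Classify the entry a thread would make through this TCS as 'opt-in' or 'opt-out'.
    The bytes must come from the live TCS in enclave memory (e.g. read by a debugger);
    the on-disk image cannot carry this state, since EADD forces the bit to zero."""
    if len(tcs_page) < TCS_FLAGS_OFFSET + 8:
        raise ValueError("TCS image too short")
    (flags,) = struct.unpack_from("<Q", tcs_page, TCS_FLAGS_OFFSET)
    return "opt-in" if flags & TCS_FLAGS_DBGOPTIN else "opt-out"


def sigstruct_allows_debug(sigstruct: bytes) -> bool:
    """True if the binary's SIGSTRUCT has ATTRIBUTES.DEBUG set, i.e. this is a debug
    enclave whose TCSs a debugger is allowed to set DBGOPTIN on via EDBGWR."""
    if len(sigstruct) != SIGSTRUCT_SIZE:
        raise ValueError("SIGSTRUCT must be exactly %d bytes" % SIGSTRUCT_SIZE)
    (attr_flags,) = struct.unpack_from("<Q", sigstruct, SIGSTRUCT_ATTRIBUTES_OFFSET)
    return bool(attr_flags & ATTRIBUTES_DEBUG)


def build_tcs(flags: int) -> bytes:
    """Constructed 4 KiB TCS page for the demo: STATE=0, FLAGS=flags, everything else zero."""
    page = bytearray(4096)
    struct.pack_into("<Q", page, TCS_FLAGS_OFFSET, flags)
    return bytes(page)


def build_sigstruct(debug: bool) -> bytes:
    """Constructed SIGSTRUCT for the demo with only the ATTRIBUTES.DEBUG bit of interest."""
    ss = bytearray(SIGSTRUCT_SIZE)
    struct.pack_into("<Q", ss, SIGSTRUCT_ATTRIBUTES_OFFSET, ATTRIBUTES_DEBUG if debug else 0)
    return bytes(ss)


if __name__ == "__main__":
    fresh = build_tcs(0)                      # state right after EADD: DBGOPTIN is 0
    debugged = build_tcs(TCS_FLAGS_DBGOPTIN)  # state after a debugger's EDBGWR
    print("freshly added TCS:", tcs_entry_kind(fresh))         # opt-out
    print("TCS after EDBGWR:", tcs_entry_kind(debugged))       # opt-in
    print("binary is a debug enclave:", sigstruct_allows_debug(build_sigstruct(True)))
```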