Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

How to set/unset TCS.FLAGS.DBGOPTIN


In debug enclaves the TCS.FLAGS.DBGOPTIN flag can be either set to 0 or 1, referred to as Opt-in and Opt-out enclaves. My questions are:

1. How can I check the state of this flag? For instance, is there a way to see from the binary whether it is an Opt-in or Opt-out enclave?

2. How can I set this flag before the enclave is entered? Can I set this flag at compile time?

0 Kudos
2 Replies

Here's a reply relevant for Linux:

For Windows you can use VTune. I think that attaching a debugger to the application process may also work, not sure though.

That's the how to enable part. The specific questions you asked:

1) The binary itself will tell you if it is allowed to be debugged. The binary (on disk) won't tell you the current state of whether each TCS is being debugged. You'll need to read the enclave and extract that information.

2) I think the easiest way is to profile it using VTune. I don't think you can set it to always be enabled at build-time.


Hi Francisco,

thank you very much for your quick response, this helps.

I understand that TCS.FLAGS.DBGOPTIN defaults to 0 (i.e. it is disabled). More specifically, if I simply launch a debug enclave the flag is set to 0. Is this true?

*Edit: I think I have found the answer myself in the SDM Vol3, Section 43.1.2.

The TCS.FLAGS.DBGOPTIN bit controls interactions of certain debug and profiling features with enclaves, including
code/data breakpoints, TF, RF, monitor trap flag, BTF, LBRs, BTM, BTS, Intel Processor Trace, and performance
monitoring. This bit is forced to zero when EPC pages are added via EADD. A debugger can set this bit via EDBGWR
to the TCS of a debug enclave.
An enclave entry through a TCS with the TCS.FLAGS.DBGOPTIN set to 0 is called an opt-out entry. Conversely, an
enclave entry through a TCS with TCS.FLAGS.DBGOPTIN set to 1 is called an opt-in entry.

I understand that the TCS.FLAGS.DBGOPTIN is 0 when a debug enclave is launched without any debugging software attached.