I am trying to understand how SGX works under the hood.
Reading the documentation and inspecting the SDK for Linux (https://github.com/intel/linux-sgx), I noticed something strange about the TCS and SECS structures.
According to Intel's overview (https://software.intel.com/en-us/blogs/2016/06/10/overview-of-intel-software-guard-extensions-instructions-and-data-structures), the last line asserts:
SECS, TCS and VA are initialized and manipulated by the hardware.
However, the TCS and SECS, which are described here (https://github.com/intel/linux-sgx/blob/master/common/inc/internal/arch.h), are commonly used in the uRTS, especially the TCS structure.
For instance in do_ecall() here: https://github.com/intel/linux-sgx/blob/master/psw/urts/linux/sig_handler.cpp#L238
As far as I understand, uRTS code is readable from untrusted memory. From the previous link, it looks like the TCS is passed to the ECALL, as it also appears to be here: https://github.com/intel/linux-sgx/blob/master/psw/urts/linux/enter_enclave.S#L36
So, what I am wondering is: is it possible to read the TCS from the untrusted memory region? The same for the SECS.
Or did I totally misunderstand the code I posted above? :D
Thanks in advance,
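The question above is really "what happens when untrusted code dereferences the TCS address that the uRTS hands to EENTER?" The following probe is an added example written for this page; it is not code from the question or from linux-sgx. It reads a range of bytes under a SIGSEGV/SIGBUS guard and classifies the result three ways: a fault, an all-0xFF read (the abort-page semantics the SDM specifies for non-enclave accesses to EPC pages, where reads return all ones and writes are dropped), or ordinary readable data. The TCS address to probe is assumed to be supplied on the command line (for instance the RBX value observed at the EENTER in enter_enclave.S under a debugger); the self-test in `demo_probe` runs on ordinary memory, using a PROT_NONE mapping to stand in for a faulting page, so it can be exercised without SGX hardware.

```c
/* Added example (not linux-sgx code): probe whether a page can be read from
 * the untrusted side, distinguishing a fault, abort-page semantics (all 0xFF)
 * and plainly readable memory. POSIX/Linux only. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe_result { PROBE_READABLE = 0, PROBE_ABORT_PAGE = 1, PROBE_FAULT = 2 };

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_armed;

/* Faults raised while a probe is armed unwind back into probe_read();
 * anything else is re-raised with the default disposition. */
static void probe_handler(int sig)
{
    if (probe_armed)
        siglongjmp(probe_env, 1);
    signal(sig, SIG_DFL);
    raise(sig);
}

static int install_handlers(struct sigaction *old_segv, struct sigaction *old_bus)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, old_segv) != 0) return -1;
    if (sigaction(SIGBUS, &sa, old_bus) != 0) return -1;
    return 0;
}

/* Read len bytes from addr (copied to out if non-NULL) and classify the access.
 * Reads go through a volatile pointer so the compiler cannot elide them. */
enum probe_result probe_read(const void *addr, size_t len, uint8_t *out)
{
    struct sigaction old_segv, old_bus;
    enum probe_result r;
    if (install_handlers(&old_segv, &old_bus) != 0) return PROBE_FAULT;
    probe_armed = 1;
    if (sigsetjmp(probe_env, 1) == 0) {
        const volatile uint8_t *p = (const volatile uint8_t *)addr;
        size_t i, ones = 0;
        for (i = 0; i < len; i++) {
            uint8_t b = p[i];
            if (out) out[i] = b;
            if (b == 0xFF) ones++;
        }
        r = (len > 0 && ones == len) ? PROBE_ABORT_PAGE : PROBE_READABLE;
    } else {
        r = PROBE_FAULT;
    }
    probe_armed = 0;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return r;
}

/* Self-test on constructed inputs: a plain buffer, a buffer of 0xFF bytes
 * (what an abort page looks like) and a PROT_NONE page (what a fault looks like). */
int demo_probe(enum probe_result results[3])
{
    long pg = sysconf(_SC_PAGESIZE);
    uint8_t plain[64], ones[64];
    void *none = mmap(NULL, (size_t)pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (none == MAP_FAILED) return -1;
    memset(plain, 0x41, sizeof plain);
    memset(ones, 0xFF, sizeof ones);
    results[0] = probe_read(plain, sizeof plain, NULL);
    results[1] = probe_read(ones, sizeof ones, NULL);
    results[2] = probe_read(none, 64, NULL);
    munmap(none, (size_t)pg);
    return 0;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "readable", "abort page (all 0xFF)", "fault" };
    enum probe_result r[3];
    if (demo_probe(r) == 0)
        printf("plain buffer: %s\n0xFF buffer: %s\nPROT_NONE page: %s\n",
               names[r[0]], names[r[1]], names[r[2]]);
    if (argc > 1) {
        /* Assumed usage: argv[1] is the TCS address seen in the uRTS (e.g. RBX at EENTER). */
        uintptr_t a = (uintptr_t)strtoull(argv[1], NULL, 0);
        uint8_t buf[16];
        enum probe_result pr = probe_read((const void *)a, sizeof buf, buf);
        printf("%#lx: %s\n", (unsigned long)a, names[pr]);
    }
    return 0;
}
```

Run it with no arguments to see the three classifications on ordinary memory, or pass the TCS address taken from the uRTS to see how the hardware treats a non-enclave read of that page. Note that this only covers the TCS; the SECS page is never mapped into the application's address space in the first place, so there is no address for untrusted code to probe.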