As far as I understood, uRTS code is readable from the untrusted memory. From the previous link, it looks like the TCS is passed to the ECALL, as also looks like here: https://github.com/intel/linux-sgx/blob/master/psw/urts/linux/enter_enclave.S#L36
So, what I am wondering is: is it possible to read the TCS from the untrusted memory region? Same for SECS.
Or else, did I totally misunderstand the code I posted above? :D