Whenever EENTER instruction gets called, It flushes TLB entries for addresses in the enclave’s ELRANGE? Can someone please explain the reasoning behind this?
- General Support
The answer to your question can be very complex. I will keep it short here and refer you to the paper, SGX Explained, for a more in-depth answer. The TLB gets flushed at every SGX context change, which includes EENTER, EEXIT, and ERESUME. One of the basic principles of SGX is that the host and system software are not trusted. However, under SGX, the operating system and hypervisor are still in full control of the pages tables and EPTs. Flushing the TLB between every context change, i.e. host to enclave, enclave to host, helps to mitigate address translation attacks. Please read the paper, SGX Explained, for a more in depth discussion on these attacks and how the SGX architecture and design aims to prevent them.