by tenebrisalietum 1424 days ago
Reading this:

https://www.intel.com/content/www/us/en/developer/articles/t...

What this seems to be is:

- Intel CPUs with SGX have an additional CPU mode that understands and runs XuCode: "XuCode is implemented as a variant of 64-bit mode code, running from protected system memory, using a special execution mode of the CPU."

-- I know that "ring" terminology is used to describe CPU modes, e.g. calling a hypervisor setup ring -1, SMM ring -2, and the Intel management engine ring -3. Seems like this mode is something like ring -2.5.

- "It is authenticated and loaded as part of a microcode update and is installed into a Processor Reserved Memory (PRM) range, typically allocated by system firmware. The memory range itself is protected from software and direct memory accesses by the Processor Reserved Memory Range Registers (PRMRRs)."

So the BIOS steals a bit of your RAM (which the ME already does), sets it up to be the PRM, and a microcode update unpacks XuCode now contained in the microcode data, and puts it in this PRM. I guess some SGX instructions are essentially a specialized form of INT instructions that "exception out" specifically to this special CPU mode/PRM space.

So I'm under the impression XuCode is essentially called by the microcode when certain SGX instructions are encountered.

Weird ...