모두의 코드
GETSEC[SENTER] (Intel x86/64 assembly instruction)

작성일 : 2020-09-01 이 글은 1024 번 읽혔습니다.

GETSEC[SENTER]

Enter a Measured Environment### Description

The GETSEC[SENTER] instruction initiates the launch of a measured environment and places the initiating logical processor (ILP) into the authenticated code execution mode. The SENTER leaf of GETSEC is selected with EAX set to 4 at execution. The physical base address of the AC module to be loaded and authenticated is specified in EBX. The size of the module in bytes is specified in ECX. EDX controls the level of functionality supported by the measured environment launch. To enable the full functionality of the protected environment launch, EDX must be initialized to zero.

The authenticated code base address and size parameters (in bytes) are passed to the GETSEC[SENTER] instruc-tion using EBX and ECX respectively. The ILP evaluates the contents of these registers according to the rules for the AC module address in GETSEC[ENTERACCS]. AC module execution follows the same rules, as set by GETSEC[ENTERACCS].

The launching software must ensure that the TPM.ACCESS0.activeLocality bit is clear before executing the GETSEC[SENTER] instruction.

There are restrictions enforced by the processor for execution of the GETSEC[SENTER] instruction:

  • Execution is not allowed unless the processor is in protected mode or IA-32e mode with CPL = 0 and EFLAGS.VM = 0.

  • Processor cache must be available and not disabled using the CR0.CD and NW bits.

  • For enforcing consistency of operation with numeric exception reporting using Interrupt 16, CR0.NE must be set.

  • An Intel TXT-capable chipset must be present as communicated to the processor by sampling of the power-on configuration capability field after reset.

  • The processor can not be in authenticated code execution mode or already in a measured environment (as launched by a previous GETSEC[ENTERACCS] or GETSEC[SENTER] instruction).

  • To avoid potential operability conflicts between modes, the processor is not allowed to execute this instruction if it currently is in SMM or VMX operation.

  • To insure consistent handling of SIPI messages, the processor executing the GETSEC[SENTER] instruction must also be designated the BSP (boot-strap processor) as defined by A32APICBASE.BSP (Bit 8).

  • EDX must be initialized to a setting supportable by the processor. Unless enumeration by the GETSEC[PARAM-ETERS] leaf reports otherwise, only a value of zero is supported.

Failure to abide by the above conditions results in the processor signaling a general protection violation.

This instruction leaf starts the launch of a measured environment by initiating a rendezvous sequence for all logical processors in the platform. The rendezvous sequence involves the initiating logical processor sending a message (by executing GETSEC[SENTER]) and other responding logical processors (RLPs) acknowledging the message, thus synchronizing the RLP(s) with the ILP.

In response to a message signaling the completion of rendezvous, RLPs clear the bootstrap processor indicator flag (IA32APICBASE.BSP) and enter an SENTER sleep state. In this sleep state, RLPs enter an idle processor condi-tion while waiting to be activated after a measured environment has been established by the system executive. RLPs in the SENTER sleep state can only be activated by the GETSEC leaf function WAKEUP in a measured environ-ment.

A successful launch of the measured environment results in the initiating logical processor entering the authenti-cated code execution mode. Prior to reaching this point, the ILP performs the following steps internally:

  • Inhibit processor response to the external events: INIT, A20M, NMI, and SMI.

  • Establish and check the location and size of the authenticated code module to be executed by the ILP.

  • Check for the existence of an Intel(R) TXT-capable chipset.

  • Verify the current power management configuration is acceptable.

  • Broadcast a message to enable protection of memory and I/O from activities from other processor agents.

  • Load the designated AC module into authenticated code execution area.

  • Isolate the content of authenticated code execution area from further state modification by external agents.

  • Authenticate the AC module.

  • Updated the Trusted Platform Module (TPM) with the authenticated code module's hash.

  • Initialize processor state based on the authenticated code module header information.

  • Unlock the Intel(R) TXT-capable chipset private configuration register space and TPM locality 3 space.

  • Begin execution in the authenticated code module at the defined entry point.

As an integrity check for proper processor hardware operation, execution of GETSEC[SENTER] will also check the contents of all the machine check status registers (as reported by the MSRs IA32MCiSTATUS) for any valid uncorrectable error condition. In addition, the global machine check status register IA32MCGSTATUS MCIP bit must be cleared and the IERR processor package pin (or its equivalent) must be not asserted, indicating that no machine check exception processing is currently in-progress. These checks are performed twice: once by the ILP prior to the broadcast of the rendezvous message to RLPs, and later in response to RLPs acknowledging the rendez-vous message. Any outstanding valid uncorrectable machine check error condition present in the machine check status registers at the first check point will result in the ILP signaling a general protection violation. If an outstanding valid uncorrectable machine check error condition is present at the second check point, then this will result in the corresponding logical processor signaling the more severe TXT-shutdown condition with an error code of 12.

Before loading and authentication of the target code module is performed, the processor also checks that the current voltage and bus ratio encodings correspond to known good values supportable by the processor. The MSR IA32PERFSTATUS values are compared against either the processor supported maximum operating target setting, system reset setting, or the thermal monitor operating target. If the current settings do not meet any of these criteria then the SENTER function will attempt to change the voltage and bus ratio select controls in a processor-specific manner. This adjustment may be to the thermal monitor, minimum (if different), or maximum operating target depending on the processor.

This implies that some thermal operating target parameters configured by BIOS may be overridden by SENTER. The measured environment software may need to take responsibility for restoring such settings that are deemed to be safe, but not necessarily recognized by SENTER. If an adjustment is not possible when an out of range setting is discovered, then the processor will abort the measured launch. This may be the case for chipset controlled settings of these values or if the controllability is not enabled on the processor. In this case it is the responsibility of the external software to program the chipset voltage ID and/or bus ratio select settings to known good values recognized by the processor, prior to executing SENTER.

NOTE

For a mobile processor, an adjustment can be made according to the thermal monitor operating target. For a quad-core processor the SENTER adjustment mechanism may result in a more conser-vative but non-uniform voltage setting, depending on the pre-SENTER settings per core.

The ILP and RLPs mask the response to the assertion of the external signals INIT#, A20M, NMI#, and SMI#. The purpose of this masking control is to prevent exposure to existing external event handlers until a protected handler has been put in place to directly handle these events. Masked external pin events may be unmasked conditionally or unconditionally via the GETSEC[EXITAC], GETSEC[SEXIT], GETSEC[SMCTRL] or for specific VMX related opera-tions such as a VM entry or the VMXOFF instruction (see respective GETSEC leaves and Intel(R) 64 and IA-32 Archi-tectures Software Developer's Manual, Volume 3C for more details). The state of the A20M pin is masked and forced internally to a de-asserted state so that external assertion is not recognized. A20M masking as set by GETSEC[SENTER] is undone only after taking down the measured environment with the GETSEC[SEXIT] instruc-tion or processor reset. INTR is masked by simply clearing the EFLAGS.IF bit. It is the responsibility of system soft-ware to control the processor response to INTR through appropriate management of EFLAGS.

To prevent other (logical) processors from interfering with the ILP operating in authenticated code execution mode, memory (excluding implicit write-back transactions) and I/O activities originating from other processor agents are blocked. This protection starts when the ILP enters into authenticated code execution mode. Only memory and I/O transactions initiated from the ILP are allowed to proceed. Exiting authenticated code execution mode is done by executing GETSEC[EXITAC]. The protection of memory and I/O activities remains in effect until the ILP executes GETSEC[EXITAC].

Once the authenticated code module has been loaded into the authenticated code execution area, it is protected against further modification from external bus snoops. There is also a requirement that the memory type for the authenticated code module address range be WB (via initialization of the MTRRs prior to execution of this instruc-tion). If this condition is not satisfied, it is a violation of security and the processor will force a TXT system reset (after writing an error code to the chipset LT.ERRORCODE register). This action is referred to as a Intel(R) TXT reset condition. It is performed when it is considered unreliable to signal an error through the conventional exception reporting mechanism.

To conform to the minimum granularity of MTRR MSRs for specifying the memory type, authenticated code RAM (ACRAM) is allocated to the processor in 4096 byte granular blocks. If an AC module size as specified in ECX is not a multiple of 4096 then the processor will allocate up to the next 4096 byte boundary for mapping as ACRAM with indeterminate data. This pad area will not be visible to the authenticated code module as external memory nor can it depend on the value of the data used to fill the pad area.

Once successful authentication has been completed by the ILP, the computed hash is stored in a trusted storage facility in the platform. The following trusted storage facility are supported:

  • If the platform register FTM_INTERFACE_ID.[bits 3:0] = 0, the computed hash is stored to the platform's TPM at PCR17 after this register is implicitly reset. PCR17 is a dedicated register for holding the computed hash of the authenticated code module loaded and subsequently executed by the GETSEC[SENTER]. As part of this process, the dynamic PCRs 18-22 are reset so they can be utilized by subsequently software for registration of code and data modules.

  • If the platform register FTM_INTERFACE_ID.[bits 3:0] = 1, the computed hash is stored in a firmware trusted module (FTM) using a modified protocol similar to the protocol used to write to TPM's PCR17.

After successful execution of SENTER, either PCR17 (if FTM is not enabled) or the FTM (if enabled) contains the measurement of AC code and the SENTER launching parameters.

After authentication is completed successfully, the private configuration space of the Intel(R) TXT-capable chipset is unlocked so that the authenticated code module and measured environment software can gain access to this normally restricted chipset state. The Intel(R) TXT-capable chipset private configuration space can be locked later by software writing to the chipset LT.CMD.CLOSE-PRIVATE register or unconditionally using the GETSEC[SEXIT] instruction.

The SENTER leaf function also initializes some processor architecture state for the ILP from contents held in the header of the authenticated code module. Since the authenticated code module is relocatable, all address refer-ences are relative to the base address passed in via EBX. The ILP GDTR base value is initialized to EBX + [GDTBa-sePtr] and GDTR limit set to [GDTLimit]. The CS selector is initialized to the value held in the AC module header field SegSel, while the DS, SS, and ES selectors are initialized to CS+8. The segment descriptor fields are initialized implicitly with BASE=0, LIMIT=FFFFFh, G=1, D=1, P=1, S=1, read/write/accessed for DS, SS, and ES, while execute/read/accessed for CS. Execution in the authenticated code module for the ILP begins with the EIP set to EBX + [EntryPoint]. AC module defined fields used for initializing processor state are consistency checked with a failure resulting in an TXT-shutdown condition.

Table 6-6 provides a summary of processor state initialization for the ILP and RLP(s) after successful completion of GETSEC[SENTER]. For both ILP and RLP(s), paging is disabled upon entry to the measured environment. It is up to the ILP to establish a trusted paging environment, with appropriate mappings, to meet protection requirements established during the launch of the measured environment. RLP state initialization is not completed until a subse-quent wake-up has been signaled by execution of the GETSEC[WAKEUP] function by the ILP.

Table 6-6. Register State Initialization after GETSEC[SENTER] and GETSEC[WAKEUP]

참고 사항

아래 표를 해석하는 방법은 x86-64 명령어 레퍼런스 읽는 법 글을 참조하시기 바랍니다.

Register State

ILP after GETSEC[SENTER]

RLP after GETSEC[WAKEUP]

CR0
CR4
EFLAGS
IA32_EFER
EIP
EBX
EDX
EBP
CS
DS, ES, SS
GDTR
DR7
IA32_DEBUGCTL
Performance counters and counter control registers
IA32_MISC_ENABLE
IA32_SMM_MONITOR_CTL

PG<-0, AM<-0, WP<-0; Others unchanged
00004000H
00000002H
0H
[EntryPoint from MLE header1 ]
Unchanged [SINIT.BASE]
SENTER control flags
SINIT.BASE
Sel=[SINIT SegSel], base=0, limit=FFFFFh, G=1, D=1, AR=9BH
Sel=[SINIT SegSel] +8, base=0, limit=FFFFFh, G=1, D=1, AR=93H
Base= SINIT.base (EBX) + [SINIT.GDTBasePtr], Limit=[SINIT.GDTLimit]
00000400H
0H
0H
See Table6-5
Bit 2<-0

PG<-0, CD<-0, NW<-0, AM<-0, WP<-0; PE<-1, NE<-1
00004000H
00000002H
0
[LT.MLE.JOIN + 12]
Unchanged
Unchanged
Unchanged
Sel = [LT.MLE.JOIN + 8], base = 0, limit = FFFFFH, G = 1, D = 1, AR = 9BH
Sel = [LT.MLE.JOIN + 8] +8, base = 0, limit = FFFFFH, G = 1, D = 1, AR = 93H
Base = [LT.MLE.JOIN + 4], Limit = [LT.MLE.JOIN]
00000400H
0H
0H
See Table6-5
Bit 2<-0

  1. See Intel(R) Trusted Execution Technology Measured Launched Environment Programming Guide for MLE header format.

Segmentation related processor state that has not been initialized by GETSEC[SENTER] requires appropriate initialization before use. Since a new GDT context has been established, the previous state of the segment selector values held in FS, GS, TR, and LDTR may no longer be valid. The IDTR will also require reloading with a new IDT context after launching the measured environment before exceptions or the external interrupts INTR and NMI can be handled. In the meantime, the programmer must take care in not executing an INT n instruction or any other condition that would result in an exception or trap signaling.

Debug exception and trap related signaling is also disabled as part of execution of GETSEC[SENTER]. This is achieved by clearing DR7, TF in EFLAGs, and the MSR IA32_DEBUGCTL as defined in Table 6-6. These can be re-enabled once supporting exception handler(s), descriptor tables, and debug registers have been properly re-initial-ized following SENTER. Also, any pending single-step trap condition will be cleared at the completion of SENTER for both the ILP and RLP(s).

Performance related counters and counter control registers are cleared as part of execution of SENTER on both the ILP and RLP. This implies any active performance counters at the time of SENTER execution will be disabled. To reactive the processor performance counters, this state must be re-initialized and re-enabled.

Since MCE along with all other state bits (with the exception of SMXE) are cleared in CR4 upon execution of SENTER processing, any enabled machine check error condition that occurs will result in the processor performing the TXT-

shutdown action. This also applies to an RLP while in the SENTER sleep state. For each logical processor CR4.MCE must be reestablished with a valid machine check exception handler to otherwise avoid an TXT-shutdown under such conditions.

The MSR IA32_EFER is also unconditionally cleared as part of the processor state initialized by SENTER for both the ILP and RLP. Since paging is disabled upon entering authenticated code execution mode, a new paging environ-ment will have to be re-established if it is desired to enable IA-32e mode while operating in authenticated code execution mode.

The miscellaneous feature control MSR, IA32_MISC_ENABLE, is initialized as part of the measured environment launch. Certain bits of this MSR are preserved because preserving these bits may be important to maintain previ-ously established platform settings. See the footnote for Table 6-5 The remaining bits are cleared for the purpose of establishing a more consistent environment for the execution of authenticated code modules. Among the impact of initializing this MSR, any previous condition established by the MONITOR instruction will be cleared.

Effect of MSR IA32_FEATURE_CONTROL MSR

Bits 15:8 of the IA32_FEATURE_CONTROL MSR affect the execution of GETSEC[SENTER]. These bits consist of two fields:

  • Bit 15: a global enable control for execution of SENTER.

  • Bits 14:8: a parameter control field providing the ability to qualify SENTER execution based on the level of functionality specified with corresponding EDX parameter bits 6:0.

The layout of these fields in the IA32_FEATURE_CONTROL MSR is shown in Table 6-1.

Prior to the execution of GETSEC[SENTER], the lock bit of IA32_FEATURE_CONTROL MSR must be bit set to affirm the settings to be used. Once the lock bit is set, only a power-up reset condition will clear this MSR. The IA32_FEATURE_CONTROL MSR must be configured in accordance to the intended usage at platform initialization. Note that this MSR is only available on SMX or VMX enabled processors. Otherwise, IA32_FEATURE_CONTROL is treated as reserved.

The Intel(R) Trusted Execution Technology Measured Launched Environment Programming Guide provides additional details and requirements for programming measured environment software to launch in an Intel TXT platform

Operation in a Uni-Processor Platform

(* The state of the internal flag ACMODEFLAG and SENTERFLAG persist across instruction boundary *)

GETSEC[SENTER] (ILP only):

IF (CR4.SMXE=0)

THEN #UD;

ELSE IF (in VMX non-root operation)

THEN VM Exit (reason="GETSEC instruction");

ELSE IF (GETSEC leaf unsupported)

THEN #UD;

ELSE IF ((in VMX root operation) or

(CR0.PE=0) or (CR0.CD=1) or (CR0.NW=1) or (CR0.NE=0) or

(CPL>0) or (EFLAGS.VM=1) or

(IA32_APIC_BASE.BSP=0) or (TXT chipset not present) or

(SENTERFLAG=1) or (ACMODEFLAG=1) or (IN_SMM=1) or

(TPM interface is not present) or

(EDX -> (SENTER_EDX_support_mask & EDX)) or

(IA32_FEATURE_CONTROL[0]=0) or (IA32_FEATURE_CONTROL[15]=0) or

((IA32_FEATURE_CONTROL[14:8] & EDX[6:0]) -> EDX[6:0]))

THEN #GP(0);

IF (GETSEC[PARAMETERS].Parameter_Type = 5, MCA_Handling (bit 6) = 0)

FOR I = 0 to IA32_MCG_CAP.COUNT-1 DO

IF IA32_MC[I]_STATUS = uncorrectable error

THEN #GP(0);

FI;

OD;

FI;

IF (IA32_MCG_STATUS.MCIP=1) or (IERR pin is asserted)

THEN #GP(0);

ACBASE<- EBX;

ACSIZE<- ECX;

IF (((ACBASE MOD 4096) -> 0) or ((ACSIZE MOD 64) -> 0 ) or (ACSIZE < minimum

module size) or (ACSIZE > AC RAM capacity) or ((ACBASE+ACSIZE) > (2^32 -1)))

THEN #GP(0);

Mask SMI, INIT, A20M, and NMI external pin events;

SignalTXTMsg(SENTER);

DO

WHILE (no SignalSENTER message);

TXT_SENTER__MSG_EVENT (ILP & RLP):

Mask and clear SignalSENTER event;

Unmask SignalSEXIT event;

IF (in VMX operation)

THEN TXT-SHUTDOWN(#IllegalEvent);

FOR I = 0 to IA32_MCG_CAP.COUNT-1 DO

IF IA32_MC[I]_STATUS = uncorrectable error

THEN TXT-SHUTDOWN(#UnrecovMCError);

FI;

OD;

IF (IA32_MCG_STATUS.MCIP=1) or (IERR pin is asserted)

THEN TXT-SHUTDOWN(#UnrecovMCError);

IF (Voltage or bus ratio status are NOT at a known good state)

THEN IF (Voltage select and bus ratio are internally adjustable)

THEN

Make product-specific adjustment on operating parameters;

ELSE

TXT-SHUTDOWN(#IIlegalVIDBRatio);

FI;

IA32_MISC_ENABLE<- (IA32_MISC_ENABLE & MASK_CONST*)

(* The hexadecimal value of MASK_CONST may vary due to processor implementations *)

A20M<- 0;

IA32_DEBUGCTL<- 0;

Invalidate processor TLB(s);

Drain outgoing transactions;

Clear performance monitor counters and control;

SENTERFLAG<- 1;

SignalTXTMsg(SENTERAck);

IF (logical processor is not ILP)

THEN GOTO RLP_SENTER_ROUTINE;

(* ILP waits for all logical processors to ACK *)

DO

DONE<- TXT.READ(LT.STS);

WHILE (not DONE);

SignalTXTMsg(SENTERContinue);

SignalTXTMsg(ProcessorHold);

FOR I=ACBASE to ACBASE+ACSIZE-1 DO

ACRAM[I-ACBASE].ADDR<- I;

ACRAM[I-ACBASE].DATA<- LOAD(I);

OD;

IF (ACRAM memory type -> WB)

THEN TXT-SHUTDOWN(#BadACMMType);

IF (AC module header version is not supported) OR (ACRAM[ModuleType] -> 2)

THEN TXT-SHUTDOWN(#UnsupportedACM);

KEY<- GETKEY(ACRAM, ACBASE);

KEYHASH<- HASH(KEY);

CSKEYHASH<- LT.READ(LT.PUBLIC.KEY);

IF (KEYHASH -> CSKEYHASH)

THEN TXT-SHUTDOWN(#AuthenticateFail);

SIGNATURE<- DECRYPT(ACRAM, ACBASE, KEY);

(* The value of SIGNATURE_LEN_CONST is implementation-specific*)

FOR I=0 to SIGNATURE_LEN_CONST - 1 DO

ACRAM[SCRATCH.I]<- SIGNATURE[I];

COMPUTEDSIGNATURE<- HASH(ACRAM, ACBASE, ACSIZE);

FOR I=0 to SIGNATURE_LEN_CONST - 1 DO

ACRAM[SCRATCH.SIGNATURE_LEN_CONST+I]<- COMPUTEDSIGNATURE[I];

IF (SIGNATURE -> COMPUTEDSIGNATURE)

THEN TXT-SHUTDOWN(#AuthenticateFail);

ACMCONTROL<- ACRAM[CodeControl];

IF ((ACMCONTROL.0 = 0) and (ACMCONTROL.1 = 1) and (snoop hit to modified line detected on ACRAM load))

THEN TXT-SHUTDOWN(#UnexpectedHITM);

IF (ACMCONTROL reserved bits are set)

THEN TXT-SHUTDOWN(#BadACMFormat);

IF ((ACRAM[GDTBasePtr] < (ACRAM[HeaderLen] * 4 + Scratch_size)) OR

((ACRAM[GDTBasePtr] + ACRAM[GDTLimit]) >= ACSIZE))

THEN TXT-SHUTDOWN(#BadACMFormat);

IF ((ACMCONTROL.0 = 1) and (ACMCONTROL.1 = 1) and (snoop hit to modified

line detected on ACRAM load))

THEN ACEntryPoint<- ACBASE+ACRAM[ErrorEntryPoint];

ELSE

ACEntryPoint<- ACBASE+ACRAM[EntryPoint];

IF ((ACEntryPoint >= ACSIZE) or (ACEntryPoint < (ACRAM[HeaderLen] * 4 + Scratch_size)))

THEN TXT-SHUTDOWN(#BadACMFormat);

IF ((ACRAM[SegSel] > (ACRAM[GDTLimit] - 15)) or (ACRAM[SegSel] < 8))

THEN TXT-SHUTDOWN(#BadACMFormat);

IF ((ACRAM[SegSel].TI=1) or (ACRAM[SegSel].RPL-> 0))

THEN TXT-SHUTDOWN(#BadACMFormat);

IF (FTM_INTERFACE_ID.[3:0] = 1 ) (* Alternate FTM Interface has been enabled *)

THEN (* TPM_LOC_CTRL_4 is located at 0FED44008H, TMP_DATA_BUFFER_4 is located at 0FED44080H *)

WRITE(TPM_LOC_CTRL_4) <- 01H; (* Modified HASH.START protocol *)

(* Write to firmware storage *)

WRITE(TPM_DATA_BUFFER_4) <- SIGNATURE_LEN_CONST + 4;

FOR I=0 to SIGNATURE_LEN_CONST - 1 DO

WRITE(TPM_DATA_BUFFER_4 + 2 + I )<- ACRAM[SCRATCH.I];

WRITE(TPM_DATA_BUFFER_4 + 2 + SIGNATURE_LEN_CONST) <- EDX;

WRITE(FTM.LOC_CTRL) <- 06H; (* Modified protocol combining HASH.DATA and HASH.END *)

ELSE IF (FTM_INTERFACE_ID.[3:0] = 0 ) (* Use standard TPM Interface *)

ACRAM[SCRATCH.SIGNATURE_LEN_CONST]<- EDX;

WRITE(TPM.HASH.START)<- 0;

FOR I=0 to SIGNATURE_LEN_CONST + 3 DO

WRITE(TPM.HASH.DATA)<- ACRAM[SCRATCH.I];

WRITE(TPM.HASH.END)<- 0;

FI;

ACMODEFLAG<- 1;

CR0.[PG.AM.WP]<- 0;

CR4<- 00004000h;

EFLAGS<- 00000002h;

IA32_EFER<- 0;

EBP<- ACBASE;

GDTR.BASE<- ACBASE+ACRAM[GDTBasePtr];

GDTR.LIMIT<- ACRAM[GDTLimit];

CS.SEL<- ACRAM[SegSel];

CS.BASE<- 0;

CS.LIMIT<- FFFFFh;

CS.G<- 1;

CS.D<- 1;

CS.AR<- 9Bh;

DS.SEL<- ACRAM[SegSel]+8;

DS.BASE<- 0;

DS.LIMIT<- FFFFFh;

DS.G<- 1;

DS.D<- 1;

DS.AR<- 93h;

SS<- DS;

ES<- DS;

DR7<- 00000400h;

IA32_DEBUGCTL<- 0;

SignalTXTMsg(UnlockSMRAM);

SignalTXTMsg(OpenPrivate);

SignalTXTMsg(OpenLocality3);

EIP<- ACEntryPoint;

END;

RLP_SENTER_ROUTINE: (RLP only)

Mask SMI, INIT, A20M, and NMI external pin events

Unmask SignalWAKEUP event;

Wait for SignalSENTERContinue message;

IA32_APIC_BASE.BSP<- 0;

GOTO SENTER sleep state;

END;

Flags Affected

All flags are cleared.

Use of Prefixes

LOCK Causes #UD.

REP* Cause #UD (includes REPNE/REPNZ and REP/REPE/REPZ).

Operand size Causes #UD.

Segment overrides Ignored.

Address size Ignored.

REX Ignored.

Protected Mode Exceptions

#UD

  • If CR4.SMXE = 0.

  • If GETSEC[SENTER] is not reported as supported by GETSEC[CAPABILITIES].

#GP(0)

  • If CR0.CD = 1 or CR0.NW = 1 or CR0.NE = 0 or CR0.PE = 0 or CPL > 0 or EFLAGS.VM = 1.

  • If in VMX root operation.

  • If the initiating processor is not designated as the bootstrap processor via the MSR bit IA32_APIC_BASE.BSP.

  • If an Intel(R) TXT-capable chipset is not present.

  • If an Intel(R) TXT-capable chipset interface to TPM is not detected as present.

  • If a protected partition is already active or the processor is already in authenticated code mode.

  • If the processor is in SMM.

  • If a valid uncorrectable machine check error is logged in IA32_MC[I]_STATUS.

  • If the authenticated code base is not on a 4096 byte boundary.

  • If the authenticated code size > processor's authenticated code execution area storage capacity.

  • If the authenticated code size is not modulo 64.

Real-Address Mode Exceptions

#UD

  • If CR4.SMXE = 0.

  • If GETSEC[SENTER] is not reported as supported by GETSEC[CAPABILITIES].

#GP(0)

  • GETSEC[SENTER] is not recognized in real-address mode.

Virtual-8086 Mode Exceptions

#UD

  • If CR4.SMXE = 0.

  • If GETSEC[SENTER] is not reported as supported by GETSEC[CAPABILITIES].

#GP(0)

  • GETSEC[SENTER] is not recognized in virtual-8086 mode.

Compatibility Mode Exceptions

#GP

  • IF AC code module does not reside in physical address below 2^32 -1.

64-Bit Mode Exceptions

#GP

  • IF AC code module does not reside in physical address below 2^32 -1.

    VM-Exit Condition

Reason (GETSEC) IF in VMX non-root operation.

첫 댓글을 달아주세요!
프로필 사진 없음
강좌에 관련 없이 궁금한 내용은 여기를 사용해주세요

    댓글을 불러오는 중입니다..