Certain computer processors support partitioning logical memory space into multiple partitions. For example, certain processors manufactured by Intel Corporation support a segmented memory model when operating in 32-bit mode. In those processors, a memory access instruction may specify a logical address (sometimes called a far pointer) that includes a segment selector and an effective address. The segment selector, which may be stored in a dedicated segment register (e.g., CS, SS, DS, ES), may be used to locate a segment descriptor. The segment descriptor includes a segment base and an effective limit. The processor adds the segment base to the effective address to generate a linear address. The processor may generate a general protection fault or other exception if the effective address exceeds the effective limit. The processor then uses a memory management unit and one or more page tables to translate the linear address into a physical memory address.
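The selector-to-linear-address translation described above can be modeled in a few lines of C. This is an added example, not part of the original text: the function names and the sample descriptor table are constructed for illustration, and the model covers only expand-up segments, ignoring the selector's table-indicator and privilege bits and the descriptor's type checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The two descriptor fields the text names, plus the present bit. */
typedef struct { uint32_t base, limit; int present; } seg_desc;

/* Constructed sample table: null entry, flat 4 GiB segment, 4 KiB segment at 1 MiB. */
const uint64_t sample_table[3] = {
    0x0000000000000000ULL,
    0x00CF92000000FFFFULL, /* base 0, limit 0xFFFFF, G=1 */
    0x0040921000000FFFULL, /* base 0x00100000, limit 0xFFF, G=0 */
};

/* Decode a raw 8-byte descriptor (32-bit protected-mode layout). */
seg_desc decode_descriptor(uint64_t raw) {
    seg_desc d;
    uint32_t limit20 = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    d.base = (uint32_t)((raw >> 16) & 0xFFFFFF) | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    d.present = (int)((raw >> 47) & 1);
    /* G flag (bit 55): the 20-bit limit counts 4 KiB units, not bytes. */
    d.limit = ((raw >> 55) & 1) ? ((limit20 << 12) | 0xFFF) : limit20;
    return d;
}

/* Logical -> linear. Returns 0 on success, -1 where the processor would fault. */
int translate(const uint64_t *table, size_t entries, uint16_t selector,
              uint32_t offset, uint32_t size, uint32_t *linear) {
    size_t index = selector >> 3;          /* bits 15:3 index the table */
    if (index == 0 || index >= entries) return -1;
    seg_desc d = decode_descriptor(table[index]);
    if (!d.present || size == 0) return -1;
    /* The last byte touched must lie within the limit; written to avoid wraparound. */
    if (offset > d.limit || size - 1 > d.limit - offset) return -1;
    *linear = d.base + offset;             /* segment base + effective address */
    return 0;
}

int main(void) {
    uint32_t lin = 0;
    int rc = translate(sample_table, 3, 0x10, 0xFFC, 4, &lin);
    printf("in-bounds:  rc=%d linear=0x%08X\n", rc, (unsigned)lin);
    rc = translate(sample_table, 3, 0x10, 0xFFD, 4, &lin);
    printf("past limit: rc=%d\n", rc);
    return 0;
}
```

The second sample entry shows the isolation property segmentation provides: a four-byte access at offset 0xFFD would touch byte 0x1000, one past the limit, and is rejected before any linear address is produced.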
Most modern operating systems use a flat memory model, effectively disabling the segmentation features of the processor. For example, the operating system may treat the entire virtual memory space as a single segment. Additionally, support for memory segmentation is typically limited for processors operating in 64-bit mode. For example, in 64-bit mode the segment base for most segments is required to be zero, and the effective limit is not checked.
Current processors may provide support for a trusted execution environment such as a secure enclave. Secure enclaves include ranges of memory (including code and/or data) protected by the processor from unauthorized access, including unauthorized reads and writes. In particular, certain processors may include Intel® Software Guard Extensions (SGX) to provide secure enclave support. SGX provides confidentiality, integrity, and replay-protection to the secure enclave data while the data is resident in the platform memory and thus provides protection against both software and hardware attacks. The on-chip boundary forms a natural security boundary, where data and code may be stored in plaintext and assumed to be secure. Current processors may not support certain segmentation features from within an SGX secure enclave. For example, certain processors may require the segment base to be set to zero for most segments within a secure enclave and may disallow instructions that manipulate segment registers (other than the FS and GS registers).