To create an SGX enclave, we have to pass long ldflags:
-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
-Wl,--whole-archive -lsgx_tcmalloc -Wl,--no-whole-archive \
-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
-Wl,--defsym,__ImageBase=0 \
-Wl,--version-script=Enclave/Enclave.lds
All the other options are somewhat understood, but I don't get what the -pie,-eenclave_entry does.
To my understanding, enclave_entry is an assembly routine defined in sdk/trts/linux/trts_pic.S:
DECLARE_GLOBAL_FUNC enclave_entry
[...]
.cfi_startproc
/* Clear unused general registers */
xor %xdx, %xdx
add %xdx, %xdx /* OF = SF = AF = CF = 0; ZF = PF = 1 */
cld /* DF = 0 */
#if defined(LINUX64)
xor %r8, %r8
xor %r9, %r9
[...]
This routine somewhat finally invokes enter_enclave, which in turn dispatches enclave routines based on the leaf code.
I am struggling to know the meaning of the -e flag, and how it comes into play when transitioning into the enclave.