CreateEnclave function

Creates a new uninitialized enclave. An enclave is an isolated region of code and data within the address space for an application. Only code that runs within the enclave can access data within the same enclave.

Syntax


PVOID WINAPI CreateEnclave(
  _In_      HANDLE  hProcess,
  _In_opt_  LPVOID  lpAddress,
  _In_      SIZE_T  dwSize,
  _In_      SIZE_T  dwInitialCommittment,
  _In_      DWORD   flEnclaveType,
  _In_      LPCVOID lpEnclaveInformation,
  _In_      DWORD   dwInfoLength,
  _Out_opt_ LPDWORD lpEnclaveError
);

Parameters

hProcess [in]

A handle to the process for which you want to create an enclave.

lpAddress [in, optional]

The preferred base address of the enclave. Specify NULL to have the operating system assign the base address.

dwSize [in]

The size of the enclave that you want to create, including the size of the code that you will load into the enclave, in bytes.

dwInitialCommittment [in]

The amount of memory to commit for the enclave, in bytes.

If the amount of enclave memory available is not sufficient to commit this number of bytes, enclave creation fails. Any memory that remains unused when you initialize the enclave by calling InitializeEnclave is returned to the list of free pages.

The value of the dwInitialCommittment parameter must not exceed the value of the dwSize parameter.

This parameter is not used for virtualization-based security (VBS) enclaves.

flEnclaveType [in]

The architecture type of the enclave that you want to create. To verify that an enclave type is supported, call IsEnclaveTypeSupported.

Value | Meaning
ENCLAVE_TYPE_SGX (0x00000001) | An enclave for the Intel Software Guard Extensions (SGX) architecture extension.
ENCLAVE_TYPE_VBS (0x00000010) | A VBS enclave.

lpEnclaveInformation [in]

A pointer to the architecture-specific information to use to create the enclave.

For the ENCLAVE_TYPE_SGX enclave type, you must specify a pointer to an ENCLAVE_CREATE_INFO_SGX structure.

For the ENCLAVE_TYPE_VBS enclave type, you must specify a pointer to an ENCLAVE_CREATE_INFO_VBS structure.

dwInfoLength [in]

The length of the structure that the lpEnclaveInformation parameter points to, in bytes. For the ENCLAVE_TYPE_SGX enclave type, this value must be 4096. For the ENCLAVE_TYPE_VBS enclave type, this value must be sizeof(ENCLAVE_CREATE_INFO_VBS), which is 36 bytes.

lpEnclaveError [out, optional]

An optional pointer to a variable that receives an enclave error code that is architecture-specific. For the ENCLAVE_TYPE_SGX and ENCLAVE_TYPE_VBS enclave types, the lpEnclaveError parameter is not used.

Return value

If the function succeeds, the return value is the base address of the created enclave.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

For a list of common error codes, see System Error Codes. The following error codes also apply for this function.

Return code | Description
ERROR_NOT_SUPPORTED | An unsupported enclave type was specified.
ERROR_BAD_LENGTH | The value of the dwInfoLength parameter did not match the value expected based on the value specified for the lpEnclaveInformation parameter.

Remarks

To load data into an enclave after you create it, call LoadEnclaveData. To initialize the enclave after you load the data, call InitializeEnclave.

Windows 10, version 1709:  To delete the enclave when you finish using it, call DeleteEnclave. You cannot delete a VBS enclave by calling the VirtualFree or VirtualFreeEx function. You can still delete an SGX enclave by calling VirtualFree or VirtualFreeEx.

Windows 10, version 1507, Windows 10, version 1511, Windows 10, version 1607 and Windows 10, version 1703:  To delete the enclave when you finish using it, call the VirtualFree or VirtualFreeEx function and specify the following values:

  • The base address of the enclave for the lpAddress parameter.
  • 0 for the dwSize parameter.
  • MEM_RELEASE for the dwFreeType parameter. The MEM_DECOMMIT value is not supported for enclaves.

For information about the Intel Software Guard Extensions (SGX) architecture extension, see Intel Software Guard Extensions.
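
The argument rules described above (the dwInfoLength value required for each enclave type, the dwInitialCommittment limit, and the IsEnclaveTypeSupported check) can be enforced before CreateEnclave is called. The following is an added example, not part of the original page or Microsoft sample code; enclave_preflight and create_vbs_enclave are hypothetical names, and returning ERROR_INVALID_PARAMETER for an oversized commitment is the helper's own choice rather than a documented CreateEnclave error.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>            /* pulls in enclaveapi.h and the ERROR_* codes */
#else                           /* values from the page and winerror.h, for off-Windows builds */
#define ENCLAVE_TYPE_SGX        0x00000001
#define ENCLAVE_TYPE_VBS        0x00000010
#define ERROR_SUCCESS           0UL
#define ERROR_BAD_LENGTH        24UL
#define ERROR_NOT_SUPPORTED     50UL
#define ERROR_INVALID_PARAMETER 87UL
#endif

/* Hypothetical helper (not a Windows API): checks the documented argument
 * rules and returns ERROR_SUCCESS or the error the caller should report. */
unsigned long enclave_preflight(unsigned long type, size_t size,
                                size_t initial_commit, unsigned long info_len)
{
    unsigned long expected_len;
    switch (type) {
    case ENCLAVE_TYPE_SGX: expected_len = 4096; break;
    case ENCLAVE_TYPE_VBS: expected_len = 36;   break; /* sizeof(ENCLAVE_CREATE_INFO_VBS) */
    default:               return ERROR_NOT_SUPPORTED;
    }
    if (info_len != expected_len)
        return ERROR_BAD_LENGTH;
    /* dwInitialCommittment is not used for VBS, so only SGX is checked.
     * ERROR_INVALID_PARAMETER is this helper's choice, not a documented code. */
    if (type == ENCLAVE_TYPE_SGX && initial_commit > size)
        return ERROR_INVALID_PARAMETER;
    return ERROR_SUCCESS;
}

#ifdef _WIN32
/* Returns the enclave base or NULL (see GetLastError). On Windows 10,
 * version 1709, release the result with DeleteEnclave. */
PVOID create_vbs_enclave(SIZE_T size, const ENCLAVE_CREATE_INFO_VBS *info)
{
    DWORD err = enclave_preflight(ENCLAVE_TYPE_VBS, size, 0, (DWORD)sizeof(*info));
    if (err != ERROR_SUCCESS) { SetLastError(err); return NULL; }
    if (!IsEnclaveTypeSupported(ENCLAVE_TYPE_VBS)) return NULL;
    return CreateEnclave(GetCurrentProcess(), NULL, size, 0, ENCLAVE_TYPE_VBS,
                         info, (DWORD)sizeof(*info), NULL);
}
#endif

int main(void)
{
    /* Constructed request: VBS type with the SGX info length, which must fail. */
    printf("preflight -> %lu\n", enclave_preflight(ENCLAVE_TYPE_VBS, 0x200000, 0, 4096));
    return 0;
}
```

The Windows-only wrapper compiles only when _WIN32 is defined; the preflight function builds anywhere, so the argument rules can be unit-tested without enclave-capable hardware.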

Requirements

Minimum supported client

Windows 10 [desktop apps | UWP apps]

Minimum supported server

Windows Server 2016 [desktop apps | UWP apps]

Header

Enclaveapi.h (include Winbase.h)

Library

Kernel32.lib

DLL

Api-ms-win-core-enclave-l1-1-0.dll;
Kernel32.dll;
KernelBase.dll

See also

IsEnclaveTypeSupported
LoadEnclaveData
InitializeEnclave
VirtualFree
VirtualFreeEx
ENCLAVE_CREATE_INFO_SGX
ENCLAVE_CREATE_INFO_VBS