Exact behavior of SPTM GXF_entry_point handler on GENTER

Determine the exact operational behavior of the Secure Page Table Monitor (SPTM) handler function GXF_entry_point, which is referenced by the GXF_ENTRY_EL1 vector and invoked when XNU executes GENTER. This includes how the function branches based on ESR_GL1 and how it processes GXF entry events, as opposed to normal exception paths.

Background

The paper identifies that SPTM sets GXF_ENTRY_EL1 to point to a function denoted GXF_entry_point, which performs context setting and conditional branching using ESR_GL1 before dispatching to genter_dispatch_entry. However, because GXF_entry_point is reached on guarded-level entry rather than a standard exception path, the authors cannot fully characterize its internal logic.

Clarifying this behavior is important for understanding how SPTM interprets and dispatches GENTER-based entries from XNU, and how ESR_GL1 is used in this non-standard context.

References

The exact working of this handling is unclear at present, as we do not expect the function to be called in a normal exception handling path, but rather only on GXF entry via GENTER.

Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves (2510.09272 - Steffin et al., 10 Oct 2025) in Section “SPTM Request Handling — GENTER” (label: GENTERHandling)