Dice Question Streamline Icon: https://streamlinehq.com

Purpose of Secure Kernel’s special SPTM gate calls

Determine the purpose and semantics of the Secure Kernel’s special SPTM gate invocations with x16 values 0xff00000000, 0xfe00000000, and 0xfd00000000, including the significance of the pre-call zeroing of general-purpose registers and NEON vectors.

Information Square Streamline Icon: https://streamlinehq.com

Background

The Secure Kernel issues HVC calls through both a main SPTM gate and a special gate. The special gate zeroes multiple registers and NEON vectors before invoking SPTM with specific x16 values, suggesting atypical behavior, possibly for error handling.

The authors could not determine the meaning of these calls without analyzing the SPTM-side handling.

References

Without examining the SPTM handling side of these calls, we cannot yet deduce any clear meaning from them.

Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves (2510.09272 - Steffin et al., 10 Oct 2025) in Section Calls from the Secure Kernel, paragraph “Special Secure Kernel SPTM Gate”