Dice Question Streamline Icon: https://streamlinehq.com

Semantics of Exclaves_L4_MessageTag_t in endpoint calls

Derive the exact semantics of Exclaves_L4_MessageTag_t fields (message registers, capability registers, unwrapped capabilities, non_blocking bit, and label) as used in Exclaves endpoint calls, and specify how targets interpret these tags.

Information Square Streamline Icon: https://streamlinehq.com

Background

Exclaves endpoint calls set and read an Exclaves_L4_MessageTag_t in the IPC buffer, but the precise interpretation of its fields by targets is not fully understood.

This tag likely encodes operation information and resource references; clarifying its semantics would improve understanding of Exclaves RPC behavior.

References

Whilst the exact usage of the tag has not yet been fully reverse-engineered, we can assume the label of the tag works similarly to standard seL4 \gls{IPC} message tags.

Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves (2510.09272 - Steffin et al., 10 Oct 2025) in Section Exclaves IPC Buffer Usage — Userspace exclaves_endpoint_call wrapper