
[Pal/Linux-SGX] enclave_entry.S: Reset FXSAVE extended state on EENTER

Previously, the FXSAVE extended state (ST, XMM, MXCSR registers) was not
cleared on EENTER (i.e., enclave-thread enter). This could lead to
maliciously crafted ST/XMM registers propagating into the enclave and
subverting execution. This commit resets FXSAVE on every EENTER to a
default mostly zero-byte state.

Note that this commit does not reset XSAVE state (YMM, ZMM registers).
This will be fixed in a future commit.
Dmitrii Kuvaiskii 6 years ago
parent
commit
560da76252
1 changed file with 9 additions and 0 deletions: Pal/src/host/Linux-SGX/enclave_entry.S

+ 9 - 0
Pal/src/host/Linux-SGX/enclave_entry.S

@@ -91,6 +91,15 @@ enclave_entry:
 	xorq %r14, %r14
 	xorq %r15, %r15
 
+	# Clear "extended" state (FPU aka x87, SSE, AVX, ...).
+	# TODO: We currently clear only state covered by FXRSTOR but not by XRSTOR
+	#       (e.g., no clearing of YMM/ZMM regs). This is because we didn't read
+	#       the value of XFRM yet, so we don't know whether XRSTOR is safe at
+	#       this point.
+	leaq .Lxrstor_init_arg(%rip), %rax
+	fxrstor (%rax)
+	xorq %rax, %rax
+
 	# register states need to be carefully checked, so we move the handling
 	# to handle_ecall() in enclave_ecalls.c
 	callq handle_ecall
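Review bot: the hunk uses `.Lxrstor_init_arg` as the `fxrstor` operand but its definition is not part of this diff; please confirm that the area is at least 512 bytes, 16-byte aligned (FXRSTOR raises #GP on a misaligned memory operand) and carries only valid MXCSR bits (reserved MXCSR bits set also raise #GP), since a malformed template would fault on every EENTER before `handle_ecall` ever runs. Minor: the first comment line says the block clears "FPU aka x87, SSE, AVX, ..." while the TODO right below correctly states that YMM/ZMM (AVX) state is not reset; drop "AVX" from that line, e.g. `# Clear "extended" state (x87 FPU and SSE; AVX upper halves are NOT cleared, see TODO).` The label name `.Lxrstor_init_arg` is likewise slightly misleading for an `fxrstor` operand, which is acceptable only if the same area is intended to become the XRSTOR template once XFRM has been read.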