[Pal/Linux-SGX] Correctly clear registers in enclave_entry.S

Tiny bug fixes in enclave_entry.S to clear registers:
- Do not clear %r11 twice before EEXIT
- Simulate CLD (by manually clearing DF flag stored in SGX_GPR_RFLAGS)
  on interrupt just after EENTER returning from ocall
- Simulate CLD (by manually clearing DF flag stored in SGX_GPR_RFLAGS)
  on preparation for exception handler _DkExceptionHandler()

Pal/src/host/Linux-SGX/enclave_entry.S

@@ -282,7 +282,7 @@ enclave_entry:
 	movq %rsi, SGX_GPR_RSP(%rbx)
 	movq $0, %gs:SGX_STACK
 	movq $0, %gs:SGX_OCALL_PREPARED
-	xorq %r11, %r11
+	andq $(~RFLAGS_DF), SGX_GPR_RFLAGS(%rbx)
 	jmp .Leexit_exception
 
 .Lsetup_exception_handler:
@@ -365,8 +365,8 @@ enclave_entry:
 	subq $8, %rsi
 	movq %rsi, SGX_GPR_RSP(%rbx)
 
-	# clear rflags to conform the ABI which requires RFLAGS.DF = 0
-	movq $0, SGX_GPR_RFLAGS(%rbx)
+	# Clear RFLAGS.DF to conform to the SysV ABI.
+	andq $(~RFLAGS_DF), SGX_GPR_RFLAGS(%rbx)
 
 	# new RIP is the exception handler
 	leaq _DkExceptionHandler(%rip), %rdi

Pal/src/host/Linux-SGX/sgx_arch.h

@@ -288,4 +288,6 @@ typedef uint8_t sgx_arch_key128_t[16] __attribute__((aligned(16)));
 
 #define RETURN_FROM_OCALL 0xffffffffffffffff
 
+#define RFLAGS_DF (1<<10)
+
 #endif /* SGX_ARCH_H */