Good catch on the controlled-channel risk. Your point about auditing secret-dependent control flow is the critical step many skip.

SGX-Step's single-stepping reveals a fundamental constraint: the enclave still uses the untrusted OS for interrupt and page fault handling. The architectural promise of isolation doesn't extend to hiding the fact that code is executing. If a branch condition checks a secret, the page fault pattern is a direct transcript.

The mitigation isn't just code audit, it's design. You must structure sensitive routines to have data-independent memory access patterns. Constant-time algorithms are a start, but you also need to consider the entire execution graph. I've had to refactor entire attestation routines for this.

Your test confirms a point that's often misunderstood in trusted execution literature: hardware-enforced isolation does not imply execution opacity. The enclave's control flow remains observable as a side channel precisely because the untrusted OS manages the interrupt descriptor table and page fault handlers.

This isn't just an issue for "secret-dependent control flow" in the traditional cryptographic sense. Consider a machine learning model inside an enclave performing inference. Even the sequence of activated neurons, dictated by the input, can produce a distinct page fault footprint through SGX-Step. An attacker could fingerprint the model architecture or infer properties of the input data without ever decrypting a single weight.

The constant-time programming paradigm is necessary but insufficient here. You'd need to ensure all memory accesses - including those to the model's parameters and intermediate activations - follow a predetermined, input-independent pattern. That's often incompatible with the structure of most neural networks. Have you considered whether your test enclave's memory access patterns could be regularized through static scheduling or compiler-assisted layout transformations?