Like, does an SGX enclave attest that meltdown is patched in microcode? That's one way to pull the keys out.
The recentish work to get read write access to some Intel CPU's microcode can probably break SGX too. I wouldn't be surprised if the ME code execution flaws could be used that way too.