https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184829#M3654 <P>Dear&nbsp;Jesus，</P><P>&nbsp;&nbsp;First of all, thank you for your prompt reply.</P><P>&nbsp; But, how about the Intel SGX Card ? (refer to <A href="https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)" target="_blank">https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)</A></P><P>&nbsp; "The SGX Card, a device that can be attached to existing servers via PCI Express, contains three independent SGX-enabled Xeon E processors. Intel says up to four cards – totaling 12 SGX-enabled processors, can be added to a standard 2U Intel Xeon Scalable server".</P><P>&nbsp; &nbsp;If our server&nbsp;attaches&nbsp;the Intel SGX Card with&nbsp;three independent SGX-enabled Xeon E processors, the Seal and UnSeal functions will work ok ?</P> Wed, 27 May 2020 03:40:00 GMT pp__monkeyking 2020-05-27T03:40:00Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184827#M3652 <P>Hello,</P><P>&nbsp; &nbsp; I am trying to test sgx enclave's seal&amp;unseal functions on Linux which is running on&nbsp;multi-socket CPU， E.g:</P><P>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;Thread(s) per core: &nbsp; &nbsp;2<BR />&nbsp; &nbsp; &nbsp; &nbsp; Core(s) per socket: &nbsp; &nbsp;6<BR />&nbsp; &nbsp; &nbsp; &nbsp; Socket(s): &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 2</P><P>&nbsp; &nbsp; If my seal key policy set to :</P><P>&nbsp; &nbsp;&nbsp;uint16_t key_policy = SGX_KEYPOLICY_MRSIGNER; // SGX_KEYPOLICY_MRENCLAVE;</P><P>&nbsp; &nbsp; then:</P><P>&nbsp; &nbsp; if I seal data to /tmp/data1.dat by the Seal_App which just running on CPU-socket-1,</P><P>&nbsp; &nbsp; can&nbsp;/tmp/data1.dat be unsealed&nbsp;by the UnSeal_App which just running on CPU-socket-2 ???</P><P>&nbsp; &nbsp; Note:&nbsp;Seal_App and&nbsp;UnSeal_App are signed by the same enclave-SIGNER.</P><P>&nbsp;</P><P>&nbsp; &nbsp; And, Where can I find related instructions ???</P> Wed, 20 May 2020 10:15:49 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184827#M3652 pp__monkeyking 2020-05-20T10:15:49Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184828#M3653 <P>Hello Monkeyking,</P><P>You don't have to worry about this. There is no dual-socket SGX-capable processor on the market.</P><P>Regards,</P><P>Jesus</P><P>Intel Customer Support</P> Wed, 20 May 2020 20:36:42 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184828#M3653 JesusG_Intel 2020-05-20T20:36:42Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184829#M3654 <P>Dear&nbsp;Jesus，</P><P>&nbsp;&nbsp;First of all, thank you for your prompt reply.</P><P>&nbsp; But, how about the Intel SGX Card ? (refer to <A href="https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)" target="_blank">https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)</A></P><P>&nbsp; "The SGX Card, a device that can be attached to existing servers via PCI Express, contains three independent SGX-enabled Xeon E processors. Intel says up to four cards – totaling 12 SGX-enabled processors, can be added to a standard 2U Intel Xeon Scalable server".</P><P>&nbsp; &nbsp;If our server&nbsp;attaches&nbsp;the Intel SGX Card with&nbsp;three independent SGX-enabled Xeon E processors, the Seal and UnSeal functions will work ok ?</P> Wed, 27 May 2020 03:40:00 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184829#M3654 pp__monkeyking 2020-05-27T03:40:00Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184830#M3655 <P>Hello Monkeyking,</P><P>Here is more detailed information on the&nbsp;<A href="https://software.intel.com/content/www/us/en/develop/articles/getting-started-with-the-intel-software-guard-extensions-card.html">Intel SGX Card</A>. "Independent" means the processors act as completely separate systems with their own OS, memory, storage, etc. The processors do not share anything with each other. Each SGX processor behaves as a physically separate server so any interaction among the processors is carried out as if they were physically separate. You cannot seal/unseal directly using their individual sealing keys. If you wanted to Seal and Unseal using the different processors in the card, you would have to use remote attestation to hand out shared keys.</P><P>In short, the card does not make your server into a multi-processor system. It creates multiple, single processor systems that are completely independent from each other.</P><P>Regards,</P> Wed, 27 May 2020 16:58:39 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/A-problem-about-the-Seal-key-on-multi-socket-CPU/m-p/1184830#M3655 JesusG_Intel 2020-05-27T16:58:39Z