<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: sealing to mrenclave question in Intel® Software Guard Extensions (Intel® SGX)</title>
    <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1443889#M5618</link>
    <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.intel.com/t5/user/viewprofilepage/user-id/266481"&gt;@riclee&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;If I take the 'sealing to mrenclave' policy to seal data on one computer, can I unseal the sealed data on the other computer with the same enclave code?&amp;nbsp; I know the sealing key is derived from the root sealing key and mrenclave. If I unseal the sealed data on the other computer, which means there is a different root sealing key, because the RSK is related to the CPU, which means a different computer has a different PSK, then the derived sealing key could be different. So in my opinion, I think the other computer cannot seal the sealed data even with the same enclave code,&amp;nbsp; because the derived sealing key is different, am I right?&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;SPAN class="sub_section_element_selectors"&gt;Yes, you are correct. Sealing binds the sealed data to the processor whether the sealing policy is MRENCLAVE or MRSIGNER. This means only the sealing processor can unseal the data.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;If you want to seal data in Processor 1 and unseal that data in Processor 2 (where Processor 1 and Processor 2 are different) then you could encrypt the data using e.g. &lt;FONT face="courier new,courier"&gt;sgx_rijndael128GCM_encrypt&lt;/FONT&gt; in Processor 1 and somehow pass the encryption key to Processor 2.&lt;/P&gt;
&lt;P&gt;An alternative is using the Intel Protected File System library (with automatic keys) but this still has the problem that you are responsible for safely passing the encryption key from Processor 1 to Processor 2.&lt;/P&gt;</description>
    <pubDate>Wed, 04 Jan 2023 18:11:18 GMT</pubDate>
    <dc:creator>Daniel_ˢᵍˣ</dc:creator>
    <dc:date>2023-01-04T18:11:18Z</dc:date>
    <item>
      <title>sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1439623#M5599</link>
      <description>&lt;P&gt;If I take the 'sealing to mrenclave' policy to seal data on one computer, can I unseal the sealed data on the other computer with the same enclave code?&amp;nbsp; I know the sealing key is derived from the root sealing key and mrenclave. If I unseal the sealed data on the other computer, which means there is a different root sealing key, because the RSK is related to the CPU, which means a different computer has a different PSK, then the derived sealing key could be different. So in my opinion, I think the other computer cannot seal the sealed data even with the same enclave code,&amp;nbsp; because the derived sealing key is different, am I right?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The other question: I cannot find an example of the function 'sgx_seal_data_ex', only 'sgx_seal_data' usage in the SealUnseal example. Could you please supply an example of the usage of 'sgx_seal_data_ex'?&lt;/P&gt;</description>
      <pubDate>Mon, 19 Dec 2022 03:56:03 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1439623#M5599</guid>
      <dc:creator>riclee</dc:creator>
      <dc:date>2022-12-19T03:56:03Z</dc:date>
    </item>
    <item>
      <title>Re: sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1440242#M5600</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;sgx_seal_data_ex is used in the tSeal sample in the SGX SDK: &lt;A href="https://github.com/intel/linux-sgx/blob/master/sdk/tseal/tSeal.cpp" target="_blank" rel="noopener"&gt;https://github.com/intel/linux-sgx/blob/master/sdk/tseal/tSeal.cpp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This is a link to the Developer Ref Guide which has more information and syntax about this function: &lt;A href="https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf#page=140" target="_blank" rel="noopener"&gt;https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf#page=140&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Sincerely,&lt;/P&gt;
&lt;P&gt;Sahira&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 28 Dec 2022 22:21:59 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1440242#M5600</guid>
      <dc:creator>Sahira_Intel</dc:creator>
      <dc:date>2022-12-28T22:21:59Z</dc:date>
    </item>
    <item>
      <title>Re: sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1440330#M5603</link>
      <description>&lt;P&gt;Thank you for supplying the example about sgx_seal_data_ex. Could you please answer the first question about sealing key?&lt;/P&gt;</description>
      <pubDate>Wed, 21 Dec 2022 02:56:34 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1440330#M5603</guid>
      <dc:creator>riclee</dc:creator>
      <dc:date>2022-12-21T02:56:34Z</dc:date>
    </item>
    <item>
      <title>Re: sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1441412#M5611</link>
      <description>&lt;P&gt;It is possible to unseal data that has been sealed using an enclave on a different computer, as long as the following conditions are met:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;P&gt;The other computer must have an enclave with the same Mrenclave value as the one that was used to seal the data.&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;The other computer must have access to the same sealing key that was used to seal the data. This may require that the sealing key be stored in a secure location and provided to the other computer as needed.&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;The other computer must have the necessary software and hardware support for running enclaves and accessing sealed data.&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Sat, 24 Dec 2022 00:53:06 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1441412#M5611</guid>
      <dc:creator>AnaWilliam850</dc:creator>
      <dc:date>2022-12-24T00:53:06Z</dc:date>
    </item>
    <item>
      <title>Re: sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1443515#M5615</link>
      <description>&lt;P&gt;The sealing key is&amp;nbsp;&lt;SPAN&gt;derived from the root sealing key and mrenclave with the sealing to mrenclave policy.&amp;nbsp; A different computer has a different root sealing key, which means that even if the other computer has the same mrenclave, the sealing key could be different (because the root sealing key is different). This is my opinion, but I don't know whether I am right?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Jan 2023 15:27:21 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1443515#M5615</guid>
      <dc:creator>riclee</dc:creator>
      <dc:date>2023-01-03T15:27:21Z</dc:date>
    </item>
    <item>
      <title>Re: sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1443889#M5618</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.intel.com/t5/user/viewprofilepage/user-id/266481"&gt;@riclee&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;
&lt;P&gt;If I take the 'sealing to mrenclave' policy to seal data on one computer, can I unseal the sealed data on the other computer with the same enclave code?&amp;nbsp; I know the sealing key is derived from the root sealing key and mrenclave. If I unseal the sealed data on the other computer, which means there is a different root sealing key, because the RSK is related to the CPU, which means a different computer has a different PSK, then the derived sealing key could be different. So in my opinion, I think the other computer cannot seal the sealed data even with the same enclave code,&amp;nbsp; because the derived sealing key is different, am I right?&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;SPAN class="sub_section_element_selectors"&gt;Yes, you are correct. Sealing binds the sealed data to the processor whether the sealing policy is MRENCLAVE or MRSIGNER. This means only the sealing processor can unseal the data.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;If you want to seal data in Processor 1 and unseal that data in Processor 2 (where Processor 1 and Processor 2 are different) then you could encrypt the data using e.g. &lt;FONT face="courier new,courier"&gt;sgx_rijndael128GCM_encrypt&lt;/FONT&gt; in Processor 1 and somehow pass the encryption key to Processor 2.&lt;/P&gt;
&lt;P&gt;An alternative is using the Intel Protected File System library (with automatic keys) but this still has the problem that you are responsible for safely passing the encryption key from Processor 1 to Processor 2.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Jan 2023 18:11:18 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1443889#M5618</guid>
      <dc:creator>Daniel_ˢᵍˣ</dc:creator>
      <dc:date>2023-01-04T18:11:18Z</dc:date>
    </item>
    <item>
      <title>Re: sealing to mrenclave question</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1444048#M5619</link>
      <description>&lt;P&gt;You mean if I want to seal data in processor1 and unseal the data in processor2, I should use the SGX SDK API&amp;nbsp;&lt;SPAN&gt;sgx_rijndael128GCM_encrypt with my own seal key. If using the seal policy MRENCLAVE or MRSIGNER, the sealing key binds to the processor, so processor2 cannot unseal the data sealed by processor1.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you for your answer, I got it!&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jan 2023 06:30:48 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/sealing-to-mrenclave-question/m-p/1444048#M5619</guid>
      <dc:creator>riclee</dc:creator>
      <dc:date>2023-01-05T06:30:48Z</dc:date>
    </item>
  </channel>
</rss>

