Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

A problem about the Seal key on multi-socket CPU

pp__monkeyking
Beginner
649 Views

Hello,

I am trying to test the SGX enclave's seal & unseal functions on Linux running on a multi-socket CPU, e.g.:

        Thread(s) per core:    2
        Core(s) per socket:    6
        Socket(s):             2

If my seal key policy is set to:

    uint16_t key_policy = SGX_KEYPOLICY_MRSIGNER; // SGX_KEYPOLICY_MRENCLAVE;

then:

if I seal data to /tmp/data1.dat with Seal_App, which runs only on CPU socket 1,

can /tmp/data1.dat be unsealed by UnSeal_App, which runs only on CPU socket 2?

Note: Seal_App and UnSeal_App are signed by the same enclave signer.

And where can I find the related instructions?

3 Replies
JesusG_Intel
Moderator

Hello Monkeyking,

You don't have to worry about this. There is no dual-socket SGX-capable processor on the market.

Regards,

Jesus

Intel Customer Support

pp__monkeyking
Beginner

Dear Jesus,

First of all, thank you for your prompt reply.

But what about the Intel SGX Card? (Refer to https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)

"The SGX Card, a device that can be attached to existing servers via PCI Express, contains three independent SGX-enabled Xeon E processors. Intel says up to four cards – totaling 12 SGX-enabled processors – can be added to a standard 2U Intel Xeon Scalable server."

If our server attaches the Intel SGX Card with three independent SGX-enabled Xeon E processors, will the Seal and UnSeal functions work OK?

JesusG_Intel
Moderator

Hello Monkeyking,

Here is more detailed information on the Intel SGX Card. "Independent" means the processors act as completely separate systems with their own OS, memory, storage, etc. The processors do not share anything with each other. Each SGX processor behaves as a physically separate server so any interaction among the processors is carried out as if they were physically separate. You cannot seal/unseal directly using their individual sealing keys. If you wanted to Seal and Unseal using the different processors in the card, you would have to use remote attestation to hand out shared keys.

In short, the card does not make your server into a multi-processor system. It creates multiple, single processor systems that are completely independent from each other.

Regards,

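The point behind both the original question and the moderator's final answer is that a sealing key is derived inside each processor from that processor's own fused root key, so the same key policy and the same signer on a different processor yield a different key, and the only way to move sealed data between independent processors is to hand out a shared key over an attested channel. The following model, added here as an illustration and not code from the SGX SDK or from anyone in this thread, shows that binding: it stands in for EGETKEY with an HMAC over a per-processor secret, stands in for AES-GCM with SHA-256 counter mode plus an HMAC tag, and treats the remote-attestation exchange as already done (the shared key simply appears on both sides). The platform names, root keys and enclave identities are constructed values; only the two SGX_KEYPOLICY_* constants are taken from the SDK.

```python
import hashlib
import hmac
import os

# Key-policy bits as named in the SGX SDK's sgx_key.h; everything below is a
# constructed model of the sealing-key binding, not SDK code.
SGX_KEYPOLICY_MRENCLAVE = 0x0001
SGX_KEYPOLICY_MRSIGNER = 0x0002

# Constructed enclave identities: same signer and same measurement on every processor
MRSIGNER = hashlib.sha256(b"example-signer").digest()
MRENCLAVE = hashlib.sha256(b"example-enclave").digest()


class Platform:
    """One SGX-capable processor. Each has its own root sealing secret that never leaves it."""

    def __init__(self, name, root_seal_key=None):
        self.name = name
        self.root_seal_key = root_seal_key or os.urandom(32)  # stand-in for the fused secret

    def derive_seal_key(self, key_policy, mrenclave=MRENCLAVE, mrsigner=MRSIGNER):
        """Model of EGETKEY: the seal key depends on this processor's root secret *and* on the
        identity selected by the policy, so the same policy on another processor gives a different key."""
        identity = mrsigner if key_policy & SGX_KEYPOLICY_MRSIGNER else mrenclave
        label = b"SEAL_KEY" + key_policy.to_bytes(2, "little") + identity
        return hmac.new(self.root_seal_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # SHA-256 in counter mode; a stand-in for the AES-GCM used by sgx_seal_data
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under the seal key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Returns the plaintext, or None when the tag does not verify (wrong processor or identity)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def same_socket_unseal_works(policy=SGX_KEYPOLICY_MRSIGNER):
    """Seal and unseal on the same processor: the derived key is reproducible."""
    socket1 = Platform("socket-1")
    blob = seal(socket1.derive_seal_key(policy), b"data1")
    return unseal(socket1.derive_seal_key(policy), blob) == b"data1"


def cross_socket_unseal_works(policy=SGX_KEYPOLICY_MRSIGNER):
    """Seal_App on socket 1, UnSeal_App on socket 2, same signer: does the blob open?"""
    socket1, socket2 = Platform("socket-1"), Platform("socket-2")
    blob = seal(socket1.derive_seal_key(policy), b"data1")
    return unseal(socket2.derive_seal_key(policy), blob) is not None


def shared_key_roundtrip():
    """The pattern the moderator describes: a shared key provisioned after remote attestation
    (the attestation exchange itself is assumed, not modelled) carries data between processors;
    each processor protects its own copy of that key with its own seal key."""
    socket1, socket2 = Platform("socket-1"), Platform("socket-2")
    shared_key = os.urandom(32)  # assumed to have arrived over an attested channel
    local1 = socket1.derive_seal_key(SGX_KEYPOLICY_MRSIGNER)
    local2 = socket2.derive_seal_key(SGX_KEYPOLICY_MRSIGNER)
    # Each side stores the shared key sealed to itself; neither can read the other's copy.
    stored1 = seal(local1, shared_key)
    stored2 = seal(local2, shared_key)
    # Socket 1 encrypts application data under the shared key ...
    blob = seal(unseal(local1, stored1), b"data1")
    # ... and socket 2 recovers its own copy of the shared key and opens the blob.
    return unseal(unseal(local2, stored2), blob)


if __name__ == "__main__":
    print("same socket:", same_socket_unseal_works())
    print("cross socket:", cross_socket_unseal_works())
    print("via shared key:", shared_key_roundtrip())
```

Running the module prints True, False and b'data1' in that order: the sealed file opens on the processor that produced it, fails authentication on the other processor even under the MRSIGNER policy with an identical signer, and moves across only once both sides hold the same shared key, which is exactly what the attestation step is for.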