Hello,
I am trying to test an SGX enclave's seal and unseal functions on Linux running on a multi-socket CPU, e.g.:
Thread(s) per core: 2
Core(s) per socket: 6
Socket(s): 2
If my seal key policy is set to:
uint16_t key_policy = SGX_KEYPOLICY_MRSIGNER; // SGX_KEYPOLICY_MRENCLAVE;
then:
if I seal data to /tmp/data1.dat with the Seal_App, which runs only on CPU socket 1,
can /tmp/data1.dat be unsealed by the UnSeal_App, which runs only on CPU socket 2?
Note: Seal_App and UnSeal_App are signed by the same enclave-SIGNER.
And where can I find related instructions?
Hello Monkeyking,
You don't have to worry about this. There is no dual-socket SGX-capable processor on the market.
Regards,
Jesus
Intel Customer Support
Dear Jesus,
First of all, thank you for your prompt reply.
But how about the Intel SGX Card? (Refer to https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)
"The SGX Card, a device that can be attached to existing servers via PCI Express, contains three independent SGX-enabled Xeon E processors. Intel says up to four cards – totaling 12 SGX-enabled processors, can be added to a standard 2U Intel Xeon Scalable server".
If our server has the Intel SGX Card attached, with its three independent SGX-enabled Xeon E processors, will the Seal and UnSeal functions work OK?
Hello Monkeyking,
Here is more detailed information on the Intel SGX Card. "Independent" means the processors act as completely separate systems with their own OS, memory, storage, etc. The processors do not share anything with each other. Each SGX processor behaves as a physically separate server so any interaction among the processors is carried out as if they were physically separate. You cannot seal/unseal directly using their individual sealing keys. If you wanted to Seal and Unseal using the different processors in the card, you would have to use remote attestation to hand out shared keys.
In short, the card does not make your server into a multi-processor system. It creates multiple, single processor systems that are completely independent from each other.
Regards,
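
A simplified model of the sealing behavior discussed in this thread, added here as an example; it is not part of any post and not Intel SDK code. It assumes an HMAC derivation as a stand-in for the hardware EGETKEY instruction and a SHAKE/HMAC construction as a stand-in for the SDK's AES-GCM sealing; all function names and sample values are constructed, and remote attestation itself is not modelled.

```python
import hashlib, hmac, os

KEYPOLICY_MRENCLAVE, KEYPOLICY_MRSIGNER = 0x0001, 0x0002  # values from the SDK's sgx_key.h

def derive_seal_key(cpu_secret, mrenclave, mrsigner, policy, key_id):
    # Model only: the real key comes from EGETKEY in hardware and mixes in
    # further inputs (SVNs, product ID, attribute masks). The point kept here
    # is that a per-processor secret is always part of the derivation.
    ident = mrsigner if policy == KEYPOLICY_MRSIGNER else mrenclave
    msg = policy.to_bytes(2, "little") + ident + key_id
    return hmac.new(cpu_secret, msg, hashlib.sha256).digest()[:16]

def _xor(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, data):
    # Stand-in authenticated encryption (the SDK uses AES-GCM).
    nonce = os.urandom(12)
    ct = _xor(key, nonce, data)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:12], blob[12:44], blob[44:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _xor(key, nonce, ct) if hmac.compare_digest(tag, good) else None

def demo():
    cpu1, cpu2 = os.urandom(16), os.urandom(16)      # constructed per-processor secrets
    signer = hashlib.sha256(b"constructed signer").digest()
    seal_app = hashlib.sha256(b"Seal_App").digest()    # constructed MRENCLAVE values
    unseal_app = hashlib.sha256(b"UnSeal_App").digest()
    kid, data = os.urandom(32), b"contents of data1.dat"
    k = lambda cpu, mre, pol: derive_seal_key(cpu, mre, signer, pol, kid)

    blob = seal(k(cpu1, seal_app, KEYPOLICY_MRSIGNER), data)
    same_cpu = unseal(k(cpu1, unseal_app, KEYPOLICY_MRSIGNER), blob)
    other_cpu = unseal(k(cpu2, unseal_app, KEYPOLICY_MRSIGNER), blob)
    blob_e = seal(k(cpu1, seal_app, KEYPOLICY_MRENCLAVE), data)
    other_enclave = unseal(k(cpu1, unseal_app, KEYPOLICY_MRENCLAVE), blob_e)

    # Shared-key route: a key handed to both enclaves after remote attestation
    # (not modelled) is wrapped under each processor's own seal key.
    shared = os.urandom(16)
    wrapped2 = seal(k(cpu2, unseal_app, KEYPOLICY_MRSIGNER), shared)
    portable = seal(shared, data)
    via_shared = unseal(unseal(k(cpu2, unseal_app, KEYPOLICY_MRSIGNER), wrapped2), portable)
    return same_cpu == data, other_cpu, other_enclave, via_shared == data
```

Calling `demo()` returns four results in order: same signer on the same processor, same signer on a different processor, a different enclave under the MRENCLAVE policy, and the shared-key route across processors.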