Community
cancel
Showing results for 
Search instead for 
Did you mean: 
pp__monkeyking
Beginner
237 Views

A problem about the Seal key on multi-socket CPU

Hello,

    I am trying to test sgx enclave's seal&unseal functions on Linux which is running on multi-socket CPU, E.g:

        Thread(s) per core:    2
        Core(s) per socket:    6
        Socket(s):             2

    If my seal key policy set to :

    uint16_t key_policy = SGX_KEYPOLICY_MRSIGNER; // SGX_KEYPOLICY_MRENCLAVE;

    then:

    if I seal data to /tmp/data1.dat by the Seal_App which just running on CPU-socket-1,

    can /tmp/data1.dat be unsealed by the UnSeal_App which just running on CPU-socket-2 ???

    Note: Seal_App and UnSeal_App are signed by the same enclave-SIGNER.

 

    And, Where can I find related instructions ???

0 Kudos
3 Replies
JesusG_Intel
Moderator
237 Views

Hello Monkeyking,

You don't have to worry about this. There is no dual-socket SGX-capable processor on the market.

Regards,

Jesus

Intel Customer Support

pp__monkeyking
Beginner
237 Views

Dear Jesus,

  First of all, thank you for your prompt reply.

  But, how about the Intel SGX Card ? (refer to https://www.securityweek.com/intel-sgx-card-extends-memory-protections-existing-cloud-servers)

  "The SGX Card, a device that can be attached to existing servers via PCI Express, contains three independent SGX-enabled Xeon E processors. Intel says up to four cards – totaling 12 SGX-enabled processors, can be added to a standard 2U Intel Xeon Scalable server".

   If our server attaches the Intel SGX Card with three independent SGX-enabled Xeon E processors, the Seal and UnSeal functions will work ok ?

JesusG_Intel
Moderator
237 Views

Hello Monkeyking,

Here is more detailed information on the Intel SGX Card. "Independent" means the processors act as completely separate systems with their own OS, memory, storage, etc. The processors do not share anything with each other. Each SGX processor behaves as a physically separate server so any interaction among the processors is carried out as if they were physically separate. You cannot seal/unseal directly using their individual sealing keys. If you wanted to Seal and Unseal using the different processors in the card, you would have to use remote attestation to hand out shared keys.

In short, the card does not make your server into a multi-processor system. It creates multiple, single processor systems that are completely independent from each other.

Regards,

Reply