Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

About Power Transition

Mashiro_M_1
Beginner
1,142 Views

Hi,

According to https://01.org/sites/default/files/documentation/intel_sgx_developer_guide_pdf.pdf

"Enclaves that wish to preserve secrets across S3, S4, and S5 must save state information on disk."

 

Does this mean that SGx enclave recovery doesn't include support for power state Mechanical Off state (G3)?

So when the system with an enclave gets shutdown, it won't be possible anymore to resume enclave processes?

 

Thanks.

 

0 Kudos
1 Solution
PadmaPriya_M_Intel
1,142 Views

Hi,

SGX also supports G3 state. When the system gets shutdown, the application may register a callback function for such events. When the callback function is invoked then the application may call the enclave specifically to save secret state to disk for preservation. However, the operating system does not guarantee that the enclave will be given enough time to seal all its internal state. Enclaves that wish to preserve state across power transition events must periodically seal enclave state data outside the enclave (on disk or the cloud). On re-instantiation of the application, the enclave is rebuilt from scratch and the enclave must retrieve its protected state (from disk or the cloud) inside the enclave.


 

View solution in original post

0 Kudos
3 Replies
PadmaPriya_M_Intel
1,143 Views

Hi,

SGX also supports G3 state. When the system gets shutdown, the application may register a callback function for such events. When the callback function is invoked then the application may call the enclave specifically to save secret state to disk for preservation. However, the operating system does not guarantee that the enclave will be given enough time to seal all its internal state. Enclaves that wish to preserve state across power transition events must periodically seal enclave state data outside the enclave (on disk or the cloud). On re-instantiation of the application, the enclave is rebuilt from scratch and the enclave must retrieve its protected state (from disk or the cloud) inside the enclave.


 

0 Kudos
Mashiro_M_1
Beginner
1,142 Views

 

Thank you for the answer Padma!
Marked that as the best reply!

To summarize my understanding, and please correct me if I am wrong somewhere:
For example, the secret is a simple text phrase randomly generated inside an enclave, and I would want to retain it even after the platform shuts down (G3). 
So in my enclave, I would... 
    + invoke sgx_seal_data() for that text phrase to be sealed, 
    + then I would have the now sealed phrase saved to a (maybe a .txt) file outside my enclave and into the hard-disk...
so that the next time that an enclave gets instantiated, I would not have to generate a random word anymore, but rather 
    + read on that file, 
    + extract the sealed text phrase, 
    + and do sgx_unseal_data() upon it to be able to have the secret text again.

Lastly, would the data stored in the hard-disk be safe from any forced-decryption? Or is it outside the scope anymore of the SGx?

0 Kudos
PadmaPriya_M_Intel
1,142 Views

Hi,

Please refer the section no:7.2 about Sealing and Unsealing Process(page.no:23) in the attached document for your clear understanding.

-Thanks

0 Kudos
Reply