Elephant
Beginner

Clarification About the Key Used in sgx_seal_data

Hi, 

I am using and running my SGX sample code on Linux. I've read in the Developer Reference that sgx_seal_data uses the MRSIGNER policy. However, the sample code's Makefiles for DEBUG/PRERELEASE mode use the 1-step process for signing enclaves, i.e. using the ISV-provided private key. The confusion I am having now is that, in DEBUG/PRERELEASE modes, no public keys were provided when the signing happens, so how does sgx_seal_data work in MRSIGNER policy without the public key? I understand that the MRSIGNER should be the hash of the public key?

Here's the experiment that I did:

  • I tried to sign my sealing/unsealing enclave with Enclave_private1.pem.  
  • I ran the sealing application and then generated a sealed file.
  • I then signed my sealing/unsealing enclave with Enclave_private2.pem.
  • I then ran the unsealing application using the previously saved sealed file
  • RESULT:  I CAN unseal the sealed file!  I was expecting otherwise.

What am I missing here?

Thanks a lot for your help!

Regards,

Elephant


Hi,

One clarification: are the 2 keys Enclave_private1.pem and Enclave_private2.pem from different enclaves or the same enclave?

I did the same steps as you mentioned, but I used the keys from a different enclave for the 2nd step, and couldn't unseal the application.

Regards

Shivananda

Elephant
Beginner

Hi Shivananda,

Thanks for taking the time to test this out. I have actually verified that we are using THE SAME private key file with different filenames on the SAME enclave. It is a fault on my part because I was using different filenames without verifying the contents.

Also, regarding the PRIVATE key on MRENCLAVE, the PEM file is actually a key pair. So I am guessing that SGX automatically extracts the public key, SHA256-hashes it and saves it in the MRENCLAVE register/field, then uses that information to derive the sealing key. Is this a correct assumption?

Thanks!

Kind Regards,

Elephant

Anusha_K_Intel
Employee

Hi,

What you have assumed is correct. In the 1-step signing process the public key is extracted by the enclave.

Regards,

Anusha

you_w_
New Contributor III

Hi Shivananda H, Anusha, Elephant,

I think this topic is helpful for understanding the sealing key. Thank you. I am about to get more info from the SGX source code.

Regards

you
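
The mix-up in this thread (two differently named .pem files holding the same key) can be caught by comparing the MRSIGNER value each file would produce. This is an added example, not code from the thread or the SGX SDK. It assumes an unencrypted PEM and that MRSIGNER is the SHA-256 of the 384-byte little-endian RSA-3072 modulus as stored in SIGSTRUCT. All function names and the sample moduli are hypothetical.

```python
import base64, hashlib, re

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus(pem_text):
    """Modulus from a PKCS#1 (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY) PEM."""
    m = re.search(r"-----BEGIN ((?:RSA )?PRIVATE KEY)-----(.+?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no unencrypted RSA private key PEM block found")
    _, body, _ = read_tlv(base64.b64decode(m.group(2)), 0)   # outer SEQUENCE
    _, _, pos = read_tlv(body, 0)                             # version INTEGER
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x30:                        # PKCS#8: AlgorithmIdentifier, key in OCTET STRING
        _, octets, _ = read_tlv(body, pos)
        _, body, _ = read_tlv(octets, 0)
        _, _, pos = read_tlv(body, 0)
        tag, val, _ = read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("unexpected DER layout")
    return int.from_bytes(val, "big")

def mrsigner(pem_text):
    """SHA-256 over the 384-byte little-endian modulus (assumed SIGSTRUCT layout)."""
    n = rsa_modulus(pem_text)
    if n.bit_length() != 3072:
        raise ValueError("enclave signing keys are RSA-3072")
    return hashlib.sha256(n.to_bytes(384, "little")).hexdigest()

def der(tag, val):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n, k = len(val), (len(val).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + val

def constructed_pem(modulus):
    """Constructed stand-in holding only version + modulus; not a usable key."""
    seq = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x00" + modulus.to_bytes(384, "big")))
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(seq).decode()
            + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    n1, n2 = (1 << 3071) | 0x11, (1 << 3071) | 0x23   # constructed moduli, not real keys
    print(mrsigner(constructed_pem(n1)) == mrsigner(constructed_pem(n1)))  # same key, two names
    print(mrsigner(constructed_pem(n1)) == mrsigner(constructed_pem(n2)))  # different signer
```

With real files, pass the contents of each .pem to `mrsigner()`: equal digests mean the same signer identity, so data sealed under the MRSIGNER policy by one build unseals in the other.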