Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1427 Discussions

Export enclave

ssziy
Beginner
‎09-10-2019 12:57 AM
509 Views
Solved Jump to solution

Good morning,

Does Intel SGX SDK provides a way to clone enclaves? That is, being able to boot an enclave from a machine on another machine with exactly the same content / secrets.

0 Kudos
1 Solution
Scott_R_Intel
Employee
‎09-10-2019 05:55 AM
509 Views
Solved Jump to solution

Hi Stevie.

No, this is not supported, by design.  If you need to share secrets between enclaves between machines, one way to do so would be to use remote attestation to  both enclaves and provision a shared key directly to the enclaves to seal/unseal the secrets between the two enclaves.

Regards.

Scott

View solution in original post

0 Kudos
Copy link

Link Copied

4 Replies
Scott_R_Intel
Employee
‎09-10-2019 05:55 AM
510 Views
Solved Jump to solution

Hi Stevie.

No, this is not supported, by design.  If you need to share secrets between enclaves between machines, one way to do so would be to use remote attestation to  both enclaves and provision a shared key directly to the enclaves to seal/unseal the secrets between the two enclaves.

Regards.

Scott

0 Kudos
Copy link
ssziy
Beginner
‎09-10-2019 11:55 AM
509 Views
Solved Jump to solution

Thank you so much for answering my question.

Following your answer I would just like to ask you just one more question. In this case where we talk about sharing/copying secrets between different enclave machines we are also dealing with different enclaves. With this, it is possible to derive a key using the sgx_get_key function in one machine enclave and share it with the other machine enclave to seal and unseal the secrets?

0 Kudos
Copy link
Scott_R_Intel
Employee
‎09-10-2019 12:36 PM
509 Views
Solved Jump to solution

Hi again.

As mentioned in the post below, SGX keys are unique to each specific platform:

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/705026

So, my previous answer still applies... you'd need to utilize SGX remote attestation to provision shared keys between your enclaves if on different machines.

Regards.

Scott

0 Kudos
Copy link
ssziy
Beginner
‎09-10-2019 01:34 PM
509 Views
Solved Jump to solution

Got it. Thanks again for taking your time to help me Scott. Rest of a good week.

Best regards.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.