Solved: Generating key for writing protected file

Santos__Ricardo · ‎08-28-2019

Hi folks!

TD;DR: can I generate the same key with sgx_get_key on different machines?

I've been trying out the PFS API's sgx_fopen for exporting a configuration file and later importing on a different machine but I don't think I quote understood cpu_svn and isv_svn... I tried generating a key without setting them with the following code and I got different keys on different machines, is it right? I'd really appreciate if anybody could point me in the right direction...

sgx_cpu_svn_t cpu_svn = {0};
sgx_isv_svn_t isv_svn = {0};
sgx_key_request_t request = { SGX_KEYSELECT_SEAL, SGX_KEYPOLICY_MRENCLAVE, isv_svn, 0, cpu_svn , NULL, 0, NULL, 0 };
sgx_status_t status = sgx_get_key(&request, key);

Thanks in advance,

Ricardo

Scott_R_Intel · ‎09-03-2019

Hi Ricardo.

As mentioned in the post below, SGX keys are unique to each specific platform.

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/705026

If you require sealing/unsealing data on multiple platforms, you would need to utilize SGX remote attestation to provision common sealing/unsealing keys securely to those platforms. For more info, see the white paper below:

https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attesta...

Regards.

Scott

View solution in original post

Scott_R_Intel · ‎09-03-2019