Hello.

I'm now developing application with SGX features, but I have several questions about sealing/unsealing. I hardly understand how to treat those features, so please forgive my poor questions.

1. I would like to seal encryption key in enclave on my application. I (maybe) already succeeded to seal a value returned from ECALL function like this(written on untrusted code):

//ECALL. Pass pointer to std::vector<int> which already initialized and return their average as int with &retval.
int retval; //value to get return value from ECALL function
sgx_status_t status = AVG_IN_ENCLAVE(global_eid, &retval, (void*)dbvec_ptr, pass_test);

//
//omit unnecessary
//

//Sealing part. Here, I seals the value pointed by &retval. (At least I think so)
size_t sealed_size = sizeof(sgx_sealed_data_t) + sizeof(retval);
    uint8_t* sealed_data = (uint8_t*)malloc(sealed_size);

    sgx_status_t ecall_status;
    status = seal(global_eid, &ecall_status,
            (uint8_t*)&retval, sizeof(retval),
            (sgx_sealed_data_t*)sealed_data, sealed_size);

But eventually I'd like to seal value which never exit from enclave. In other words, I think if I return that secret value from enclave to untrusted area like above code, it can be seen by untrusted area. How can I seal such secret values? Is there any ways to call sealing function from ECALL function?

2. After unsealing, the decrypted data is on enclave? When I call the unsealing function like this(written on untrusted code)

int unsealed;
status = unseal(global_eid, &ecall_status,
            (sgx_sealed_data_t*)sealed_data, sealed_size,
            (uint8_t*)&unsealed, sizeof(unsealed));

the decrypted data can be gain by referring to "unsealed", but with this code, I think the decrypted value is on untrusted area. Is there any way to decrypt data on enclave and refer to that value from ECALL function?

Probably I'm writing very poor code and I still need to learn far more about SGX features, so any advice is welcome.

Thank you.