Hello.
I'm now developing an application with SGX features, but I have several questions about sealing/unsealing. I barely understand how to use those features, so please forgive my poor questions.
1. I would like to seal an encryption key in the enclave of my application. I (maybe) already succeeded in sealing a value returned from an ECALL function like this (written in untrusted code):
// ECALL. Pass a pointer to an already-initialized std::vector<int> and
// return its average as an int through &retval.
int retval;            // receives the return value from the ECALL function
sgx_status_t status = AVG_IN_ENCLAVE(global_eid, &retval, (void*)dbvec_ptr, pass_test);
//
// omit unnecessary code
//
// Sealing part. Here I seal the value pointed to by &retval (at least I think so).
size_t sealed_size = sizeof(sgx_sealed_data_t) + sizeof(retval);
uint8_t* sealed_data = (uint8_t*)malloc(sealed_size);
sgx_status_t ecall_status;
status = seal(global_eid, &ecall_status, (uint8_t*)&retval, sizeof(retval),
              (sgx_sealed_data_t*)sealed_data, sealed_size);
But eventually I'd like to seal a value which never leaves the enclave. In other words, I think that if I return that secret value from the enclave to the untrusted area like in the above code, it can be seen by the untrusted area. How can I seal such secret values? Is there any way to call the sealing function from an ECALL function?
2. After unsealing, is the decrypted data in the enclave? When I call the unsealing function like this (written in untrusted code)
int unsealed;
status = unseal(global_eid, &ecall_status, (sgx_sealed_data_t*)sealed_data, sealed_size,
                (uint8_t*)&unsealed, sizeof(unsealed));
the decrypted data can be obtained by referring to "unsealed", but with this code, I think the decrypted value is in the untrusted area. Is there any way to decrypt data in the enclave and refer to that value from an ECALL function?
Probably I'm writing very poor code and I still need to learn far more about SGX features, so any advice is welcome.
Thank you.
Hi:
1. You should provision the key to the enclave in a secure way.
2. If you don't want to expose your key, you can only use the key inside the enclave. That means your encryption implementation should be inside the enclave;
3. You can write three ECALL functions like this:
// put the key into the enclave; only the sealed form goes back out
provision_key(key, sealed_key)
{
    sealed_key = seal(key);
}
// encrypt data with your key; the plaintext key exists only inside the enclave
encrypt(data, sealed_key, encrypted_data)
{
    key = unseal(sealed_key);
    encrypted_data = encrypt_with_key(data, key);
}
// decrypt encrypted_data with your key
decrypt(encrypted_data, sealed_key, data)
{
    key = unseal(sealed_key);
    data = decrypt_with_key(encrypted_data, key);
}
Hope you can understand,
Regards
you
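To make the reply's pattern concrete, here is an added example of my own (it is not code from this thread and not the SGX SDK's SealedData sample). It applies the "call seal and unseal from inside ECALLs" idea to the asker's case: the average is computed and sealed inside the enclave, only the sealed blob is returned to the untrusted side, and a second ECALL unseals inside the enclave and returns a non-secret yes/no verdict rather than the plaintext. The ECALL names, the EDL they assume (`[in, count=count]` for `values`, `[out, size=sealed_size]` and `[in, size=sealed_size]` for the blob) and the `SGX_ENCLAVE` build macro are my assumptions; the `sgx_*` calls in the `SGX_ENCLAVE` branch are the SDK's real signatures, and the `#else` branch is a labelled, non-cryptographic stand-in with the same signatures so the ECALL logic can be compiled and exercised on an ordinary host.

```c
/* Added example: enclave-side sealing pattern for the two questions above.
 * Build with -DSGX_ENCLAVE inside an enclave to use the real SDK sealing API;
 * without it, a NON-cryptographic test double with the same signatures is used. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifdef SGX_ENCLAVE
#include "sgx_tseal.h"          /* sgx_seal_data / sgx_unseal_data from the SDK */
#else
/* ---- host-side test double: mimics the SDK API shape only, NOT its security ---- */
typedef int sgx_status_t;
#define SGX_SUCCESS                 0
#define SGX_ERROR_INVALID_PARAMETER 0x0002
#define SGX_ERROR_MAC_MISMATCH      0x3001
typedef struct { uint32_t txt_len; uint32_t check; } sgx_sealed_data_t; /* fake header */

static uint32_t fake_check(const uint8_t *p, uint32_t n) {   /* FNV-1a checksum, not a MAC */
    uint32_t c = 2166136261u;
    for (uint32_t i = 0; i < n; i++) c = (c ^ p[i]) * 16777619u;
    return c;
}
uint32_t sgx_calc_sealed_data_size(uint32_t aad_len, uint32_t txt_len) {
    return (uint32_t)sizeof(sgx_sealed_data_t) + aad_len + txt_len;
}
sgx_status_t sgx_seal_data(uint32_t aad_len, const uint8_t *aad, uint32_t txt_len,
                           const uint8_t *txt, uint32_t sealed_size, sgx_sealed_data_t *out) {
    (void)aad;
    if (aad_len != 0 || !txt || !out || sealed_size < sgx_calc_sealed_data_size(0, txt_len))
        return SGX_ERROR_INVALID_PARAMETER;
    out->txt_len = txt_len;
    out->check = fake_check(txt, txt_len);
    memcpy((uint8_t *)out + sizeof *out, txt, txt_len); /* real SDK: AES-GCM under the seal key */
    return SGX_SUCCESS;
}
uint32_t sgx_get_encrypt_txt_len(const sgx_sealed_data_t *s) { return s->txt_len; }
sgx_status_t sgx_unseal_data(const sgx_sealed_data_t *s, uint8_t *aad, uint32_t *aad_len,
                             uint8_t *txt, uint32_t *txt_len) {
    (void)aad; (void)aad_len;
    if (!s || !txt || !txt_len || *txt_len < s->txt_len) return SGX_ERROR_INVALID_PARAMETER;
    const uint8_t *body = (const uint8_t *)s + sizeof *s;
    if (fake_check(body, s->txt_len) != s->check) return SGX_ERROR_MAC_MISMATCH;
    memcpy(txt, body, s->txt_len);
    *txt_len = s->txt_len;
    return SGX_SUCCESS;
}
#endif

/* Host asks the enclave how big the blob for one sealed int32 must be, then mallocs it. */
uint32_t ecall_sealed_size_for_int(void) {
    return sgx_calc_sealed_data_size(0, (uint32_t)sizeof(int32_t));
}

/* ECALL 1 (question 1): the secret is computed AND sealed inside the enclave.
 * Only the sealed blob is written to the host buffer; the plaintext never leaves. */
sgx_status_t ecall_average_and_seal(const int32_t *values, uint32_t count,
                                    uint8_t *sealed, uint32_t sealed_size) {
    if (!values || count == 0 || !sealed) return SGX_ERROR_INVALID_PARAMETER;
    int64_t sum = 0;
    for (uint32_t i = 0; i < count; i++) sum += values[i];
    int32_t secret = (int32_t)(sum / count);             /* lives on the enclave stack only */
    sgx_status_t st = sgx_seal_data(0, NULL, (uint32_t)sizeof secret, (const uint8_t *)&secret,
                                    sealed_size, (sgx_sealed_data_t *)sealed);
    memset(&secret, 0, sizeof secret);                    /* best-effort scrub of the copy */
    return st;
}

/* ECALL 2 (question 2): unseal inside the enclave and use the value there.
 * The host receives only a verdict (1 = candidate equals the secret), not the secret. */
sgx_status_t ecall_unseal_and_compare(const uint8_t *sealed, uint32_t sealed_size,
                                      int32_t candidate, int *matches) {
    if (!sealed || !matches || sealed_size < sizeof(sgx_sealed_data_t))
        return SGX_ERROR_INVALID_PARAMETER;
    const sgx_sealed_data_t *s = (const sgx_sealed_data_t *)sealed;
    uint32_t len = sgx_get_encrypt_txt_len(s);
    if (len != sizeof(int32_t) || sgx_calc_sealed_data_size(0, len) > sealed_size)
        return SGX_ERROR_INVALID_PARAMETER;             /* reject malformed or truncated blobs */
    int32_t secret = 0;
    sgx_status_t st = sgx_unseal_data(s, NULL, NULL, (uint8_t *)&secret, &len);
    if (st == SGX_SUCCESS) *matches = (secret == candidate);
    memset(&secret, 0, sizeof secret);
    return st;
}
```

The same shape covers the reply's key case: replace the averaged value with a provisioned key, and have the "use" ECALL unseal it and call the SDK's `sgx_rijndael128GCM_encrypt` / `sgx_rijndael128GCM_decrypt` (from `sgx_tcrypto.h`) on the caller's buffer, returning only ciphertext or plaintext data, never the key. A tampered blob is rejected at unseal time (`SGX_ERROR_MAC_MISMATCH` in the real SDK), so the untrusted side can store the blob freely but cannot alter it unnoticed.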
I'd suggest looking at the SealedData sample code included in the SGX SDK.
It shows how to perform sealing/unsealing operations within an enclave applying different policies.
The Developer Reference describes what the sample code does.
Thank you for replying.
I didn't realize that I can call another enclave function from an enclave function... Now maybe I can implement those secure sealing/unsealing features. Thanks for letting me know.