Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Loading Sealed Data to an Enclave

Nazmus_S_
Beginner
828 Views

Hi,

According to the developer and reference guide, generally data sealed by an enclave resides in the disk. I went through the sample codes, and saw many use cases of data sealing. However, I could not find any example where the sealed data is loaded from the disk to an enclave. Can anyone discuss the detailed procedure of loading sealed data from the disk to an enclave?

Another thing is, if I seal a file of size say, 120 MB to disk, is the sealed file visible in the file system?

Thanks.

Nazmus

6 Replies
you_w_
New Contributor III

Hi:
Actually, sgx_seal_data() is an encryption function using AES, and the key is generated automatically (according to your CPU and the certificate used to sign the enclave). The sample doesn't include the code to write the result to disk, but it's easy to do this. You can just make an OCALL and use the file I/O functions to achieve this.

Regards

you

Nazmus_S_
Beginner

Hi You.

Thanks a lot for your response.

So based on my understanding, at first we seal (apparently, which means encrypting) the sensitive data, write the sealed/encrypted data to a text file (via OCALL), and then save this text file to the disk. So this file containing sealed data will be stored in untrusted memory and will be visible in the filesystem.

My concern is: in the context of an SGX-enabled cloud server, where the server is administered by a semi-honest administrator, is there any major security threat to the client's sensitive data? If so, what are the required steps that an application developer should follow to minimize the threat?

Thanks.

Nazmus

you_w_
New Contributor III

Hi Nazmus:

The sealed file is visible in the file system. Such an administrator can access that file but can't get useful information from it. But he or she can destroy the sealed file by modifying or deleting it. Now I have no idea about this.

Kind regards

you

Nazmus_S_
Beginner

That makes sense.

Thanks.

Nazmus
you_w_
New Contributor III

Hi Nazmus:

You can refer to this code from https://github.com/hyperledger/sawtooth-core/tree/master/consensus/poet/sgx/sawtooth_poet_sgx/libpoet_bridge.

#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// ZeroV() is a libpoet_bridge helper that is not part of this excerpt; a minimal
// equivalent (overwrite the buffer with zeros) is supplied here so the code compiles.
static void ZeroV(std::vector<uint8_t>& v)
{
    std::fill(v.begin(), v.end(), 0);
}

// Untrusted-side holder for a sealed blob: reads it from disk, hands the bytes
// to the enclave via Data()/Length(), and writes the (re)sealed bytes back.
class SealedData
{
public:
    void Load(
        const std::string& fileName,
        size_t sealedSize
        );
    void Save();
    void Clear();

    uint8_t* Data() { return this->data.data(); }
    size_t Length() { return this->data.size(); }
private:
    std::string fileName;
    std::vector<uint8_t> data;
};

void SealedData::Load(
    const std::string& fileName,
    size_t sealedLength
    )
{
    this->fileName = fileName;
    std::ifstream stateFile(this->fileName, std::ios::binary);
    if (stateFile.good()) {
        this->data.clear();
        this->data.assign(
            std::istreambuf_iterator<char>(stateFile),
            std::istreambuf_iterator<char>());
        stateFile.close();

        // if we have the wrong amount of data
        if (sealedLength != data.size()) {
            // throw it away and start over
            // in the future we will want a function
            // to convert the states if the versions
            // change.
            this->data.resize(sealedLength);
            ZeroV(this->data);
        }
    } else {
        // no file yet: start from an all-zero buffer of the expected sealed size
        this->data.resize(sealedLength);
        ZeroV(this->data);
    }
} // SealedData::Load

// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
void SealedData::Save()
{
    std::ofstream output(this->fileName, std::ios::binary);

    std::copy(
        this->data.begin(),
        this->data.end(),
        std::ostreambuf_iterator<char>(output));
    output.close();
} // SealedData::Save

// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
void SealedData::Clear()
{
    ZeroV(this->data);
    this->data.clear();
    remove(this->fileName.c_str());   // delete the on-disk copy as well
} // SealedData::Clear

Regards

you

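As an added example (not code from this thread or from sawtooth-core), the untrusted app can sanity-check the sealed blob it reads from disk before handing it to the enclave, instead of zero-filling it on a size mismatch as the Load() above does. The header offsets are assumed from the SGX SDK's sgx_tseal.h layout of sgx_sealed_data_t, the function names are mine, and MakeSampleBlob() builds constructed filler rather than real sgx_seal_data() output.

```cpp
#include <cstdint>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// Offsets assumed from the SDK's sgx_tseal.h: a 512-byte sgx_key_request_t, then
// uint32 plain_text_offset, 12 reserved bytes, then sgx_aes_gcm_data_t
// (uint32 payload_size, 12 reserved, 16-byte tag, payload[] = ciphertext then AAD).
constexpr size_t kPlainTextOffsetPos = 512;
constexpr size_t kPayloadSizePos = 528;
constexpr size_t kSealedHeaderSize = 560;  // sizeof(sgx_sealed_data_t)
enum class SealedCheck { Ok, Missing, Truncated, SizeMismatch, BadOffset };
// bytes: the whole blob (only the sealing enclave can decrypt it); aad: MAC-protected plaintext, readable by anyone holding the file
struct SealedBlob { SealedCheck status; std::vector<uint8_t> bytes; std::vector<uint8_t> aad; };

static uint32_t ReadLe32(const std::vector<uint8_t>& b, size_t p) {
    return uint32_t(b[p]) | uint32_t(b[p + 1]) << 8 | uint32_t(b[p + 2]) << 16 | uint32_t(b[p + 3]) << 24;
}

// Structural check in the untrusted app. It cannot verify the MAC (only the enclave has the key),
// but it rejects missing, truncated or resized files before the ECALL instead of silently zero-filling them.
SealedBlob CheckSealedBytes(std::vector<uint8_t> bytes) {
    SealedBlob r{SealedCheck::Ok, std::move(bytes), {}};
    if (r.bytes.empty()) { r.status = SealedCheck::Missing; return r; }
    if (r.bytes.size() < kSealedHeaderSize) { r.status = SealedCheck::Truncated; return r; }
    uint32_t payloadSize = ReadLe32(r.bytes, kPayloadSizePos);
    uint32_t plainOffset = ReadLe32(r.bytes, kPlainTextOffsetPos);  // equals the ciphertext length
    if (kSealedHeaderSize + size_t(payloadSize) != r.bytes.size()) { r.status = SealedCheck::SizeMismatch; return r; }
    if (plainOffset > payloadSize) { r.status = SealedCheck::BadOffset; return r; }
    r.aad.assign(r.bytes.begin() + kSealedHeaderSize + plainOffset, r.bytes.end());
    return r;
}

// Reads the file the way the thread's Load() does; the caller passes r.bytes into the unseal ECALL.
SealedBlob LoadSealedFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    std::vector<uint8_t> bytes;
    if (in.good()) bytes.assign(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
    return CheckSealedBytes(std::move(bytes));
}

// Constructed sample: 0xAA filler everywhere except the two length fields and the AAD, so only the layout is real.
std::vector<uint8_t> MakeSampleBlob(uint32_t cipherLen, const std::vector<uint8_t>& aad) {
    std::vector<uint8_t> b(kSealedHeaderSize + cipherLen + aad.size(), 0xAA);
    uint32_t payloadSize = cipherLen + uint32_t(aad.size());
    for (int i = 0; i < 4; ++i) { b[kPlainTextOffsetPos + i] = uint8_t(cipherLen >> 8 * i); b[kPayloadSizePos + i] = uint8_t(payloadSize >> 8 * i); }
    for (size_t i = 0; i < aad.size(); ++i) b[kSealedHeaderSize + cipherLen + i] = aad[i];
    return b;
}
```

Modified contents are still only detected by the enclave's own unseal, which checks the tag; deletion, which the thread raises, is something the application has to notice (the Missing status here) rather than something sealing prevents.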
Nazmus_S_
Beginner

Hi You.

Thanks a lot for sharing this. Very useful.

Nazmus
