Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Loading Sealed Data to an Enclave

Nazmus_S_
Beginner
1,179 Views

Hi,

According to the developer and reference guide, generally data sealed by an enclave resides in the disk. I went through the sample codes, and saw many use cases of data sealing. However, I could not find any example where the sealed data is loaded from the disk to an enclave. Can anyone discuss the detailed procedure of loading sealed data from the disk to an enclave?

Another thing is, if I seal a file of size say, 120 MB to disk, is the sealed file visible in the file system?

Thanks.

Nazmus

0 Kudos
6 Replies
you_w_
New Contributor III
1,179 Views

Hi:
Actually the sgx_seal_data() is encrypt function using AES, and the key is generated automatically(according to your cpu and certificate used to sign the enclave). The sample doesn't include the code to write the result to disk. But it’s easy to do this. You can just make an Ocall and use the file IO function to achieve this.

Regards

you

0 Kudos
Nazmus_S_
Beginner
1,179 Views

Hi You.

Thanks a lot for your response.

So based on my understanding, at  first, we seal (apparently, which means encrypting) the sensitive data,  write the sealed/encrypted data to a text file (via OCALL), and then save this text file to the disk. So, this file containing sealed data, will be stored in the untrusted memory, and will be visible in the filesystem.

My concern is: in the context of an SGX-enabled cloud server, where the server is administered by a semi-honest administrator, is there is any major security threat on client's sensitive data. If so, what are the required steps that an application developer should follow to minimize the threat ?

Thanks.

Nazmus

0 Kudos
you_w_
New Contributor III
1,179 Views

Hi Nazmus:

The sealed file is visible in the file system. Such a administrator can access that file but can't get useful information from that file. But he or she can destroy the sealed file by modify or delete  it. Now I have no idea about this. 

Kind regards

you

0 Kudos
Nazmus_S_
Beginner
1,179 Views

That makes sense.

Thanks.

Nazmus
 

0 Kudos
you_w_
New Contributor III
1,179 Views

Hi Nazmus:

You can refer this code from https://github.com/hyperledger/sawtooth-core/tree/master/consensus/poet/sgx/sawtooth_poet_sgx/libpoet_bridge.

 class SealedData
 {
        public:
            void Load(
                const std::string& fileName,
                size_t sealedSize
                );
            void Save();
            void Clear();

            uint8_t* Data() { return &this->data[0]; }; 
            size_t Length() { return this->data.size(); }; 
        private:
            std::string fileName;
            std::vector<uint8_t> data;
  };
void SealedData::Load(
            const std::string& fileName,
            size_t sealedLength
            )
        {
            this->fileName = fileName;
            std::ifstream stateFile(this->fileName, std::ios::binary);
            if(stateFile.good()) {
                this->data.clear();
                this->data.assign(
                    std::istreambuf_iterator<char>(stateFile), 
                    std::istreambuf_iterator<char>());
                stateFile.close();

                // if we have the wrong amount of data
                if (sealedLength != data.size()) {
                    // throw it away and start over
                    // in the future we will want a function 
                    // to convert the states if the versions
                    // change.
                    this->data.resize(sealedLength);
                    ZeroV(this->data);
                }
            } else {
                this->data.resize(sealedLength);
                ZeroV(this->data);
            }
        }// SealedData::Load

        // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        void SealedData::Save()
        {
            std::ofstream output(this->fileName, std::ios::binary );

            std::copy( 
                this->data.begin(), 
                this->data.end(),
                std::ostreambuf_iterator<char>(output));
            output.close();
        } // SealedData::Save

        // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        void SealedData::Clear()
        {
            ZeroV(this->data);
            this->data.clear();
            remove(this->fileName.c_str());
        } // SealedData::Clear

Regards

you

0 Kudos
Nazmus_S_
Beginner
1,179 Views

Hi You.

Thanks a lot for sharing this. Very useful.

Nazmus

0 Kudos
Reply