- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
According to the developer and reference guide, generally data sealed by an enclave resides in the disk. I went through the sample codes, and saw many use cases of data sealing. However, I could not find any example where the sealed data is loaded from the disk to an enclave. Can anyone discuss the detailed procedure of loading sealed data from the disk to an enclave?
Another thing is, if I seal a file of size say, 120 MB to disk, is the sealed file visible in the file system?
Thanks.
Nazmus
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi:
Actually the sgx_seal_data() is encrypt function using AES, and the key is generated automatically(according to your cpu and certificate used to sign the enclave). The sample doesn't include the code to write the result to disk. But it’s easy to do this. You can just make an Ocall and use the file IO function to achieve this.
Regards
you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi You.
Thanks a lot for your response.
So based on my understanding, at first, we seal (apparently, which means encrypting) the sensitive data, write the sealed/encrypted data to a text file (via OCALL), and then save this text file to the disk. So, this file containing sealed data, will be stored in the untrusted memory, and will be visible in the filesystem.
My concern is: in the context of an SGX-enabled cloud server, where the server is administered by a semi-honest administrator, is there is any major security threat on client's sensitive data. If so, what are the required steps that an application developer should follow to minimize the threat ?
Thanks.
Nazmus
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nazmus:
The sealed file is visible in the file system. Such a administrator can access that file but can't get useful information from that file. But he or she can destroy the sealed file by modify or delete it. Now I have no idea about this.
Kind regards
you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That makes sense.
Thanks.
Nazmus
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nazmus:
You can refer this code from https://github.com/hyperledger/sawtooth-core/tree/master/consensus/poet/sgx/sawtooth_poet_sgx/libpoet_bridge.
class SealedData { public: void Load( const std::string& fileName, size_t sealedSize ); void Save(); void Clear(); uint8_t* Data() { return &this->data[0]; }; size_t Length() { return this->data.size(); }; private: std::string fileName; std::vector<uint8_t> data; };
void SealedData::Load( const std::string& fileName, size_t sealedLength ) { this->fileName = fileName; std::ifstream stateFile(this->fileName, std::ios::binary); if(stateFile.good()) { this->data.clear(); this->data.assign( std::istreambuf_iterator<char>(stateFile), std::istreambuf_iterator<char>()); stateFile.close(); // if we have the wrong amount of data if (sealedLength != data.size()) { // throw it away and start over // in the future we will want a function // to convert the states if the versions // change. this->data.resize(sealedLength); ZeroV(this->data); } } else { this->data.resize(sealedLength); ZeroV(this->data); } }// SealedData::Load // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX void SealedData::Save() { std::ofstream output(this->fileName, std::ios::binary ); std::copy( this->data.begin(), this->data.end(), std::ostreambuf_iterator<char>(output)); output.close(); } // SealedData::Save // XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX void SealedData::Clear() { ZeroV(this->data); this->data.clear(); remove(this->fileName.c_str()); } // SealedData::Clear
Regards
you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi You.
Thanks a lot for sharing this. Very useful.
Nazmus
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page