AAhma10
Novice

Query about EGETKEY

Hi,

As far as I understand, the EGETKEY command which is used to get a bunch of different keys uses some sort of hardware key to generate the sub-keys? Is that correct? If yes, are the hardware keys the same for each SGX machine or are they different per-machine?

Thanks!

Adil


6 Replies

Hi,

The Intel® SGX Architecture provides the hardware instructions, EREPORT and EGETKEY, to support attestation and sealing. The EREPORT instruction provides an evidence structure that is cryptographically bound to the hardware for consumption by attestation verifiers. EGETKEY provides enclave software with access to the “Report” and “Seal” keys used in the attestation and sealing process. EGETKEY provides access to persistent Sealing Keys that enclave software can use to encrypt and integrity-protect data.

When invoking EGETKEY, the enclave selects criteria, or a policy, for which enclaves may access this sealing key. These policies are useful for controlling the accessibility of sensitive data to future versions of the enclave.

Intel® SGX supports two policies for Seal Keys:
Sealing to the Enclave Identity
Sealing to the Sealing Identity

Please refer to the link below for more information.

-Surenthar

AAhma10
Novice

Hi,

Thanks for the answer. Sorry if my question was unclear, but I was wondering if one could get the same SGX seal key for different enclaves running on different SGX machines? I know that EGETKEY uses a hardware key to create its seal key along with either enclave information or the signer's key. But is that hardware key different per machine or the same, which could essentially mean that we can theoretically get the same key if we run the same enclave on different machines?

Thanks!

Adil

Huorong_L_
New Contributor I

Hi Adil,

AFAIK, all keys are device dependent, i.e. on a different machine (CPU) the same enclave will get different keys using EGETKEY.


Hi Adil,

SGX seal keys are unique to the platform. Two different systems will not derive the same key from the same enclave.

-Surenthar
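As an added illustration of the two points made in this thread, the Seal Key policies (Enclave Identity vs. Sealing Identity) and the platform-unique derivation, here is a Python model of what EGETKEY's output depends on. This is not code from the thread or from the Intel SGX SDK: the platform root keys, measurements and the HMAC-based PRF are constructed stand-ins, and the real CPU-internal derivation and full KEYREQUEST layout are not reproduced.

```python
import hmac
import hashlib

# Constructed sample values for the model. None of these are real SGX
# keys or measurements; a real platform's root key never leaves the CPU.
PLATFORM_A_ROOT = b"constructed-root-key-platform-A"
PLATFORM_B_ROOT = b"constructed-root-key-platform-B"
MRSIGNER_ACME = hashlib.sha256(b"constructed signer identity").digest()
MRENCLAVE_V1 = hashlib.sha256(b"constructed enclave build 1").digest()
MRENCLAVE_V2 = hashlib.sha256(b"constructed enclave build 2").digest()

POLICY_MRENCLAVE = "MRENCLAVE"  # seal to the Enclave Identity
POLICY_MRSIGNER = "MRSIGNER"    # seal to the Sealing (signer) Identity


def model_seal_key(platform_root, policy, mrenclave, mrsigner, isv_prod_id, isv_svn):
    """Toy stand-in for EGETKEY's seal-key derivation (model only).

    Only the dependency structure is modelled: the key is a PRF of a
    per-platform secret and whichever identity the selected policy binds.
    """
    if policy == POLICY_MRENCLAVE:
        identity = b"MRENCLAVE" + mrenclave
    elif policy == POLICY_MRSIGNER:
        identity = b"MRSIGNER" + mrsigner + isv_prod_id.to_bytes(2, "little")
    else:
        raise ValueError("unknown key policy")
    msg = identity + isv_svn.to_bytes(2, "little")
    return hmac.new(platform_root, msg, hashlib.sha256).digest()


def compare_keys():
    """Which derivations agree: same enclave on another platform (no),
    a new build under MRENCLAVE policy (no), a new build under MRSIGNER
    policy (yes, which is why signer sealing survives enclave upgrades)."""
    a_v1_enc = model_seal_key(PLATFORM_A_ROOT, POLICY_MRENCLAVE, MRENCLAVE_V1, MRSIGNER_ACME, 1, 1)
    b_v1_enc = model_seal_key(PLATFORM_B_ROOT, POLICY_MRENCLAVE, MRENCLAVE_V1, MRSIGNER_ACME, 1, 1)
    a_v2_enc = model_seal_key(PLATFORM_A_ROOT, POLICY_MRENCLAVE, MRENCLAVE_V2, MRSIGNER_ACME, 1, 1)
    a_v1_sig = model_seal_key(PLATFORM_A_ROOT, POLICY_MRSIGNER, MRENCLAVE_V1, MRSIGNER_ACME, 1, 1)
    a_v2_sig = model_seal_key(PLATFORM_A_ROOT, POLICY_MRSIGNER, MRENCLAVE_V2, MRSIGNER_ACME, 1, 1)
    return {
        "same_enclave_other_platform": a_v1_enc == b_v1_enc,
        "new_build_mrenclave_policy": a_v1_enc == a_v2_enc,
        "new_build_mrsigner_policy": a_v1_sig == a_v2_sig,
    }
```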

AAhma10
Novice

Okay, that answers my question. Thanks a lot for the replies!

Adil

Anandakumar
Beginner

Hi @selvaraj,

During sgx_create_report, which key is used to generate sgx_msc_t (the CMAC value of the report data)?

How does the QE (Quoting Enclave) verify the CMAC value?

Is that key accessible to both the app enclave and the QE?

thanks!