Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1521 Discussions

Query about EGETKEY

AAhma10
Novice
‎12-09-2016 12:19 AM
2,295 Views
Solved Jump to solution

Hi,

As far as I understand, the EGETKEY command which is used to get a bunch of different keys uses some sort of hardware key to generate the sub-keys? Is that correct? If yes, are the hardware keys the same for each SGX machine or are they different per-machine?

Thanks!

Adil

0 Kudos
1 Solution
Huorong_L_
New Contributor I
‎12-13-2016 12:40 AM
2,295 Views
Solved Jump to solution

Hi Adil,

AFAIK, all keys are device independent, i.e. on different machine(CPU) the same enclave will get different keys using EGETKEY.

View solution in original post

0 Kudos
Copy link

Link Copied

6 Replies
Surenthar_S_Intel
Employee
‎12-11-2016 08:55 PM
2,295 Views
Solved Jump to solution

Hi,

The Intel® SGX Architecture provides the hardware instructions, EREPORT and EGETKEY, to support attestation and sealing. The EREPORT instruction provides an evidence structure that is cryptographically bound to the hardware for consumption by attestation verifiers. EGETKEY provides enclave software with access to the “Report” and “Seal” keys used in the attestation and sealing process. EGETKEY provides access to persistent Sealing Keys that enclave software can use to encrypt and integrity-protect data.

When invoking EGETKEY, the enclave selects criteria, or a policy, for which enclaves may access this sealing key. These policies are useful for controlling the accessibility of sensitive data to future versions of the enclave.

Intel® SGX supports two policies for Seal Keys:
Sealing to the Enclave Identity
Sealing to the Sealing Identity

Please refer the below link for more information

-Surenthar

0 Kudos
Copy link
AAhma10
Novice
‎12-12-2016 10:26 PM
2,295 Views
Solved Jump to solution

Hi,

Thanks for the answer. Sorry if my question was unclear but I was wondering if one could get the same SGX seal key per different enclaves running on different SGX machines? I know that EGETKEY uses a hardware key to create its seal key alongwith either enclave information or signer's key. But is that hardware key different per machine or the same which could essentially mean that we can theoretically get the same key if we run the same enclave on different machines.

Thanks!

Adil

0 Kudos
Copy link
Huorong_L_
New Contributor I
‎12-13-2016 12:40 AM
2,296 Views
Solved Jump to solution

Hi Adil,

AFAIK, all keys are device independent, i.e. on different machine(CPU) the same enclave will get different keys using EGETKEY.

0 Kudos
Copy link
Surenthar_S_Intel
Employee
‎12-14-2016 07:03 PM
2,295 Views
Solved Jump to solution

Hi Adil,

SGX seal keys are unique to the platform. Two different systems will not derive the same key from the same enclave.

-Surenthar

0 Kudos
Copy link
AAhma10
Novice
‎12-14-2016 07:48 PM
2,295 Views
Solved Jump to solution

Okay, that answers my question. Thanks a lot for the replies!

Adil 

0 Kudos
Copy link
Anandakumar
New Contributor II
‎08-08-2019 04:02 AM
2,295 Views
Solved Jump to solution

Hi @selvaraj,

While sgx_create_report, which key is used to generated sgx_msc_t (CMAC value of report data) ?

How QE(Quoting Enclave) Verifies the CMAC value!?

Is that key accessible to both app enclave and QE?

 

thanks!

 

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.