As far as I understand, the EGETKEY command which is used to get a bunch of different keys uses some sort of hardware key to generate the sub-keys? Is that correct? If yes, are the hardware keys the same for each SGX machine or are they different per-machine?
The Intel® SGX Architecture provides the hardware instructions, EREPORT and EGETKEY, to support attestation and sealing. The EREPORT instruction provides an evidence structure that is cryptographically bound to the hardware for consumption by attestation verifiers. EGETKEY provides enclave software with access to the “Report” and “Seal” keys used in the attestation and sealing process. EGETKEY provides access to persistent Sealing Keys that enclave software can use to encrypt and integrity-protect data.
When invoking EGETKEY, the enclave selects criteria, or a policy, for which enclaves may access this sealing key. These policies are useful for controlling the accessibility of sensitive data to future versions of the enclave.
Intel® SGX supports two policies for Seal Keys:
Sealing to the Enclave Identity
Sealing to the Sealing Identity
Please refer the below link for more information
Thanks for the answer. Sorry if my question was unclear but I was wondering if one could get the same SGX seal key per different enclaves running on different SGX machines? I know that EGETKEY uses a hardware key to create its seal key alongwith either enclave information or signer's key. But is that hardware key different per machine or the same which could essentially mean that we can theoretically get the same key if we run the same enclave on different machines.
While sgx_create_report, which key is used to generated sgx_msc_t (CMAC value of report data) ?
How QE(Quoting Enclave) Verifies the CMAC value!?
Is that key accessible to both app enclave and QE?