Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Beginner
43 Views

Question about Sealing

Jump to solution

Hi,

As "Intel® Software Guard Extensions - Developer Guide" describes:

"

In order to
protect and preserve the data, a mechanism is in place which allows enclave software to
retrieve a key unique to that enclave. This key can only be generated by that enclave on that
particular platform. 

 

"

So my question is :

If the sealed data is stored in hard disk on platform A(intel chip A), then the platform A is replaced with platform B(another intel chip B).Can sealed data stored in the same hard disk be unsealed by the platform B?

If the platform B can unseal the data sealed by platform A, how to implement?

Thanks

0 Kudos

Accepted Solutions
Highlighted
43 Views

Hi Nia,

The “back end server” would be a remote attestation service. Please refer the Remote attestation section in user guide document

Thanks and Reagrds,
Surenthar Selvaraj

- Surenthar Selvaraj

View solution in original post

0 Kudos
5 Replies
Highlighted
43 Views

Hi Nia,

There are two types of Enclave sealing options for the sealing data:

Sealing to Current Enclave :
This uses the current version of enclave measurement(MRENCLAVE), taken when enclave is created. So slight modification in enclave data prevents to get the sealing key and it's unsealed data.Only an enclave with the same MRENCLAVE measurement will be able to unseal the data.

Sealing to Enclave Author:
Sealing to the enclave author uses the identity of enclave author, which cpu stores in the MRSIGNER register at enclave initialization time, and binds this value to the key used by the seal data function. This type of "sealing the data" helps to unseal the data sealed by the same "Enclave Author" irrespective of measurement(MRENCLAVE) value. It helps the enclaves from the same author to share  the sealed data. This allows for enclave up-gradation and unsealing the sealed data with respect to earlier version number.

But If an application is moved from an old Intel SGX system to a new Intel SGX system(platform upgrade) or from one processor to another(CPU replacement in a system or load balancing in a cloud environment) the enclave will not be able to unseal the data in the new platform.Data migration typically requires a back-end server that verifies the identity of the enclave on the old system and the enclave on the new system,and facilitates the key exchange between the two systems to share the data

Thanks and Regards,
Surenthar Selvaraj

- Surenthar Selvaraj
0 Kudos
Highlighted
Beginner
43 Views

Hi Surenthar,

Thanks for your detailed reply.

"Data migration typically requires a back-end server that verifies the identity of the enclave on the old system and the enclave on the new system,and facilitates the key exchange between the two systems to share the data"

Could Intel provide some services like the back-end server ? That's the real use case when we may happen from end customers. 

0 Kudos
Highlighted
43 Views

Hi Nia,

Before the Intel SGX technology, the hardware platform was never part of the TCB for encrypting user data. This allowed the user to easily migrate their data, even if it was encrypted, from one platform to another. Now the CPU is used to help determine the enclave’s sealing key. Therefore, migrating a user’s data from one platform to the next now requires careful planning.
If an application is moved from an old Intel SGX system to a new Intel SGX system (platform upgrade) or from one processor to another (CPU replacement in a system or load balancing in a cloud environment) the enclave will not be able to unseal the data in the new platform. Data migration typically requires a back-end server that verifies the identity of the enclave on the old system and the enclave on the new system, and facilitates the key exchange between the two systems to share the data.

Regardless of the specific method that an ISV uses to migrate data, the seal key should not be shared outside an enclave because it could compromise all data previously sealed by the enclave

Thanks and Regards,
Surenthar Selvaraj

- Surenthar Selvaraj
0 Kudos
Highlighted
Beginner
43 Views

Hi Surenthar,

I just want to know how to build the back-end server,which can be used to verify the identity of the enclave on the old system and the enclave on the new system, and facilitate the key exchange between the two systems to share the data.

Could you provide some guidelines to implement this back-end server?

Thanks

 

0 Kudos
Highlighted
44 Views

Hi Nia,

The “back end server” would be a remote attestation service. Please refer the Remote attestation section in user guide document

Thanks and Reagrds,
Surenthar Selvaraj

- Surenthar Selvaraj

View solution in original post

0 Kudos