Anandakumar
Beginner

Question on SGX UnSealing after TCB recovery


Hello All,

Is TCB recovery needed for unsealing the data after a BIOS update?

"I am not sure that I formed above question correctly."

Is it required to retrieve the previous TCB's seal key to unseal the data after TCB recovery/BIOS update?

I couldn't get detailed information on how to get the previous TCB version's seal key. So I want more references/documents on TCB recovery.

Any updates or info will be appreciated.

Thanks,

Anand


Accepted Solutions
JesusG_Intel
Moderator

Hello Anandakumar,


You do not need to worry about the TCB update if you use the sgx_seal_data, sgx_seal_data_ex, and sgx_unseal_data API to seal and unseal data. According to the Intel SGX Developer Reference Guide for Windows or Linux:


"The sealing data API generates a data blob (sgx_sealed_data_t), which contains all the necessary information to unseal the blob even after updating the platform firmware. Without this information, unsealing may fail."


Sincerely,

Jesus G.

Intel Customer Support
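To make the accepted answer concrete, here is an added example; it is not code from this thread and not the Intel SGX SDK. It is a small C model of what sgx_seal_data and sgx_unseal_data do with the key request, written to show the rule that answers the question: the blob carries the CPU SVN and ISV SVN it was sealed under (the key_request field of sgx_sealed_data_t), and unsealing re-derives the key from those stored values, which the hardware permits as long as they are not newer than the platform's current SVN. The fuse secret, MRSIGNER value, key ID, secret bytes and the FNV-based key derivation, keystream and MAC are all constructed stand-ins; real SGX derives the key inside the CPU with EGETKEY and encrypts with AES-GCM.

```c
/* Toy model of SGX sealing across a TCB recovery. NOT the Intel SGX SDK: key derivation,
 * cipher and MAC are FNV-1a stand-ins, chosen only to make the SVN rules visible. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PT 64

/* The fields that the real sgx_key_request_t carries inside sgx_sealed_data_t. */
typedef struct { uint8_t cpu_svn; uint16_t isv_svn; uint32_t key_id; } key_request_t;

typedef struct {
    key_request_t key_request;  /* copied into the blob at seal time */
    uint64_t tag;               /* toy MAC over the ciphertext */
    uint8_t ct[MAX_PT];
    size_t len;
} sealed_blob_t;

typedef struct { uint64_t fuse_secret; uint8_t cpu_svn; } platform_t;  /* per-CPU root key + current TCB */
typedef struct { uint64_t mrsigner; uint16_t isv_svn; } enclave_t;

enum { SEAL_OK = 0, ERR_INVALID_CPUSVN, ERR_INVALID_ISVSVN, ERR_MAC_MISMATCH, ERR_TOO_LONG };

static uint64_t fnv1a(const void *buf, size_t n, uint64_t h) {
    const uint8_t *b = buf;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

/* EGETKEY model. The hardware rule that answers the thread's question: a platform may derive
 * seal keys for its current CPU SVN and any OLDER one (so blobs sealed before a BIOS/microcode
 * update stay readable), but never for a NEWER SVN. The same rule applies to the ISV SVN. */
static int egetkey(const platform_t *p, const enclave_t *e, const key_request_t *r, uint64_t *key) {
    if (r->cpu_svn > p->cpu_svn) return ERR_INVALID_CPUSVN;   /* SGX_ERROR_INVALID_CPUSVN in the SDK */
    if (r->isv_svn > e->isv_svn) return ERR_INVALID_ISVSVN;   /* SGX_ERROR_INVALID_ISVSVN in the SDK */
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a(&p->fuse_secret, sizeof p->fuse_secret, h);
    h = fnv1a(&e->mrsigner, sizeof e->mrsigner, h);          /* MRSIGNER policy: same signer, any version */
    h = fnv1a(&r->cpu_svn, sizeof r->cpu_svn, h);
    h = fnv1a(&r->isv_svn, sizeof r->isv_svn, h);
    h = fnv1a(&r->key_id, sizeof r->key_id, h);
    *key = h;
    return SEAL_OK;
}

static uint8_t ks(uint64_t key, size_t i) { return (uint8_t)fnv1a(&i, sizeof i, key); }  /* toy keystream */

/* Like sgx_seal_data: the key request is filled from the CURRENT platform and enclave SVNs. */
static int seal(const platform_t *p, const enclave_t *e, const uint8_t *pt, size_t n, sealed_blob_t *b) {
    if (n > MAX_PT) return ERR_TOO_LONG;
    b->key_request.cpu_svn = p->cpu_svn;
    b->key_request.isv_svn = e->isv_svn;
    b->key_request.key_id = 0x5ea1;                          /* constructed key id */
    uint64_t k; int rc = egetkey(p, e, &b->key_request, &k);
    if (rc) return rc;
    for (size_t i = 0; i < n; i++) b->ct[i] = pt[i] ^ ks(k, i);
    b->len = n;
    b->tag = fnv1a(b->ct, n, k);
    return SEAL_OK;
}

/* Like sgx_unseal_data: the key is re-derived from the request STORED IN THE BLOB, not from
 * whatever the platform's SVN is now. That is why no "previous TCB seal key" has to be kept. */
static int unseal(const platform_t *p, const enclave_t *e, const sealed_blob_t *b, uint8_t *pt) {
    uint64_t k; int rc = egetkey(p, e, &b->key_request, &k);
    if (rc) return rc;
    if (fnv1a(b->ct, b->len, k) != b->tag) return ERR_MAC_MISMATCH;
    for (size_t i = 0; i < b->len; i++) pt[i] = b->ct[i] ^ ks(k, i);
    return SEAL_OK;
}

/* Scenario: seal at CPU SVN 3, apply a TCB recovery (SVN 4), unseal, then re-seal.
 * Returns the CPU SVN recorded in the re-sealed blob (4) on success, or a negative error. */
int demo_tcb_recovery(void) {
    platform_t plat = { .fuse_secret = 0x0123456789abcdefULL, .cpu_svn = 3 };  /* constructed */
    enclave_t encl = { .mrsigner = 0xfeedULL, .isv_svn = 1 };                  /* constructed */
    static const uint8_t secret[] = "constructed-secret";
    sealed_blob_t old_blob, new_blob; uint8_t out[MAX_PT] = {0};
    if (seal(&plat, &encl, secret, sizeof secret, &old_blob)) return -1;
    plat.cpu_svn = 4;                                        /* BIOS/microcode update: TCB recovery */
    if (unseal(&plat, &encl, &old_blob, out)) return -2;     /* still opens: the request says cpu_svn 3 */
    if (memcmp(out, secret, sizeof secret) != 0) return -3;
    if (seal(&plat, &encl, out, sizeof secret, &new_blob)) return -4;  /* re-seal under the new TCB */
    return new_blob.key_request.cpu_svn;
}

/* Scenario: a blob sealed on an updated platform (SVN 4) presented to the same CPU still at SVN 3. */
int demo_downgraded_platform(void) {
    platform_t plat = { .fuse_secret = 0x0123456789abcdefULL, .cpu_svn = 4 };
    enclave_t encl = { .mrsigner = 0xfeedULL, .isv_svn = 1 };
    static const uint8_t secret[] = "constructed-secret";
    sealed_blob_t b; uint8_t out[MAX_PT];
    if (seal(&plat, &encl, secret, sizeof secret, &b)) return -1;
    plat.cpu_svn = 3;                                        /* older, possibly vulnerable TCB */
    return unseal(&plat, &encl, &b, out);                    /* ERR_INVALID_CPUSVN */
}

int main(void) {
    printf("re-sealed at cpu_svn %d\n", demo_tcb_recovery());
    printf("older platform rc %d\n", demo_downgraded_platform());
    return 0;
}
```

The second scenario is the check a practitioner should expect to fail: a blob sealed after the update cannot be opened by a platform still running the older TCB, because key derivation refuses a request for a CPU SVN above the current one. The converse direction is exactly why old blobs keep working after the BIOS update, and it is also why it is good practice to re-seal data once it has been unsealed on the updated platform, as demo_tcb_recovery does, so that new blobs are bound to the current SVN rather than to the one the vulnerability was fixed in.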



8 Replies

Anandakumar
Beginner

Hi Jesus,

Thanks for your response. Now I understand the sealing.

Regarding TCB recovery/TCB update, what about the remote attestation process after a TCB update?

Do we need to do anything specific to recover the attestation key?

 

JesusG_Intel
Moderator

Hello Anand,


Attestation - SGX 101, https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation#platform-provisioning, is a worthwhile read that will answer all of your questions. Excerpt:


"So how does QE obtain this attestation key in the first place? In this tutorial we explain the provisioning process in which an SGX platform receives its remote attestation key.


Provisioning is the process by which an SGX device demonstrates to Intel its authenticity as well as its CPU SVN and other system components' attributes, in order to receive an appropriate attestation key reflecting its SGX genuineness and TCB version. Normally, provisioning is done during the platform's initial setup phase, but re-provisioning can also be performed after purchase due to updates to crucial system components such as firmware, BIOS or microcode due to vulnerabilities. In such cases, the attestation key may be replaced to reflect the platform's renewed TCB security level."


Sincerely,

Jesus G.

Intel Customer Support


Anandakumar
Beginner

Hi Jesus,

I just want to know whether the report attestation key retrieval process happens automatically or whether any human input is needed.

 

Thanks 

Anand

JesusG_Intel
Moderator

Hello Anand,


The generation of the new attestation key is done automatically by the AESMD. The user does not have to do anything specific.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.