Hello Anandakumar,

You do not need to worry about the TCB update if you use the sgx_seal_data, sgx_seal_data_ex, and sgx_unseal_data API to seal and unseal data. According to the Intel SGX Developer Reference Guide for Windows or Linux:

"The sealing data API generates a data blob (sgx_sealed_data_t), which contains all the necessary information to unseal the blob even after updating the platform firmware. Without this information, unsealing may fail."

Sincerely,

Jesus G.

Intel Customer Support

Hello Anand,

Attestation - SGX 101, https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation#platform-provisioning, is a worthwhile read that will answer all of your questions. Excerpt:

"So how does QE obtain this attestation key in the first place? In this tutorial we explain the provisioning process in which an SGX platform receives its remote attestation key.

Provisioning is the process by which an SGX device demonstrates to Intel its authenticity as well as its CPU SVN and other system components attributes, in order to receive an appropriate attestation key reflecting its SGX genuinely and TCB version. Normally, provisioning is done during platform initial setup phase, but re-provisioning can also be performed after purchase due to update to crucial system components such as firmware, BIOS or microcode due to vulnerabilities. In such cases, the attestation key may be replaced to reflect platform renewed TCB security level."

Sincerely,

Jesus G.

Intel Customer Support

Hello Anand,

The generation of the new attestation key is done automatically by the AESMD. The user does not have to do anything specific.

Sincerely,

Jesus G.

Intel Customer Support

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.