- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
Does TCB recovery is needed for unsealing the data after BIOS update?
"I am not sure that I formed above question correctly."
Is it required to retrive previous TCB's seal key to unseal the data after TCB recovery/BIOS update?
I couldn't get detailed informations on how to get previous TCB version seal key. So I want more references/documents on TCB recovery.
Any updates or info will be appreciated.
Thanks,
Anand
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anandakumar,
You do not need to worry about the TCB update if you use the sgx_seal_data, sgx_seal_data_ex, and sgx_unseal_data API to seal and unseal data. According to the Intel SGX Developer Reference Guide for Windows or Linux:
"The sealing data API generates a data blob (sgx_sealed_data_t), which contains all the necessary information to unseal the blob even after updating the platform firmware. Without this information, unsealing may fail."
Sincerely,
Jesus G.
Intel Customer Support
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anandakumar,
You do not need to worry about the TCB update if you use the sgx_seal_data, sgx_seal_data_ex, and sgx_unseal_data API to seal and unseal data. According to the Intel SGX Developer Reference Guide for Windows or Linux:
"The sealing data API generates a data blob (sgx_sealed_data_t), which contains all the necessary information to unseal the blob even after updating the platform firmware. Without this information, unsealing may fail."
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anandakumar,
You do not need to worry about the TCB update if you use the sgx_seal_data, sgx_seal_data_ex, and sgx_unseal_data API to seal and unseal data. According to the Intel SGX Developer Reference Guide for Windows or Linux:
"The sealing data API generates a data blob (sgx_sealed_data_t), which contains all the necessary information to unseal the blob even after updating the platform firmware. Without this information, unsealing may fail."
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anandakumar,
You do not need to worry about the TCB update if you use the sgx_seal_data, sgx_seal_data_ex, and sgx_unseal_data API to seal and unseal data. According to the Intel SGX Developer Reference Guide for Windows or Linux:
"The sealing data API generates a data blob (sgx_sealed_data_t), which contains all the necessary information to unseal the blob even after updating the platform firmware. Without this information, unsealing may fail."
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jesus,
Thanks for your response. Now I undertood about the Sealing.
Regarding TCB Recovery/TCB update, What about the Remote attestation process after TCB update?
Do we need to anything specific to recover attestation key?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anand,
Attestation - SGX 101, https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation#platform-provisioning, is a worthwhile read that will answer all of your questions. Excerpt:
"So how does QE obtain this attestation key in the first place? In this tutorial we explain the provisioning process in which an SGX platform receives its remote attestation key.
Provisioning is the process by which an SGX device demonstrates to Intel its authenticity as well as its CPU SVN and other system components attributes, in order to receive an appropriate attestation key reflecting its SGX genuinely and TCB version. Normally, provisioning is done during platform initial setup phase, but re-provisioning can also be performed after purchase due to update to crucial system components such as firmware, BIOS or microcode due to vulnerabilities. In such cases, the attestation key may be replaced to reflect platform renewed TCB security level."
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jesus,
I just want to know whether the Report attestation key retrival process happens automatically or any human input needed.
Thanks
Anand
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anand,
The generation of the new attestation key is done automatically by the AESMD. The user does not have to do anything specific.
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page