Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

copy sealed data between different machines

Gross__Noam
Beginner

Hi,
I sealed data with an enclave that uses the MRENCLAVE key policy and saved the sealed data to a file (via an ocall).
If I copy the sealed data to another machine and launch the same enclave there, should it be able to unseal the data?

Scott_R_Intel
Employee

Hello.

No, the keys derived on one CPU using either MRENCLAVE or MRSIGNER policies will not be the same as keys on another CPU.  The sealing keys are CPU specific.  More info in this video:  https://software.intel.com/en-us/videos/how-to-seal-data-in-intel-sgx

To be able to seal sharable data blobs between two different CPUs would require the use of SGX remote attestation to provision shared key(s) to both enclaves that could then be used to seal/unseal the data.

Regards.

Scott

guoqing
Employee

@Scott_R_Intel As you said, to unseal data on a different machine, we first need to provision a shared key by remote attestation and then use it to seal/unseal the data. However, I looked through the SDK documentation, and neither sgx_seal_data_ex nor sgx_unseal_data has a parameter through which we can pass in the shared key. How should we use the shared key? Can we use a protected file?

Thanks,

Meng Guo qing

Scott_R_Intel
Employee

Hello again.

You are correct... By design, the higher level seal/unseal functions in the SGX SDK all ultimately end up using the CPU specific sealing keys. For example, if you follow the code flow for sgx_seal_data, you'll see it ultimately calls the EGETKEY wrapper function, called sgx_get_key. To use a key you have provisioned yourself after a successful SGX remote attestation, one way would be to take this code and modify it in your own library to use that pre-provisioned key versus calling sgx_get_key.

Hope this helps.

Scott

Anandakumar
New Contributor II

Hi,

I have been in a similar situation where I needed to share a common key between two enclaves.

My approach is that each enclave creates an asymmetric key, and in the attestation report you have the option to add some bytes of data to the report body, so add your public key to the report body. Each enclave then shares its report with the other. After successful verification, using the public key in the report, one enclave can encrypt the data and share it with the respective enclave.

Here, IAS attestation verification needs to be done in the trusted part.

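The public-key-in-report exchange described in the last reply, as an added example that is not part of the original thread: a Python model of the check the receiving side runs on a peer's report body once the quote itself has been verified (for example through IAS). The function names, the convention of placing SHA-256 of the public key in the first 32 bytes of the 64-byte report data, and the sample values are assumptions; the field offsets follow the SGX report body layout.

```python
import hashlib
import hmac

# Field offsets inside the 384-byte SGX report body.
REPORT_BODY_LEN = 384
MRENCLAVE = slice(64, 96)
REPORT_DATA = slice(320, 384)


def report_data_for(pubkey: bytes) -> bytes:
    """Assumed convention: SHA-256(pubkey) followed by 32 zero bytes."""
    return hashlib.sha256(pubkey).digest() + bytes(32)


def check_peer(report_body: bytes, peer_pubkey: bytes, expected_mrenclave: bytes) -> bool:
    """Accept peer_pubkey only if the attested report vouches for it.

    Call this only after the quote signature has been verified.
    """
    if len(report_body) != REPORT_BODY_LEN:
        return False
    # The report must come from the enclave build we intend to share data with.
    if not hmac.compare_digest(report_body[MRENCLAVE], expected_mrenclave):
        return False
    # The key must be the one the enclave placed in its report data.
    return hmac.compare_digest(report_body[REPORT_DATA], report_data_for(peer_pubkey))


def make_sample_body(mrenclave: bytes, pubkey: bytes) -> bytes:
    """Build a constructed report body for the demo; other fields are zero."""
    body = bytearray(REPORT_BODY_LEN)
    body[MRENCLAVE] = mrenclave
    body[REPORT_DATA] = report_data_for(pubkey)
    return bytes(body)


# Constructed sample values, not real measurements or keys.
SAMPLE_MRENCLAVE = hashlib.sha256(b"constructed enclave build").digest()
SAMPLE_PUBKEY = b"constructed-public-key-bytes"

if __name__ == "__main__":
    body = make_sample_body(SAMPLE_MRENCLAVE, SAMPLE_PUBKEY)
    print("genuine key accepted:", check_peer(body, SAMPLE_PUBKEY, SAMPLE_MRENCLAVE))
    print("substituted key accepted:", check_peer(body, b"substituted-key", SAMPLE_MRENCLAVE))
    print("other enclave accepted:", check_peer(body, SAMPLE_PUBKEY, bytes(32)))
```

Only a key that passes this check should be used to wrap the shared sealing key sent to the other enclave.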