I sealed data with an enclave that uses the MRENCLAVE key policy, and saved the sealed data into a file (via an OCALL).
If I copy the sealed data to another machine and launch the same enclave there, should it be able to unseal the data?
No, the keys derived on one CPU using either MRENCLAVE or MRSIGNER policies will not be the same as keys on another CPU. The sealing keys are CPU specific. More info in this video: https://software.intel.com/en-us/videos/how-to-seal-data-in-intel-sgx
To be able to seal sharable data blobs between two different CPUs would require the use of SGX remote attestation to provision shared key(s) to both enclaves that could then be used to seal/unseal the data.
@Scott_R_Intel As you said, to unseal data on a different machine we first need to provision a shared key by remote attestation, then use it to seal/unseal the data. However, I looked through the SDK document, and neither sgx_seal_data_ex nor sgx_unseal_data has a parameter through which we can input the shared key. How should we use the shared key? Can we use the protected file?
Meng Guo qing
You are correct... By design, the higher level seal/unseal functions in the SGX SDK all ultimately end up using the CPU specific sealing keys. For example, if you follow the code flow for sgx_seal_data, you'll see it ultimately calls the EGETKEY wrapper function, called sgx_get_key. To use a key you have provisioned yourself after a successful SGX remote attestation, one way would be to take this code and modify it in your own library to use that pre-provisioned key versus calling sgx_get_key.
Hope this helps.
I have been in a similar situation where I needed to share a common key between two enclaves.
My approach is that each enclave has to create an asymmetric key, and in the attestation report you have an option to add some bytes of data in the report body. So add your pubkey to the report body. Now each enclave has to share its report with the other. After successful verification, using the pub key in the report one enclave can encrypt the data and share it with the respective enclave.
Here, IAS attestation verification needs to be done in the trusted part.
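The key exchange described in the post above, as an added Go example that is not part of this thread or of the Intel SGX SDK. `Report` is a constructed stand-in for the SGX report's MRENCLAVE and REPORTDATA fields, the `SHA-256(pubkey) || zeros` layout of REPORTDATA and the X25519 key agreement are this example's own choices, and the IAS (quote) verification the post calls for is assumed to have already passed in the trusted part before `verifyPeer` is called.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Report is a constructed stand-in for the two SGX report fields used here.
type Report struct {
	MREnclave  [32]byte // identity of the enclave that produced the report
	ReportData [64]byte // caller-chosen bytes covered by the report's MAC
}
// bindPubKey commits a key to a report: REPORTDATA = SHA-256(pub) || zeros.
func bindPubKey(pub *ecdh.PublicKey) (rd [64]byte) {
	h := sha256.Sum256(pub.Bytes())
	copy(rd[:], h[:])
	return rd
}
// verifyPeer accepts pub only if the attested report is from the expected enclave and commits to this exact key.
func verifyPeer(r Report, wantMR [32]byte, pub *ecdh.PublicKey) error {
	if r.MREnclave != wantMR {
		return errors.New("MRENCLAVE mismatch")
	}
	if r.ReportData != bindPubKey(pub) {
		return errors.New("REPORTDATA does not commit to this public key")
	}
	return nil
}
// provisionSharedKey derives the key both enclaves seal with, replacing the
// CPU-bound key that sgx_get_key (EGETKEY) would return.
func provisionSharedKey(mine *ecdh.PrivateKey, peer Report, peerMR [32]byte, peerPub *ecdh.PublicKey) ([]byte, error) {
	if err := verifyPeer(peer, peerMR, peerPub); err != nil {
		return nil, err
	}
	shared, err := mine.ECDH(peerPub) // X25519 shared secret
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("shared-seal-key|"), shared...))
	return k[:], nil
}

func main() { // smoke run: enclave B provisions a key from enclave A's report
	mr := [32]byte{1} // constructed MRENCLAVE, identical on both machines
	a, _ := ecdh.X25519().GenerateKey(rand.Reader)
	b, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, err := provisionSharedKey(b, Report{MREnclave: mr, ReportData: bindPubKey(a.PublicKey())}, mr, a.PublicKey())
	println("provisioned on B:", err == nil)
}
```

The 32-byte result is what a modified copy of the SDK's sealing code would use where it currently calls sgx_get_key, so the same blob unseals on either CPU.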