Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question about sealing policy

riclee
Beginner
691 Views

As far as I know, there are two sealing policies: sealing to mrenclave or mrsigner. The sealing key is derived from the root sealing key. If I seal data on one processor, I cannot unseal the encrypted data on another processor (see the link: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Question-about-Sealing/m-p/1062514 ). I don't know what the use of these two sealing policies (to mrenclave or mrsigner) is. The encrypted data cannot be migrated to another platform. If I use my own key to encrypt data, I can decrypt it on another machine, but these two sealing policies can only encrypt and decrypt data on one platform, so what is the meaning?

Another question: we can use sgx_rijndael128GCM_encrypt, which is the SGX SDK's API, to encrypt data with our own key. What is the difference if I use my own method to encrypt data with my own key in the enclave?

0 Kudos
2 Replies
Iffa_Intel
Moderator
624 Views

Hi,

 

The advantage of using the Intel SGX sealing methods compared to others is that they are validated by Intel to be secure, as they are designed and tested to leverage established cryptographic algorithms and best practices.

Sealing methods like MRENCLAVE and MRSIGNER provide mechanisms to detect tampering in a compatible system.

Besides, SGX sealing methods leverage the hardware-based security features of SGX, especially for supported hardware.

 

Here is some additional information regarding the Intel SGX sealing policy:

  1. Introduction to Intel® SGX Sealing
  2. Intel SGX Sealing

 

 

Cordially,

Iffa

0 Kudos
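The difference between the two policies discussed above, shown as an added example (not code from this thread or from the Intel SGX SDK). It is a simplified model: HMAC-SHA256 stands in for the hardware key derivation done by the EGETKEY instruction, other derivation inputs such as ISVSVN and CPUSVN are left out, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Enclave:
    cpu_root_key: bytes  # per-processor root seal key (never leaves the CPU)
    mrenclave: bytes     # measurement of this exact enclave build
    mrsigner: bytes      # hash of the enclave author's signing key

def derive_seal_key(enclave: Enclave, policy: str) -> bytes:
    """Model of seal key derivation: root key + identity chosen by the policy."""
    if policy == "MRENCLAVE":
        identity = enclave.mrenclave
    elif policy == "MRSIGNER":
        identity = enclave.mrsigner
    else:
        raise ValueError(f"unknown key policy: {policy}")
    # Assumption: HMAC-SHA256 replaces the real hardware derivation.
    msg = policy.encode() + b"\x00" + identity
    return hmac.new(enclave.cpu_root_key, msg, hashlib.sha256).digest()[:16]

def can_unseal(sealer: Enclave, opener: Enclave, policy: str) -> bool:
    """Unsealing works only if the opener derives the same key as the sealer."""
    return hmac.compare_digest(derive_seal_key(sealer, policy),
                               derive_seal_key(opener, policy))

def _h(label: bytes) -> bytes:
    return hashlib.sha256(label).digest()

# Constructed sample identities (not real measurements or keys).
CPU_A, CPU_B = _h(b"root key of CPU A"), _h(b"root key of CPU B")
SIGNER_X, SIGNER_Y = _h(b"vendor X signing key"), _h(b"vendor Y signing key")
APP_V1 = Enclave(CPU_A, _h(b"app build v1"), SIGNER_X)
OPENERS = {
    "same enclave": APP_V1,
    "upgraded build, same signer": Enclave(CPU_A, _h(b"app build v2"), SIGNER_X),
    "enclave from another signer": Enclave(CPU_A, _h(b"other app"), SIGNER_Y),
    "same enclave, other CPU": Enclave(CPU_B, APP_V1.mrenclave, SIGNER_X),
}

def scenario_table() -> dict:
    """Who can unseal data that APP_V1 sealed on CPU A, under each policy."""
    return {(policy, who): can_unseal(APP_V1, opener, policy)
            for policy in ("MRENCLAVE", "MRSIGNER")
            for who, opener in OPENERS.items()}

if __name__ == "__main__":
    for (policy, who), ok in scenario_table().items():
        print(f"{policy:9} | {who:28} | {'unseals' if ok else 'fails'}")
```

In this model both policies fail on another CPU; the policy choice only decides which enclaves on the same platform get the data back, for example whether it survives an enclave upgrade.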
Iffa_Intel
Moderator
545 Views

Hi,


Intel will no longer monitor this thread since we have provided a solution. If you need any additional information from Intel, please submit a new question.



Cordially,

Iffa


0 Kudos