Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1428 Discussions

sealing data with different system software

jamason
Beginner
‎11-29-2017 08:34 AM
562 Views
Solved Jump to solution

Hello,

I would like to get an opinion about the following scenario:

 

  1. Boot the system and launch a linux distribution
  2. start a process which starts an enclave which seals a piece of data to the MRSIGNER of the enclave.
  3. reboot the platform
  4. Boot this time into a windows distribution
  5. unseal the previously sealed data

Would the above scenario allow me to unseal the data, given of course that i am launching the same enclave with the same MRSIGNER into both the linux and windows distributions? 

thank you

 

0 Kudos
1 Solution
Juan_d_Intel
Employee
‎11-29-2017 12:24 PM
562 Views
Solved Jump to solution

Yes, that scenario would work because the sealing key doesn't depend on the OS.

View solution in original post

0 Kudos
Copy link

Link Copied

3 Replies
Juan_d_Intel
Employee
‎11-29-2017 12:24 PM
563 Views
Solved Jump to solution

Yes, that scenario would work because the sealing key doesn't depend on the OS.

0 Kudos
Copy link
jamason
Beginner
‎11-30-2017 01:44 AM
562 Views
Solved Jump to solution

thank you.

do you think that there would be a way to seal that piece of data to the MRENCLAVE.

an enclave library layout in linux and windows would be different, hence so would be the MRENCLAVE. but do you know if there would be a way to recognize that enclave as the same one when launched on different os, or at least enable it to seal the same data?

 

 

 

0 Kudos
Copy link
you_w_
New Contributor III
‎12-05-2017 11:35 PM
562 Views
Solved Jump to solution

Hi jamason:

Till now, this is impossible. With key strategy setting to MrEnclave, you can not unseal the sealed data under different OS.

Regards 

you 

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.