• 04/09/2016
  • Public Content

The high level process for sealing data within an enclave is as follows:
  1. Allocate memory within the enclave for the encrypted data and the sealed data structure which includes the payload consisting of both the data to encrypt and the Additional Authentication Data (AAD). AAD refers to the additional data/text that will be part of the MAC calculation but will not be encrypted (for example, it will remain plain text/data in the seal data structure). The AAD may include information about the application enclave, version, data, and so on.
  2. Call the seal data API to perform the sealing operation. An example seal operation algorithm is:
    1. Verify the input parameters are valid. For instance, if a pointer to a sealed data structure is passed as a parameter, the buffer it points to must be inside the enclave.
    2. Instantiate and populate a key request structure used in the EGETKEY operation to obtain a seal key:
      1. Call EREPORT to obtain the ISV and TCB Security Version Numbers, which will be used in the key derivation.
      2. Key Name: Identifies the key required, which in this case is the seal key.
      3. Key Policy: Identifies the inputs required to be used in the key derivation. Use MRSIGNER to seal to the enclave’s author or MRENCLAVE to seal to the current enclave (enclave measurement). Reserved bits must be cleared.
      4. Key ID: Call RDRAND to obtain a random number for key wear-out protection.
      5. Attribute Mask: Bitmask indicating which attributes the seal key should be bound to. The recommendation is to set all the attribute flags, except Mode 64 bit, Provision Key and Launch key, and none of the XFRM attributes.
    3. Call EGETKEY with the key request structure from the previous step to obtain the seal key.
    4. Call the encryption algorithm to perform the seal operation with the seal key. It is recommended to utilize a function that performs AES-GCM* encryption/decryption, such as the Rijndael128GCM, which is available in Intel(R) IPP Crypto library.
    5. Delete the seal key from memory to prevent accidental leaks.
  3. Save the seal data structure (including the key request structure) to external memory for future use within an enclave. The key request structure will be used in future enclave instantiation(s) to obtain the seal key required for the decryption process.
The high level process for unsealing data within an enclave is as follows:
  1. Allocate memory for the decrypted data.
  2. Call the unseal data API to perform the unsealing operation. An example unseal operation algorithm is:
    1. Verify the input parameters are valid.
    2. Retrieve the key request structure used in conjunction with the seal data structure.
    3. Call EGETKEY with the key request structure to obtain the seal key.
    4. Call the decryption algorithm to perform the unseal operation with the seal key.
    5. Delete the seal key from memory to prevent accidental leaks.
    6. Confirm that the hash tag generated by the decryption algorithm matches the tag generated during encryption.

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.