Attestation & Sealing with Software Guard Extensions

Once you have instantiated a secured software environment (known as an enclave) with the new instructions in Intel® Software Guard Extensions (SGX), you are ready to load secrets into it for processing, and to store those secrets on the platform. That is the purpose of the attestation and sealing features of SGX.

The SGX attestation architecture gives an enclave a mechanism to strongly authenticate its existence on the platform: to prove that it is a genuine enclave, with a particular identity, running on genuine SGX hardware. That authentication can then form the basis of a secret-delivery protocol between the enclave and a local entity (i.e. another enclave running on the same platform) or a remote entity (e.g. a service in the cloud). For now, think of it as terminating an SSL-like session inside the enclave, with the enclave on the client side of a session that uses client authentication.
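The local case (one enclave authenticating itself to another on the same platform), as an added illustration that is not code from this post or from the SGX SDK: a Go simulation of the EREPORT/EGETKEY exchange. The platform secret, the HMAC-SHA256 used in place of SGX's AES-CMAC, and the enclave measurements are all constructed stand-ins, and the hardware derivation is simplified; inside a real enclave the corresponding SDK calls are sgx_create_report and sgx_verify_report.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// platformSecret stands in for the per-CPU root secret that EGETKEY mixes into
// every key it derives. In this simulation it is used only by the "hardware"
// functions below; enclave code never reads it. Constructed value, not real.
var platformSecret = []byte("constructed-platform-root-secret-not-real")

// Report carries the subset of the SGX REPORT structure that matters here:
// the identity of the enclave that produced it, 64 bytes of REPORTDATA chosen
// by that enclave, and a MAC computed by the hardware.
type Report struct {
	MREnclave  [32]byte // measurement of the reporting (source) enclave
	ReportData [64]byte // e.g. hash of a freshly generated DH public key
	MAC        [32]byte // HMAC-SHA256 here; real SGX uses a 128-bit AES-CMAC
}

// reportKey simulates EGETKEY for the REPORT key. It is bound to the platform
// secret and to the *target* enclave's measurement, so only the target enclave
// can obtain it (EGETKEY only hands out keys for the calling enclave).
func reportKey(targetMREnclave [32]byte) []byte {
	m := hmac.New(sha256.New, platformSecret)
	m.Write([]byte("REPORT_KEY"))
	m.Write(targetMREnclave[:])
	return m.Sum(nil)
}

func reportMAC(key []byte, r *Report) (mac [32]byte) {
	m := hmac.New(sha256.New, key)
	m.Write(r.MREnclave[:])
	m.Write(r.ReportData[:])
	copy(mac[:], m.Sum(nil))
	return mac
}

// ereport simulates EREPORT executed inside the source enclave: the hardware
// fills in the caller's own measurement and MACs the report with the target's
// REPORT key. The source enclave never sees that key, so it cannot forge a
// report claiming a different identity.
func ereport(sourceMREnclave, targetMREnclave [32]byte, data [64]byte) Report {
	r := Report{MREnclave: sourceMREnclave, ReportData: data}
	r.MAC = reportMAC(reportKey(targetMREnclave), &r)
	return r
}

// verifyReport runs inside the target enclave: it obtains its own REPORT key
// (EGETKEY) and recomputes the MAC. A match proves the report came from
// EREPORT on this platform, and r.MREnclave then says which enclave asked.
func verifyReport(myMREnclave [32]byte, r *Report) bool {
	expect := reportMAC(reportKey(myMREnclave), r)
	return hmac.Equal(expect[:], r.MAC[:])
}

func main() {
	a := sha256.Sum256([]byte("enclave A code+data")) // constructed MRENCLAVEs
	b := sha256.Sum256([]byte("enclave B code+data"))

	// A proves itself to B and binds the proof to its key-exchange message.
	var data [64]byte
	copy(data[:], []byte("sha256(A's ephemeral DH public key)"))
	report := ereport(a, b, data)

	fmt.Println("B accepts genuine report from A:", verifyReport(b, &report))
	fmt.Println("  reporting enclave:", hex.EncodeToString(report.MREnclave[:8]), "...")

	// Untrusted code carrying the report between A and B edits REPORTDATA.
	tampered := report
	tampered.ReportData[0] ^= 0x01
	fmt.Println("B accepts tampered report:", verifyReport(b, &tampered))

	// A report targeted at B is useless to any other enclave.
	c := sha256.Sum256([]byte("enclave C code+data"))
	fmt.Println("C accepts report meant for B:", verifyReport(c, &report))
}
```

The point of putting a hash of A's ephemeral public key into REPORTDATA is that the report then authenticates the key exchange, not just A's existence: B can complete the handshake and deliver a secret knowing that only the enclave with measurement A holds the other end.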

Once the enclave has been authenticated and a secret has been delivered to it, the enclave will usually want to persist that secret locally on the platform, so that it survives the enclave being torn down and restarted. That is the purpose of the sealing architecture. Sealing relies on the programmer to do the work of protecting the secret and storing it on the platform; what the hardware provides is a 128-bit enclave-specific key with which to protect the data.
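The division of labour just described, as an added example that is not code from this post or from the SGX SDK: the hardware supplies a 128-bit enclave-specific key, and the programmer authenticates and encrypts the secret under it before handing the result to untrusted code for storage. It is written in Go so that it runs outside an enclave; sealKey and platformSecret are constructed stand-ins for EGETKEY (the real derivation also mixes in a KEYID, security version numbers and a key policy), while AES-128-GCM is the construction the SDK's sgx_seal_data uses over the real key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// platformSecret stands in for the per-CPU root secret EGETKEY derives from.
// Constructed value, not real; enclave code never touches it.
var platformSecret = []byte("constructed-platform-root-secret-not-real")

// sealKey simulates EGETKEY for the SEAL key: the hardware returns a 128-bit
// key bound to the platform and to the calling enclave's measurement, so a
// different enclave on the same machine derives a different key.
func sealKey(mrEnclave [32]byte) []byte {
	m := hmac.New(sha256.New, platformSecret)
	m.Write([]byte("SEAL_KEY"))
	m.Write(mrEnclave[:])
	return m.Sum(nil)[:16] // 128 bits, like the key EGETKEY hands back
}

// SealedBlob is what the enclave hands to untrusted code to write to disk.
// Nothing in it is secret; the AAD is readable but covered by the GCM tag.
type SealedBlob struct {
	Nonce      []byte
	AAD        []byte // e.g. a version or purpose label for the blob
	Ciphertext []byte // secret || 16-byte GCM tag
}

func newGCM(mrEnclave [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sealKey(mrEnclave))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal runs inside the enclave identified by mrEnclave: the programmer's part
// of sealing is to authenticate-and-encrypt the secret under the hardware key.
func seal(mrEnclave [32]byte, secret, aad []byte) (*SealedBlob, error) {
	gcm, err := newGCM(mrEnclave)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per seal; never reuse one under the same key
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, secret, aad)
	return &SealedBlob{Nonce: nonce, AAD: aad, Ciphertext: ct}, nil
}

// unseal runs inside the enclave that later reads the blob back. Only an
// enclave with the same measurement derives the same key; any other enclave,
// or any modification of the blob, fails the GCM tag check.
func unseal(mrEnclave [32]byte, b *SealedBlob) ([]byte, error) {
	gcm, err := newGCM(mrEnclave)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, b.AAD)
	if err != nil {
		return nil, errors.New("unseal failed: wrong enclave, or blob was modified")
	}
	return pt, nil
}

func main() {
	a := sha256.Sum256([]byte("enclave A code+data")) // constructed MRENCLAVEs
	b := sha256.Sum256([]byte("enclave B code+data"))
	secret := []byte("api-key-delivered-after-attestation") // constructed

	blob, err := seal(a, secret, []byte("blob-v1"))
	if err != nil {
		panic(err)
	}
	got, err := unseal(a, blob)
	fmt.Println("same enclave recovers secret:", err == nil && bytes.Equal(got, secret))

	_, err = unseal(b, blob)
	fmt.Println("other enclave on the same platform:", err)

	blob.AAD = []byte("blob-v2") // on-disk metadata edited by untrusted code
	_, err = unseal(a, blob)
	fmt.Println("modified metadata:", err)
}
```

Two practical consequences follow from the key being enclave-specific. First, a rebuilt enclave has a different measurement and therefore a different key, so data sealed by version 1 is unreadable by version 2 unless you plan for it (the SDK's key request lets you bind the key to the enclave signer's identity instead of the exact measurement for this reason). Second, the hardware gives you confidentiality and integrity, not freshness: untrusted code can always hand back an older, validly sealed blob, so a rollback-sensitive secret needs its own versioning on top of this.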

More details can be found in the white paper we have written to explain these important features of the SGX architecture.

I hope you find this information useful. Any feedback or questions you may have regarding the white paper, or the attestation and sealing features in general, can be posted as a comment to this blog entry.
