How do I seal data inside using SGX in an app running in Graphene


Chris Cassano

Jun 18, 2021, 2:17:37 AM
to sup...@graphene-project.io
Hi, 

First of all, thanks for this amazing project.  I really feel like I'm standing on the shoulders of giants using it.

I am porting an existing SGX app to Graphene that uses the SGX_KEYPOLICY_MRENCLAVE policy via the sgx_seal_data_ex() method.  I was looking into using Graphene's protected files as a replacement, but it seems that I must supply it with a secret wrap key to use to encrypt the files.  My application aims to be as decentralized as possible, so I would prefer to encrypt data in the manner of the built-in SGX sealing functionality instead of via a secret supplied by me or the user.  This way, even the users running the application cannot manually unseal the data, and I cannot manually unseal it either.  Only the enclave should be able to unseal it.

Does Graphene have any way to do this?  Is it possible to use protected files and derive the wrap key from the enclave in the same manner as SGX_KEYPOLICY_MRENCLAVE?

Thank you
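The distinction the question rests on, an enclave-derived sealing key versus a wrap key handed in by the developer or user, can be shown in a small model. The following is an added example, not code from the original post or from Graphene or the Intel SGX SDK: it imitates how an SGX seal key is derived from a hardware root plus either the MRENCLAVE or MRSIGNER measurement, and uses that key to seal a blob such as a protected-files wrap key. The "platform fuse secret", the enclave measurements, the HMAC-based stream cipher and every function name are constructed stand-ins (the real key comes from the CPU via EGETKEY and never leaves the enclave). It also shows the trade-off that comes with MRENCLAVE policy: a blob sealed by one enclave build is unreadable by any other build, including an upgrade of the same application, whereas MRSIGNER policy lets a newer build signed with the same key unseal it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the per-CPU fuse secret that roots real SGX sealing.
PLATFORM_ROOT = hashlib.sha256(b"constructed platform fuse secret").digest()

POLICY_MRENCLAVE = "MRENCLAVE"  # key bound to the exact enclave code measurement
POLICY_MRSIGNER = "MRSIGNER"    # key bound to the signer identity; survives upgrades

HEADER_LEN = 16 + 16 + 12       # policy label + key_id + nonce
TAG_LEN = 32


@dataclass(frozen=True)
class EnclaveIdentity:
    mrenclave: bytes  # hash of the enclave's measured contents (hypothetical value)
    mrsigner: bytes   # hash of the signer's public key (hypothetical value)


def derive_seal_key(identity, policy, key_id):
    """Model of the seal-key derivation an enclave requests from the CPU.

    Only the measurement selected by the policy enters the derivation, so a
    different build (MRENCLAVE) or a different signer (MRSIGNER) gets a
    different key without anyone ever handling the key material.
    """
    binding = identity.mrenclave if policy == POLICY_MRENCLAVE else identity.mrsigner
    material = policy.encode() + binding + key_id
    return hmac.new(PLATFORM_ROOT, material, hashlib.sha256).digest()


def _subkeys(seal_key):
    # Separate encryption and MAC keys for an encrypt-then-MAC construction.
    enc_key = hmac.new(seal_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(seal_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used here as a toy stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(identity, policy, plaintext):
    """Return a blob that only an enclave matching `policy` can unseal."""
    key_id = os.urandom(16)  # fresh derivation salt stored in the clear
    nonce = os.urandom(12)
    enc_key, mac_key = _subkeys(derive_seal_key(identity, policy, key_id))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = policy.encode().ljust(16, b"\0") + key_id + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(identity, blob):
    """Return the plaintext, or None if this identity cannot authenticate the blob."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    policy = header[:16].rstrip(b"\0").decode()
    key_id, nonce = header[16:32], header[32:44]
    ciphertext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_seal_key(identity, policy, key_id))
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong build, wrong signer, or tampered blob
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo():
    """Seal a wrap key under both policies and try to unseal from two builds."""
    signer = hashlib.sha256(b"constructed signer key").digest()
    build_v1 = EnclaveIdentity(hashlib.sha256(b"constructed enclave build v1").digest(), signer)
    build_v2 = EnclaveIdentity(hashlib.sha256(b"constructed enclave build v2").digest(), signer)
    wrap_key = os.urandom(16)  # the protected-files wrap key the enclave generates itself

    by_enclave = seal(build_v1, POLICY_MRENCLAVE, wrap_key)
    by_signer = seal(build_v1, POLICY_MRSIGNER, wrap_key)
    tampered = by_enclave[:HEADER_LEN] + bytes([by_enclave[HEADER_LEN] ^ 1]) + by_enclave[HEADER_LEN + 1:]
    return {
        "mrenclave_same_build": unseal(build_v1, by_enclave) == wrap_key,
        "mrenclave_upgraded_build": unseal(build_v2, by_enclave) is None,
        "mrsigner_upgraded_build": unseal(build_v2, by_signer) == wrap_key,
        "tampered_blob_rejected": unseal(build_v1, tampered) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The wrap key in `demo()` is generated inside the model enclave and only ever stored sealed, which is the property the question asks for: no human supplies or sees it, and only an enclave with the matching measurement can recover it. In a real deployment the same check runs in hardware; the point the model makes is that the policy choice, not the cipher, decides who can unseal.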

Michał Kowalczyk

Jun 18, 2021, 5:15:13 AM
to Chris Cassano, sup...@graphene-project.io
Hi,

We don't support this at the moment, but you may want to take a look at this pull request: https://github.com/oscarlab/graphene/pull/2328 and provide some feedback :)

Best,
Michał
--
You received this message because you are subscribed to the Google Groups "Graphene Support Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graphene-suppo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graphene-support/CAAjY7uGErFH6vewNCB7yKekXKhEy0sPLUwp_enMZtFaHb2Az2A%40mail.gmail.com.


Chris Cassano

Jun 18, 2021, 4:05:29 PM
to Michał Kowalczyk, sup...@graphene-project.io
Thanks for the quick response, Michał.  This is exactly what I was looking for.  I was able to merge it into master locally and fix merge commits and errors easily because of Dmitrii's very detailed commit messages.  I am going to use this PR until the finalized interface is ready :)

One thing that tripped me up that you might want to add to the docs on protected files is that you have to explicitly write and read, separately.  When I was trying to use SQLite and it opened the file with read/write, it was getting IO errors.

Thanks

Michał Kowalczyk

Jun 20, 2021, 8:43:05 PM
to Chris Cassano, sup...@graphene-project.io
Hmm, I think this should work. We had a PF implementation in the past which didn't support R/W access, but I think the current one lifted this limitation.
Could you try running your app on a higher debug level and try to find the place where it fails? There should be a more detailed explanation around it in the logs.