Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support of sealing key generation #1

Open
MoeMahhouk opened this issue Nov 21, 2024 · 1 comment
Open

Support of sealing key generation #1

MoeMahhouk opened this issue Nov 21, 2024 · 1 comment

Comments

@MoeMahhouk
Copy link

Hey folks, I've recently build a small PoC of generating a unique sealing key for TDX Apps based on their measurement (mrtd, rtmr0-3) and the ppid of the machine. Here is the link to the code repo https://github.com/MoeMahhouk/gramine-sealing-key-provider.

By using the ppid you can verify that both the SGX Sealing Key Provider as well as the TDX App are running on the same instance. However, the PoC is ofc far from production ready as it still needs quote verification and other features that some of them highlighted in the readme inside the repo.

Currently the PoC is relying on gramine to fetch the sealing and quote. However, I was wondering if you are planning to support the generation of the sealing key in your SGX SDK. This way, the sealing key service would benefit from the work of automata's onchain verification and other relevant work too.

Do you think it is feasible to include the ability to generate the sealing key from your SGX SDK too?

Much thanks

@melynx
Copy link

melynx commented Dec 9, 2024

Hey @MoeMahhouk , commit 23eba42 exposes the EGETKEY instruction via the get_key(key_request) function. This allow us to generate any key allowed by EGETKEY.

That said, I think it might be a little too low level for most developers. I'm thinking of wrapping it with opinionated / convenience functions like.... get_seal_key(), etc. Any other methods do you think you might need?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants