Intuitive SGX API Design with OOP

We package the seal and remote attestation functions in the SGX API to make them easier to accept and use.

Sealing (Secure Storage)

The following is an example of data sealing bound to the mrenclave. Only a specific enclave can unseal this ciphertext.

SealHandler sealer(SGX_KEYPOLICY_MRENCLAVE);

uint8_t mac_text[] = {5, 6, 7, 8};
sealer.SetAdditionalMacText(mac_text, sizeof(mac_text));

const char* raw_data = "Secure Data";
size_t data_len = strlen(raw_data);

// seal
auto sealed_data = sealer.SealData(reinterpret_cast<const uint8_t*>(raw_data), data_len);
if (!sealed_data.has_value()) return false;

// unseal
auto unsealed_data = sealer.UnsealData(sealed_data->data(), sealed_data->size());
if (!unsealed_data.has_value()) return false;

Remote Attestation

The remote authentication function has two functions:

Prove that the trusted execution environment currently running is secure and is the expected enclave.
Prove that the transmitted user info is indirectly authenticated by Intel and has not been tampered with.

RemoteAttestor attestor;
std::string quote_report;

// generate
attestor.CreateReport("user_info", quote_report);

// verify
std::string mr_enclave;
attestor.VerifyReport("user_info", quote_report, mr_enclave);

Sealing (Secure Storage)​

Remote Attestation​

Sealing (Secure Storage)

Remote Attestation