Support of sealing key generation

[MoeMahhouk]

Hey folks, I've recently build a small PoC of generating a unique sealing key for TDX Apps based on their measurement (mrtd, rtmr0-3) and the ppid of the machine. Here is the link to the code repo https://github.com/MoeMahhouk/gramine-sealing-key-provider.

By using the ppid you can verify that both the SGX Sealing Key Provider as well as the TDX App are running on the same instance. However, the PoC is ofc far from production ready as it still needs quote verification and other features that some of them highlighted in the readme inside the repo.

Currently the PoC is relying on gramine to fetch the sealing and quote. However, I was wondering if you are planning to support the generation of the sealing key in your SGX SDK. This way, the sealing key service would benefit from the work of automata's onchain verification and other relevant work too.

Do you think it is feasible to include the ability to generate the sealing key from your SGX SDK too?

Much thanks

[melynx]

Hey @MoeMahhouk , commit 23eba42 exposes the EGETKEY instruction via the get_key(key_request) function. This allow us to generate any key allowed by EGETKEY.

That said, I think it might be a little too low level for most developers. I'm thinking of wrapping it with opinionated / convenience functions like.... get_seal_key(), etc. Any other methods do you think you might need?