An application running under Intel SGX can invoke EGETKEY to obtain an encryption key from the CPU HW. The same key will be obtained each time the application is run. This allows the application to encrypt data with the key (a/k/a seal it to the SGX enclave), exit, restart, and then decrypt the data again. However, since nothing outside that particular SGX enclave can obtain the key, nothing outside the enclave can access the data. Thus, securely saving persistent data across separate invocations of an SGX enclave is possible.
Is there any equivalent to this with AMD's SEV? I can't find one :-(
It seems that AMD's SEV model is a little different from SGX; rather than the encrypted VM being able to obtain a persistent key from the HW, some remote/external entity would provide any required crypto keys to the VM over a trusted channel after verifying the HW's attestation that the expected code is running inside the VM. However, I'd like to create a VM that's self-contained, and can manage its own data encryption/sealing without requiring an external entity to know/store/provide the key, as is possible with SGX. Is this possible?
Notes on rejected possibilities:
- Embedding the key into the VM image will not solve the issue; an external entity could simply examine the VM image and extract the key.
- Storing the key in a TPM won't help; any other software on the host could make use of the same key in the TPM, since the TPM doesn't distinguish between different clients (different pieces of software) on the same system, and so would allow any software to use the key, not just the one VM that "owns" the key. While TPM keys can have authorizations (essentially passwords) attached to them, this would create a circular issue: how to provide the authorization value solely to the one VM.
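To make the SGX sealing property the question is asking for concrete, here is an added Python model of it (not code from the question's author, and not the SGX SDK): a seal key is derived from a per-CPU secret plus the enclave's code measurement, data is sealed under it, and after a "restart" the same enclave recovers the key while a different enclave on the same CPU cannot. Everything here is a constructed stand-in: `ROOT_SECRET` plays the role of the fused key that EGETKEY mixes in, the two `MRENCLAVE_*` values stand for two enclaves' measurements, the derivation omits the MRSIGNER/CPUSVN/ISVSVN/OWNEREPOCH inputs that real EGETKEY includes, and an HMAC-SHA256 counter-mode keystream plus HMAC tag is used in place of the AES-GCM that `sgx_seal_data()` uses. The names `derive_seal_key`, `seal`, `unseal` and `demo` are the example's own.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for values that on real hardware never leave the CPU.
# ROOT_SECRET models the per-CPU fused secret EGETKEY mixes into every key;
# the MRENCLAVE_* values model the code measurements of two different enclaves.
ROOT_SECRET = hashlib.sha256(b"constructed per-CPU root secret").digest()
MRENCLAVE_A = hashlib.sha256(b"constructed enclave A code measurement").digest()
MRENCLAVE_B = hashlib.sha256(b"constructed enclave B code measurement").digest()


def derive_seal_key(root_secret: bytes, mrenclave: bytes, key_id: bytes = b"seal") -> bytes:
    """Simplified model of EGETKEY for a MRENCLAVE-bound seal key.

    Same (root_secret, mrenclave, key_id) -> same key on every run, so the enclave
    can recover it after a restart; any other measurement yields an unrelated key.
    Real EGETKEY also binds CPUSVN, ISVSVN, OWNEREPOCH and a key policy (omitted here).
    """
    info = b"SEAL|" + mrenclave + b"|" + key_id
    return hmac.new(root_secret, info, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream. Stand-in for AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(seal_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the seal key. The returned blob may be stored
    outside the enclave (disk, host memory); only the key holder can open it."""
    nonce = os.urandom(16)
    ks = _keystream(seal_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(seal_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(seal_key: bytes, blob: bytes):
    """Verify the tag, then decrypt. Returns None if the blob was not sealed
    under this key or has been tampered with (same outcome for a wrong enclave)."""
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(seal_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(seal_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Seal in enclave A, 'restart', unseal in A again, then try from enclave B."""
    secret = b"constructed persistent state: counter=42"
    # First run of enclave A: obtain the key from 'hardware', seal, exit.
    blob = seal(derive_seal_key(ROOT_SECRET, MRENCLAVE_A), secret)
    # Second run of enclave A: the derivation is deterministic, so the data is back.
    recovered = unseal(derive_seal_key(ROOT_SECRET, MRENCLAVE_A), blob)
    # Enclave B on the same CPU derives a different key and gets nothing.
    foreign = unseal(derive_seal_key(ROOT_SECRET, MRENCLAVE_B), blob)
    return recovered, foreign


if __name__ == "__main__":
    recovered, foreign = demo()
    print("enclave A after restart:", recovered)
    print("enclave B on same CPU:  ", foreign)
```

The point the model makes is that the secret never exists anywhere except inside the CPU and the enclave that asked for it: no image embedding, no external key server, and no TPM authorization value to distribute. That is exactly the property an SEV guest would need a hardware-bound, guest-specific key for.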