Local sealing keys

[bokdeuk-jeong]

Regarding my question about the local sealing key, Jonh (@jlmucb) has provided the following answer.

We provide a seal and unseal which uses the platform primitives. Since you did the interface for islet, you would have retrieved the key. We never use the key directly but use it to seal a symmetric key which is used to seal locally. This level of indirection allows people to share a local sealing key. Having said all that, we can provide such an interface but islet would need to give us an API to retrieve the key.

Islet platfom now provides a sealing key for each cVM(a.k.a realm in ARM CCA).
Previously, islet_Seal() which is called at

certifier-framework-for-confidential-computing/src/certifier.cc

Line 503 in 20f9e79

bool certifier::framework::Seal(const string &enclave_type,

has encrypted 'in' using a hardcoded key within the islet_Seal() function. We are going to update the function into encrypting the 'in' argument with a platform-generated sealing key.

I have further questions from your answer, regarding below.

We never use the key directly but use it to seal a symmetric key which is used to seal locally.

Q1: Where is the symmetric key retrieved from? Could you locate the corresponding source code?

Q2: Does this mean that the symmetric key that is used to seal data locally is sealed via calling the function certifier::framework::Seal()?
(i.e., Is the symmetric key (== local sealing key) the argument of 'in' for certifier::framework::Seal()?)