Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Sealing Key

  1. cVMs enabled by the TEE Kit support sealing keys. A cVM can generate an associated key, which remains unchanged even after the cVM is restarted.

  2. Sealing key derivation process:
    1. The user application calls the API and the user-mode library receives the input. The user can provide custom parameters, which are saved by the user-mode program.
    2. The driver transfers the user's custom data (a 64-byte character string) to the TMM. The TMM key derivation adopts secondary derivation.
    3. The TMM uses hardcoded secure random numbers to derive the HUK key and obtain the level-1 derived key HUK_DERIVED.
    4. The HUK_DERIVED key is used to generate the key required by the user, that is, USER_KEY = KDF(alg, HUK_DERIVED, hash(RIM) || user_param).
    5. The TMM returns the derived key USER_KEY to the user.

      For details, see "Enabling Sealing Keys" in Confidential Computing TEE Kit Feature Guide.

Parent topic: Key Features