How to securely provision/generate a simple secret string inside the enclave?

[jogi343]

Hi All,

I have a question regarding provisioning/generating a secret key (a string) inside the enclave and later using it.

I am writing a simple Javascript function called receiveFromOutside which runs inside the enclave using Gramine on an untrusted machine. During execution, this function receives an encrypted parameter param from outside of the enclave and then it decrypts it using a key (which is already inside the enclave). Like this:

function receiveFromOutside(param) {
  const key = // access some key placed inside the enclave
  AES.decrypt(param, key)
  ...
}

My questions are:

1. Is there any way to securely provision some secret key inside the enclave (either during enclave start-up or later whichever is easier)
   so that it can be accessed in the second line of the code above? If yes, how can it be done?

2. I looked through this secret provisioning article, and I think my scenario is very similar to this, quoting from this article:

Sometimes all the TEE application needs is a couple secrets provisioning into it and nothing more.
E.g., an image recognition application may only need a single encryption key to decrypt the inputs
(model file, classification file, image file) and the same key to encrypt the outputs.

So as mentioned in the article, I think I can just read the environment variable SECRET_PROVISION_SECRET_STRING in the second line in the code above. But I don't know how to set SECRET_PROVISION_SECRET_STRING in the first place.

Currently, my application is run exactly as described in this Gramine nodejs example.
In order to provision/generate the secret key, what changes should I do in my nodejs.manifest.template file or in any other files? Or do I need to make any changes in the overall application flow?

Let me know if I understand something wrongly here.

Thank you in advance.

[mkow]

Please take a look at https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov, these examples in our repository are doing exactly this ;)

[dimakuv]

Yep, as @mkow mentioned, please take a look at the example. In particular, take a look at the secret_prov_minimal example, this should be most useful for your Javascript workload.

I also really like the Edgeless Marblerun solution, and I recommend to read about it and experiment with it (it integrates with Gramine): https://www.edgeless.systems/products/marblerun/. Marblerun also serves the purpose of attestation and secret provisioning.

[jogi343]

Thank you @mkow and @dimakuv . secret_prov_minimal suits my use case.