A hierarchy of enclaves
I have been categorizing enclaves into a hierarchy:
- Level 0 (secret storage): allows you to store and retrieve the secret
- Level 1 (identity verification): checks who you are, then performs an operation on the secret
- Level 2 (policy enforcement): checks who you are, what you are doing, and then performs an operation on the secret
In general, each level should be a separate component, so that a Level 2 enclave (where policy changes most often) can be modified frequently without touching the Level 1 enclave it sits on, and a Level 1 enclave can be modified without touching its Level 0 enclave. Oftentimes the Level 0 enclave should not be accessible to the software engineering team at all: the team can ask for an operation to be performed with the secret, but can never read the secret itself. Physical HSMs and cloud providers' key management services already work this way, since they are (at least) Level 1 enclaves that perform operations with the key and hide the associated Level 0 enclave behind an identity check.
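The following is an added example, not code from the original post, showing the three levels as three separate objects so that the dependency direction is explicit: Level 2 holds only a reference to Level 1, Level 1 holds the only reference to Level 0, and the raw key is read by Level 1 alone. The class names (Level0SecretStore, Level1Signer, Level2PolicySigner), the HMAC-SHA256 "operation", the prefix-based policy and the credential table are all illustrative choices made for this example; the key and credentials are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Dict, Set, Tuple


class Level0SecretStore:
    """Level 0: store and retrieve raw secrets. Nothing else."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def put(self, name: str, secret: bytes) -> None:
        self._secrets[name] = secret

    def get(self, name: str) -> bytes:
        return self._secrets[name]


class Level1Signer:
    """Level 1: verify who the caller is, then use the secret on their behalf.
    The raw secret is fetched from Level 0 here and never returned to callers."""

    def __init__(self, store: Level0SecretStore, key_name: str,
                 credentials: Dict[str, bytes]) -> None:
        self._store = store
        self._key_name = key_name
        self._credentials = credentials  # principal -> expected credential

    def _verify_identity(self, principal: str, credential: bytes) -> bool:
        expected = self._credentials.get(principal)
        return expected is not None and hmac.compare_digest(expected, credential)

    def sign(self, principal: str, credential: bytes, message: bytes) -> bytes:
        if not self._verify_identity(principal, credential):
            raise PermissionError(f"unknown principal or bad credential: {principal!r}")
        key = self._store.get(self._key_name)
        return hmac.new(key, message, hashlib.sha256).digest()


PolicyFn = Callable[[str, bytes], bool]


class Level2PolicySigner:
    """Level 2: check what the caller is doing, then delegate to Level 1.
    Holds no reference to Level 0; the policy is injected so it can change freely."""

    def __init__(self, signer: Level1Signer, policy: PolicyFn) -> None:
        self._signer = signer
        self._policy = policy

    def sign(self, principal: str, credential: bytes, message: bytes) -> bytes:
        if not self._policy(principal, message):
            raise PermissionError(f"policy denied {principal!r} signing {message!r}")
        return self._signer.sign(principal, credential, message)


def prefix_policy(allowed: Dict[str, Set[bytes]]) -> PolicyFn:
    """Policy: a principal may only sign messages that start with one of its allowed prefixes."""
    def policy(principal: str, message: bytes) -> bool:
        return any(message.startswith(p) for p in allowed.get(principal, set()))
    return policy


def build_stack(root_key: bytes, credentials: Dict[str, bytes],
                allowed: Dict[str, Set[bytes]]) -> Tuple[Level0SecretStore, Level1Signer, Level2PolicySigner]:
    store = Level0SecretStore()
    store.put("signing-key", root_key)
    l1 = Level1Signer(store, "signing-key", credentials)
    l2 = Level2PolicySigner(l1, prefix_policy(allowed))
    return store, l1, l2


def demo() -> Dict[str, bool]:
    # Constructed sample values for this example; not real keys or credentials.
    root_key = b"\x11" * 32
    creds = {"ci": b"ci-token-A", "deploy-bot": b"deploy-token-B"}
    allowed = {"ci": {b"build:"}, "deploy-bot": {b"release:"}}
    _store, l1, l2 = build_stack(root_key, creds, allowed)
    results: Dict[str, bool] = {}

    # Allowed: right identity (Level 1) and an operation the policy permits (Level 2).
    tag = l2.sign("ci", b"ci-token-A", b"build:abc123")
    results["ci_build_ok"] = tag == hmac.new(root_key, b"build:abc123", hashlib.sha256).digest()

    # Denied at Level 2: right identity, but not an operation "ci" may perform.
    try:
        l2.sign("ci", b"ci-token-A", b"release:v1.0")
        results["ci_release_denied"] = False
    except PermissionError:
        results["ci_release_denied"] = True

    # Denied at Level 1: policy would allow it, but the credential is wrong.
    try:
        l2.sign("deploy-bot", b"wrong", b"release:v1.0")
        results["bad_credential_denied"] = False
    except PermissionError:
        results["bad_credential_denied"] = True

    # Policy change: a new Level 2 around the same Level 1; Level 0 and Level 1 are untouched.
    l2_new = Level2PolicySigner(l1, prefix_policy({"ci": {b"build:", b"release:"}}))
    tag2 = l2_new.sign("ci", b"ci-token-A", b"release:v1.0")
    results["policy_swap_ok"] = tag2 == hmac.new(root_key, b"release:v1.0", hashlib.sha256).digest()
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat the layering makes visible: Level 2 evaluates its policy against the principal the caller merely claims to be, and only then does Level 1 check the credential. That is fine as long as the policy decision is never treated as having authenticated anyone; the identity check stays Level 1's job, and a denial at Level 2 must not leak anything that a denial at Level 1 would not.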