Figure out how to install the PSW in the nix environment -- currently running into issues to build the installer (make psw_install_pkg fails with -lpthread not available) -- see issue Reproducible builds for the PSW intel/linux-sgx#645 to follow.
Use an example that has remote attestation (e.g. remoteattestation, or something else)
Provide a simple demo script that would be used by an auditor.
auditor script
inputs:
a signed enclave (enclave.signed.so) to be checked for its reproducibility, and
enclave.so (optional)
the source code to reproduce the build
maybe: an attestation verification report from Intel -- from the enclave.signed.so the MRSIGNER can be extracted and compared against the one in the report -- hence, if the enclave.signed.so can be reproduced, and its MRSIGNER matches the one in the report, and the code "passes" the audit, then enclave.signed.so can be "trusted"
outputs:
true/success - meaning it is reproducible and "trusted", OR false/failing otherwise, with the reason (unreproducible, MRSIGNER and/or MRENCLAVE mismatch)
verbose/debug info:
the sha256sum of the metadata of the enclave.signed.so file under audit (the one given as input)
the sha256sum of the metadata of the built and signed enclave (built by the script) -- the sha256sums should match if the script outputs true/success for reproducibility
Notes about MRSIGNER
See https://github.com/intel/sgx-ra-sample/blob/master/Makefile.am#L97-L100 for an example on how to extract the MRSIGNER from a signed enclave .so file.
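A sketch of the auditor check outlined in this issue, added here as an example and not code from the issue or the project. It assumes the raw SIGSTRUCT of each enclave has already been dumped with the SDK's sgx_sign tool, and that the rebuilt enclave is signed with the auditor's own key, so reproducibility is judged on MRENCLAVE while MRSIGNER is checked against the report. The names `measurements`, `audit` and `fake_sigstruct` are hypothetical.

```python
import hashlib

# SIGSTRUCT layout per the Intel SDM: 1808 bytes in total,
# MODULUS at offset 128 (384 bytes), ENCLAVEHASH at offset 960 (32 bytes).
SIGSTRUCT_SIZE = 1808
MODULUS_OFF, MODULUS_LEN = 128, 384
MRENCLAVE_OFF, MRENCLAVE_LEN = 960, 32


def measurements(sigstruct):
    """Return MRENCLAVE and MRSIGNER (hex) from a raw SIGSTRUCT blob."""
    if len(sigstruct) != SIGSTRUCT_SIZE:
        raise ValueError(f"expected {SIGSTRUCT_SIZE} bytes, got {len(sigstruct)}")
    modulus = sigstruct[MODULUS_OFF:MODULUS_OFF + MODULUS_LEN]
    return {
        "mrenclave": sigstruct[MRENCLAVE_OFF:MRENCLAVE_OFF + MRENCLAVE_LEN].hex(),
        # MRSIGNER is SHA-256 over the signer's RSA modulus as stored.
        "mrsigner": hashlib.sha256(modulus).hexdigest(),
    }


def audit(audited, rebuilt, report_mrsigner=None):
    """Return (ok, reasons, debug) for the enclave under audit."""
    a, r = measurements(audited), measurements(rebuilt)
    reasons = []
    if a["mrenclave"] != r["mrenclave"]:
        reasons.append("unreproducible: MRENCLAVE mismatch")
    if report_mrsigner is not None and a["mrsigner"] != report_mrsigner.lower():
        reasons.append("MRSIGNER mismatch with attestation report")
    return (not reasons, reasons, {"audited": a, "rebuilt": r})


def fake_sigstruct(modulus_byte, mrenclave):
    """Constructed sample input: zero-filled SIGSTRUCT with only two fields set."""
    blob = bytearray(SIGSTRUCT_SIZE)
    blob[MODULUS_OFF:MODULUS_OFF + MODULUS_LEN] = bytes([modulus_byte]) * MODULUS_LEN
    blob[MRENCLAVE_OFF:MRENCLAVE_OFF + MRENCLAVE_LEN] = mrenclave
    return bytes(blob)


if __name__ == "__main__":
    under_audit = fake_sigstruct(0xA1, b"\x11" * 32)  # constructed: vendor-signed
    rebuilt = fake_sigstruct(0xB2, b"\x11" * 32)      # constructed: auditor-signed
    expected = measurements(under_audit)["mrsigner"]  # stands in for the report value
    ok, reasons, debug = audit(under_audit, rebuilt, expected)
    print("success" if ok else "failing", reasons, debug)
```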