Understanding reproducible enclave builds with linux-sgx

[sbellem]

This issue is meant to lay out questions and explanations that may arise when one is trying to understand what are reproducible enclave builds, how they are obtained and verified, etc, in the context of linux-sgx.

Working from https://github.com/intel/linux-sgx/tree/master/linux/reproducibility.

[sbellem]

Just some rough note:

Their build process could be said to be mainly in 2 main parts:

1. Download/prepare all the code necessary to build the software packages. This is done via cloning the linux-sgx repo, and running scripts from that repo, that may itself download prebuilt installers, binaries, etc.
2. Build a docker image that has nix inside, with which dependencies to build are installed, and mount the code prepared in step 1 into a running container to build the software.

It's important to note that linux-sgx comprises many sub-packages, and that it also can be used for both DCAP and EPID -based purposes. It's a bit confusing to know what one needs, and what one does not need.

[sbellem]

576b765df10f375a3427fef8e44a5048fe77b3017922d27c2caee594aad3f1a6