reproducible MR_ENCLAVE

Hi,

Is there a way to make sure the same source code will always compile to the same binary with the same MR_ENCLAVE? In my experience, if I compile on the same platform multiple times, the MR_ENCLAVE is indeed the same. But if I compile the same code on different machines (even if the kernel and packages are exactly the same, e.g. two containers from the same Docker image), the resulting MR_ENCLAVE is different. Why is that the case?

My goal is for the users of my enclave to be able to reproduce the same MR_ENCLAVE on their own platform, and say "oh that's indeed the source code I see that's running in the cloud". Isn't this one major use case of SGX? 

Any clarification is appreciated. Thanks.

Fan

6 posts / 0 new
Last post

You are using Linux right?

Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.

Thanks,

Francisco


Thanks, I will do it once I get to my workstation.

Just to clarify: it shouldn't matter if I'm building SIM or HW, DEBUG or not, right?

Quote:

Francisco C. (Intel) wrote:

You are using Linux right?

Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.

Thanks,

Francisco

The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be different as well.

Quote:

Francisco C. (Intel) wrote:

The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.

Please find the diff of two enclaves at https://pastebin.com/XGBK8wQu

Both are compiled in Debug mode with SIM, using the same docker images (but two container instances).

Fan

If you exclude the .sgxmeta section, you can see that the binaries differ slightly, and this is why the MRENCLAVE is different.

It's possible that this is an issue with the settings the SDK uses in SIM mode. Are you also seeing the same issue if you build for HW mode?

Thanks,

Francisco
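
A way to do the section-by-section comparison Francisco asks for in his first reply and then narrows down in his last one, as an added example that is not part of this thread or of the SGX SDK: a standard-library Python script that parses the ELF64 section header table of two enclave shared objects, hashes every section, skips .sgxmeta (the section the thread identifies as expected to differ) and reports the sections that still differ together with the offset of the first differing byte. The `build_elf` helper and the `BUILD_A`/`BUILD_B`/`BUILD_C` images are constructed samples so the script runs offline; on real enclaves pass the bytes of the two `enclave.so` files to `diff_sections`.

```python
"""Section-by-section comparison of two enclave shared objects (ELF64).

Standard library only: parses the ELF64 section header table, hashes each
section's bytes, and reports which sections differ. Sections expected to
differ between builds (.sgxmeta, per the thread) can be ignored so the
remaining differences stand out.
"""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8


def elf_sections(data):
    """Return {section_name: section_bytes} for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = []
    for i in range(e_shnum):
        # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
        sh_name, sh_type, _, _, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        headers.append((sh_name, sh_type, sh_offset, sh_size))
    strtab_off = headers[e_shstrndx][2]          # .shstrtab holds the section names
    sections = {}
    for sh_name, sh_type, sh_offset, sh_size in headers:
        name_end = data.index(b"\0", strtab_off + sh_name)
        name = data[strtab_off + sh_name:name_end].decode()
        # SHT_NOBITS sections (.bss) occupy no bytes in the file
        body = b"" if sh_type == SHT_NOBITS else bytes(data[sh_offset:sh_offset + sh_size])
        sections[name] = body
    return sections


def first_diff_offset(a, b):
    """Offset of the first differing byte, or None if a == b."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def diff_sections(img_a, img_b, ignore=(".sgxmeta",)):
    """Map section name -> (sha256_a, sha256_b, first_diff_offset) for sections that differ."""
    sa, sb = elf_sections(img_a), elf_sections(img_b)
    report = {}
    for name in sorted(set(sa) | set(sb)):
        if name in ignore:
            continue
        body_a, body_b = sa.get(name), sb.get(name)
        if body_a == body_b:
            continue
        ha = hashlib.sha256(body_a).hexdigest() if body_a is not None else None
        hb = hashlib.sha256(body_b).hexdigest() if body_b is not None else None
        off = first_diff_offset(body_a, body_b) if None not in (body_a, body_b) else None
        report[name] = (ha, hb, off)
    return report


def build_elf(sections):
    """Build a minimal little-endian ELF64 image holding the given sections.

    Constructed sample for this example only; a real enclave .so has many more
    sections and a program header table, which the parser above does not need.
    """
    names = [""] + list(sections) + [".shstrtab"]
    shstrtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    bodies = {**sections, ".shstrtab": shstrtab}
    data = bytearray(64)                         # ELF header, filled in below
    offsets = {}
    for n in names[1:]:
        offsets[n] = len(data)
        data += bodies[n]
    e_shoff = len(data)
    for n in names:
        if n == "":
            data += bytes(64)                    # mandatory null section header
            continue
        sh_type = SHT_STRTAB if n == ".shstrtab" else SHT_PROGBITS
        data += struct.pack("<IIQQQQIIQQ", name_off[n], sh_type, 0, 0,
                            offsets[n], len(bodies[n]), 0, 0, 1, 0)
    data[0:4] = ELF_MAGIC
    data[4], data[5], data[6] = 2, 1, 1          # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", data, 16, 3, 62, 1)  # ET_DYN, EM_X86_64, EV_CURRENT
    struct.pack_into("<Q", data, 0x28, e_shoff)
    struct.pack_into("<HHHHHH", data, 0x34, 64, 0, 0, 64, len(names),
                     names.index(".shstrtab"))
    return bytes(data)


# Constructed sample images (not real enclaves). A and B hold identical code and
# differ only in .sgxmeta; C also differs from A in .text.
CODE = b"\x55\x48\x89\xe5\xc3"
BUILD_A = build_elf({".text": CODE, ".sgxmeta": b"metadata-host-A"})
BUILD_B = build_elf({".text": CODE, ".sgxmeta": b"metadata-host-B"})
BUILD_C = build_elf({".text": CODE[:4] + b"\x90\xc3", ".sgxmeta": b"metadata-host-C"})

if __name__ == "__main__":
    print(diff_sections(BUILD_A, BUILD_B))              # {} once .sgxmeta is ignored
    print(diff_sections(BUILD_A, BUILD_B, ignore=()))   # .sgxmeta shows up at offset 14
    print(diff_sections(BUILD_A, BUILD_C))              # .text differs at offset 4
```

For two real builds, `diff_sections(open("a/enclave.so", "rb").read(), open("b/enclave.so", "rb").read())` names the sections to look at; `readelf -x <section>` or `objdump -d` on both files at the reported offset then shows what changed. In non-reproducible builds the usual culprits are absolute build paths, timestamps and build IDs embedded in .comment, .note.gnu.build-id, .rodata or the debug sections, and those are worth checking before suspecting the SDK.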
