Open
Description
- Figure out how to install the PSW in the nix environment -- currently running into issues building the installer (`make psw_install_pkg` fails with `-lpthread` not available) -- see issue "Reproducible builds for the PSW" (intel/linux-sgx#645) to follow.
- Use an example that has remote attestation (e.g. remoteattestation, or something else)
- Provide a simple demo script that would be used by an auditor.

auditor script

inputs:
- a signed enclave (`enclave.signed.so`) to be checked for its reproducibility, and `enclave.so` (optional)
- the source code to reproduce the build
- maybe: an attestation verification report from Intel -- from the `enclave.signed.so` the MRSIGNER can be extracted and compared against the one in the report -- hence, if the `enclave.signed.so` can be reproduced, and its MRSIGNER matches the one in the report, and the code "passes" the audit, then `enclave.signed.so` can be "trusted"

outputs:
- `true`/`success` - meaning it is reproducible and "trusted", OR
- `false`/`failing` otherwise, with the reason (unreproducible, MRSIGNER and/or MRENCLAVE mismatch)

verbose/debug info:
- the sha256sum of the metadata of the `enclave.signed.so` file under audit (the one given as input)
- the sha256sum of the metadata of the built and signed enclave (built by the script) -- the sha256sums should match if the script outputs `true`/`success` for reproducibility
- MRSIGNER extracted from `enclave.signed.so`
- MRSIGNER extracted from report
- MRENCLAVE extracted from report

Notes about MRSIGNER

See https://github.com/intel/sgx-ra-sample/blob/master/Makefile.am#L97-L100 for an example on how to extract the MRSIGNER from a signed enclave `.so` file.
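A sketch of the auditor decision described above, added here as an example; it is not code from this repository or from the issue author. It assumes the raw 1808-byte SIGSTRUCT of each enclave has already been extracted from the `.so`, that the report's MRSIGNER and MRENCLAVE are already decoded to hex, and it hashes the SIGSTRUCT as a stand-in for the "metadata"; the names `measurements`, `audit` and `constructed_sigstruct` are hypothetical.

```python
import hashlib

# SIGSTRUCT layout per the Intel SDM: 1808 bytes in total.
SIGSTRUCT_SIZE = 1808
MODULUS = slice(128, 512)      # 384-byte RSA public modulus of the signer
ENCLAVEHASH = slice(960, 992)  # 32-byte MRENCLAVE

def measurements(sigstruct: bytes) -> dict:
    """Return MRSIGNER and MRENCLAVE (hex) read from a raw SIGSTRUCT."""
    if len(sigstruct) != SIGSTRUCT_SIZE:
        raise ValueError(f"SIGSTRUCT must be {SIGSTRUCT_SIZE} bytes, got {len(sigstruct)}")
    return {
        # MRSIGNER is the SHA-256 of the modulus bytes as stored in SIGSTRUCT.
        "mrsigner": hashlib.sha256(sigstruct[MODULUS]).hexdigest(),
        "mrenclave": sigstruct[ENCLAVEHASH].hex(),
    }

def audit(audited: bytes, rebuilt: bytes, report: dict):
    """Return (ok, reasons, debug) for the audited enclave's SIGSTRUCT."""
    found = measurements(audited)
    measurements(rebuilt)  # length check only; its hash is compared below
    debug = {
        "sha256_audited": hashlib.sha256(audited).hexdigest(),
        "sha256_rebuilt": hashlib.sha256(rebuilt).hexdigest(),
        "mrsigner_enclave": found["mrsigner"],
        "mrsigner_report": report["mrsigner"].lower(),
        "mrenclave_report": report["mrenclave"].lower(),
    }
    reasons = []
    if debug["sha256_audited"] != debug["sha256_rebuilt"]:
        reasons.append("unreproducible")
    if found["mrsigner"] != debug["mrsigner_report"]:
        reasons.append("MRSIGNER mismatch")
    if found["mrenclave"] != debug["mrenclave_report"]:
        reasons.append("MRENCLAVE mismatch")
    return not reasons, reasons, debug

def constructed_sigstruct(fill: int, enclave_hash: bytes) -> bytes:
    """Constructed sample input: zeroed SIGSTRUCT with only two fields set."""
    s = bytearray(SIGSTRUCT_SIZE)
    s[MODULUS] = bytes([fill]) * 384
    s[ENCLAVEHASH] = enclave_hash
    return bytes(s)

if __name__ == "__main__":
    mre = bytes(range(32))
    audited = constructed_sigstruct(0xAB, mre)
    report = {"mrsigner": hashlib.sha256(b"\xab" * 384).hexdigest(), "mrenclave": mre.hex()}
    print(audit(audited, audited, report)[:2])
    print(audit(audited, constructed_sigstruct(0xAB, bytes(32)), report)[:2])
```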