I've read the documentation and whitepaper on the SGX Attestation and it looks to me that it's more like a thing that myself (owner and runner of the code) can use to make sure my HW nor enclave had been tampered with, rather than being used as a way for my clients to be sure I'm not doing "evil" things (like running a different code than I should -- assuming it's public).
I like how SGX aids on preventing the code's memory from snooping. Is there any way for my end-user, assuming my code is public, to be able to build that same code, and somehow (hashing?) verify that it's the same code that's running on the enclave?
Thanks in advance!