Hi,
Is there a way to make sure the same source code will always compile to the same binary with the same MR_ENCLAVE? In my experience, if I compile on the same platform multiple times, the MR_ENCLAVE is indeed the same. But if I compile the same code on different machines (even if the kernel and packages are exactly the same, e.g. two containers from the same Docker image), the resultant MR_ENCLAVE is different. Why is that the case?
My goal is for the users of my enclave to be able to reproduce the same MR_ENCLAVE on their own platform, and say "oh that's indeed the source code I see that's running in the cloud". Isn't this one major use case of SGX?
Any clarification is appreciated. Thanks.
Fan
You are using Linux, right?
Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.
Thanks,
Francisco
Thanks, I will do it once I get to my workstation.
Just to clarify: it shouldn't matter if I'm building SIM or HW, DEBUG or not, right?
Francisco C. (Intel) wrote:
You are using Linux, right?
Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.
Thanks,
Francisco
The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.
Francisco C. (Intel) wrote:
The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.
Please find the diff of two enclaves at https://pastebin.com/XGBK8wQu
Both are compiled in Debug mode with SIM, using the same docker images (but two container instances).
Fan
If you were to exclude the .sgxmeta section, you can see that the binaries differ slightly, and this is why the MRENCLAVE is different.
It's possible that this is an issue with the settings the SDK uses when in SIM mode. Are you also seeing the same issue if you were to build for HW mode?
Thanks,
Francisco
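The comparison suggested in this thread (dump both ELF files, see which sections differ, and set `.sgxmeta` aside) can be scripted. The following is an added example, not code from any poster or from the SGX SDK; the function names and the sample section contents are made up for illustration, and it assumes little-endian ELF64 enclave images.

```python
import hashlib
import struct

def section_digests(elf: bytes) -> dict:
    """Map each section name to the SHA-256 of its file bytes (ELF64, little-endian)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)                      # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def header(i):  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize)

    str_off, str_size = header(shstrndx)[4:6]
    strtab = elf[str_off:str_off + str_size]
    digests = {}
    for i in range(1, shnum):                                           # index 0 is the null section
        name_idx, sh_type, _, _, off, size = header(i)
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        data = b"" if sh_type == 8 else elf[off:off + size]             # SHT_NOBITS: no file bytes
        digests[name] = hashlib.sha256(data).hexdigest()
    return digests

def differing_sections(elf_a: bytes, elf_b: bytes, ignore=(".sgxmeta",)) -> list:
    """Names of sections whose contents differ, skipping the ones in `ignore`."""
    a, b = section_digests(elf_a), section_digests(elf_b)
    return sorted(n for n in a.keys() | b.keys() if n not in ignore and a.get(n) != b.get(n))

def build_sample_elf(sections: dict) -> bytes:
    """Constructed test input: a minimal ELF64 image holding the given sections."""
    names = list(sections) + [".shstrtab"]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    headers, blob, name_off = [bytes(64)], b"", 1
    for name, body in zip(names, list(sections.values()) + [strtab]):
        sh_type = 3 if name == ".shstrtab" else 1                       # SHT_STRTAB / SHT_PROGBITS
        headers.append(struct.pack("<IIQQQQIIQQ", name_off, sh_type, 0, 0,
                                   64 + len(blob), len(body), 0, 0, 1, 0))
        blob += body
        name_off += len(name) + 1
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64 + len(blob), 0, 64, 0, 0, 64,
        len(headers), len(headers) - 1)
    return ehdr + blob + b"".join(headers)

# Constructed samples standing in for two builds of the same enclave source.
BUILD_A = build_sample_elf({".text": b"\x90" * 8, ".rodata": b"variant-A", ".sgxmeta": b"meta-A"})
BUILD_B = build_sample_elf({".text": b"\x90" * 8, ".rodata": b"variant-B", ".sgxmeta": b"meta-B"})
print(differing_sections(BUILD_A, BUILD_B))
```

For real enclaves, pass the bytes of the two signed enclave files (read with `open(path, "rb").read()`) to `differing_sections`; any name it returns is a section whose contents changed between the two builds.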
@Francisco D, how can I get the mrenclave and mrsigner reference value?
Answered in your other thread: https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/805220#comment-1934414
Regards.
Scott