Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

reproducible MR_ENCLAVE

Fan
Beginner

Hi,

Is there a way to make sure the same source code will always compile to the same binary with the same MR_ENCLAVE? In my experience, if I compile on the same platform multiple times, the MR_ENCLAVE is indeed the same. But if I compile the same code on different machines (even if the kernel and packages are exactly the same, e.g. two containers from the same Docker image), the resultant MR_ENCLAVE is different. Why is that the case?

My goal is for the users of my enclave to be able to reproduce the same MR_ENCLAVE on their own platform, and say "oh that's indeed the source code I see that's running in the cloud". Isn't this one major use case of SGX? 

Any clarification is appreciated. Thanks.

Fan

7 Replies
Francisco_C_Intel

You are using Linux right?

Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.

Thanks,

Francisco

Fan
Beginner

Thanks, I will do it once I get to my workstation.

Just to clarify: it shouldn't matter if I'm building SIM or HW, DEBUG or not, right?

Francisco C. (Intel) wrote:

You are using Linux right?

Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.

Thanks,

Francisco

Francisco_C_Intel

The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.

Fan
Beginner

Francisco C. (Intel) wrote:

The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.

Please find the diff of two enclaves at https://pastebin.com/XGBK8wQu

Both are compiled in Debug mode with SIM, using the same docker images (but two container instances).

Fan

Francisco_C_Intel

If you were to exclude the .sgxmeta section, you can see that the binaries differ slightly, and this is why the MRENCLAVE is different.

It's possible that this is an issue with the settings the SDK uses when in SIM mode. Are you also seeing the same issue if you were to build for HW mode?

Thanks,

Francisco

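A section-by-section comparison of the kind Francisco asks for, as an added example that is not part of this thread or of the SGX SDK: it parses the ELF64 section headers of two enclave builds and lists the sections whose bytes differ, skipping .sgxmeta as he suggests. The build_elf helper is a constructed fixture that stands in for two real enclave .so files; everything else works on any little-endian ELF64 image.

```python
"""Section-by-section diff of two ELF64 images, ignoring .sgxmeta (added example)."""
import struct

SHDR = struct.Struct("<IIQQQQIIQQ")  # Elf64_Shdr: name,type,flags,addr,offset,size,link,info,align,entsize


def elf_sections(blob):
    """Return {section name: file bytes} for a little-endian ELF64 image."""
    assert blob[:4] == b"\x7fELF" and blob[4] == 2 and blob[5] == 1, "not an ELF64 LE file"
    (shoff,) = struct.unpack_from("<Q", blob, 0x28)            # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", blob, 0x3A)
    hdrs = [SHDR.unpack_from(blob, shoff + i * shentsize) for i in range(shnum)]
    strtab = blob[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    out = {}
    for sh_name, sh_type, _flags, _addr, off, size, *_ in hdrs:
        if sh_type == 0:                                         # SHT_NULL placeholder entry
            continue
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        out[name] = b"" if sh_type == 8 else blob[off:off + size]  # SHT_NOBITS (.bss) has no file bytes
    return out


def diff_sections(a, b, ignore=(".sgxmeta",)):
    """Names of sections whose contents differ between images a and b, minus the ignored ones."""
    sa, sb = elf_sections(a), elf_sections(b)
    return sorted(n for n in sa.keys() | sb.keys() if n not in ignore and sa.get(n) != sb.get(n))


def build_elf(sections):
    """Constructed test fixture: a minimal ELF64 image (no program headers) holding the given sections."""
    names = [""] + list(sections) + [".shstrtab"]
    shstrtab = b"\0".join(n.encode() for n in names) + b"\0"
    name_off, pos = {}, 0
    for n in names:
        name_off[n], pos = pos, pos + len(n) + 1
    body, hdrs, offset = b"", [SHDR.pack(*[0] * 10)], 64    # section data starts right after the 64-byte ELF header
    for n, data in list(sections.items()) + [(".shstrtab", shstrtab)]:
        sh_type = 3 if n == ".shstrtab" else 1                # SHT_STRTAB / SHT_PROGBITS
        hdrs.append(SHDR.pack(name_off[n], sh_type, 0, 0, offset, len(data), 0, 0, 1, 0))
        body, offset = body + data, offset + len(data)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, offset, 0, 64, 0, 0, 64, len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(hdrs)


if __name__ == "__main__":
    base = {".text": b"\x55\x48\x89\xe5\xc3", ".rodata": b"enclave", ".sgxmeta": b"META-A"}
    print(diff_sections(build_elf(base), build_elf({**base, ".sgxmeta": b"META-B"})))  # []
    print(diff_sections(build_elf(base), build_elf({**base, ".text": b"\x90\xc3"})))   # ['.text']
```

On real builds, pass the bytes of the two enclave .so files to diff_sections; any section it reports is one that feeds into MRENCLAVE and must be made deterministic.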
Zhang__Huiqiang
Beginner

@Francisco D, how can I get the MRENCLAVE and MRSIGNER reference value?

Scott_R_Intel
Employee