Fan
Beginner
151 Views

reproducible MR_ENCLAVE

Hi,

Is there a way to make sure the same source code will always compile to the same binary with the same MR_ENCLAVE? In my experience, if I compile on the same platform multiple times, the MR_ENCLAVE is indeed the same. But if I compile the same code on different machines (even if the kernel and packages are exactly the same, e.g. two containers from the same Docker image), the resultant MR_ENCLAVE is different. Why is that the case?

My goal is for the users of my enclave to be able to reproduce the same MR_ENCLAVE on their own platform, and say "oh that's indeed the source code I see that's running in the cloud". Isn't this one major use case of SGX? 

Any clarification is appreciated. Thanks.

Fan

7 Replies
151 Views

You are using Linux, right?

Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.

Thanks,

Francisco

 

Fan
Beginner

Thanks, I will do it once I get to my workstation.

Just to clarify: it shouldn't matter if I'm building SIM or HW, DEBUG or not, right?

Francisco C. (Intel) wrote:

You are using Linux, right?

Can you do a binary dump of both ELF files and then check for differences? I'm looking for which ELF sections contain differences.

Thanks,

Francisco

 

151 Views

The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.

Fan
Beginner

Francisco C. (Intel) wrote:

The MRENCLAVE will be different for SIM vs HW, and Debug vs PreRelease will be diff as well.

Please find the diff of two enclaves at https://pastebin.com/XGBK8wQu

Both are compiled in Debug mode with SIM, using the same docker images (but two container instances).

Fan

151 Views

If you were to exclude the .sgxmeta section, you can see that the binaries differ slightly, and this is why the MRENCLAVE is different.

It's possible that this is an issue with the settings the SDK uses when in SIM mode. Are you also seeing the same issue if you were to build for HW mode?

Thanks,

Francisco
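One way to carry out the per-section comparison requested in this thread, as an added example that is not part of the original posts or of the SGX SDK: it hashes each section of two little-endian ELF64 files and lists the sections whose contents differ, skipping .sgxmeta by default. The function names and the two sample ELF images built inline are constructed for illustration.

```python
import hashlib, struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header (64 bytes)

def section_digests(elf: bytes) -> dict:
    """Map section name -> SHA-256 of that section's bytes in the file."""
    (ident, _, _, _, _, _, shoff, _, _, _, _,
     shentsize, shnum, shstrndx) = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    shdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = shdrs[shstrndx][4]        # sh_offset of the name table
    out = {}
    for name_off, sh_type, _, _, off, size, *_ in shdrs:
        if sh_type == 0:                   # SHT_NULL placeholder entry
            continue
        start = strtab_off + name_off
        name = elf[start:elf.index(b"\0", start)].decode()
        # SHT_NOBITS (8, e.g. .bss) occupies no bytes in the file
        data = b"" if sh_type == 8 else elf[off:off + size]
        out[name] = hashlib.sha256(data).hexdigest()
    return out

def differing_sections(a: bytes, b: bytes, ignore=(".sgxmeta",)) -> list:
    """Names of sections whose contents differ or exist in only one file."""
    da, db = section_digests(a), section_digests(b)
    return sorted(n for n in da.keys() | db.keys()
                  if n not in ignore and da.get(n) != db.get(n))

def build_elf(sections: dict) -> bytes:
    """Constructed test input: minimal ELF64 image holding the given sections."""
    names = list(sections) + [".shstrtab"]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    blob, shdrs, name_off = b"", [SHDR.pack(*[0] * 10)], 1
    for n, body in zip(names, list(sections.values()) + [strtab]):
        sh_type = 3 if n == ".shstrtab" else 1   # SHT_STRTAB / SHT_PROGBITS
        shdrs.append(SHDR.pack(name_off, sh_type, 0, 0,
                               64 + len(blob), len(body), 0, 0, 1, 0))
        blob += body
        name_off += len(n) + 1
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 3, 62, 1, 0, 0,
                     64 + len(blob), 0, 64, 0, 0, 64, len(shdrs), len(shdrs) - 1)
    return ehdr + blob + b"".join(shdrs)

# Constructed samples standing in for two builds of the same enclave.
SAMPLE_A = build_elf({".text": b"\x90" * 16, ".rodata": b"variant-1", ".sgxmeta": b"A" * 8})
SAMPLE_B = build_elf({".text": b"\x90" * 16, ".rodata": b"variant-2", ".sgxmeta": b"B" * 8})

if __name__ == "__main__":
    print(differing_sections(SAMPLE_A, SAMPLE_B))
```

On real builds, read the two enclave shared objects with `open(path, "rb").read()` and pass the bytes to `differing_sections`.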

Zhang__Huiqiang
Beginner

@Francisco D, how can I get the mrenclave and mrsigner reference value?

Scott_R_Intel
Employee