Re: Assistance regarding reproducing Enclave Hash for Gramine applications

11 views
Skip to first unread message

Michał Kowalczyk

unread,
Dec 12, 2024, 12:48:50 PM12/12/24
to Anirban Chakraborty, Yuval Yarom, Ghassan Karame, Annika Wilde, gramin...@googlegroups.com
Hi,

Are all the versions of the software you use to build Gramine exactly the same in both cases? E.g. gcc version. Different GCC versions produce different binary code (and same for all other tools used to build Gramine).

ps. Please don't use security@, it's used only for reporting of security vulnerabilities. I added gramine-users@ to CC and removed security@.

Best,
Michał

On 12/9/24 20:12, Anirban Chakraborty wrote:

Dear Gramine team,


We hope this message finds you well.

We are a group of researchers from Ruhr University Bochum, Germany, working on a project involving Gramine. As part of our research, we are attempting to compile the project and reproduce the enclave hash on Intel SGX machine (Intel i7-9750H), running on Ubuntu 22.04.

We built the helloworld.c program using two instances of gramine - (1) pre-installed gramine from the provided docker image at https://hub.docker.com/r/gramineproject/gramine and (2) gramine built from source (https://github.com/gramineproject/gramine).

The measurements of the binaries in the two instances did not match. We are following the instructions outlined in the https://gramine.readthedocs.io/en/stable/run-sample-application.html documentation. Furthermore, we did not make any changes to the source codes.

The two output are shown below.

* Gramine built from source:

$ make SGX=1
cc -Wall -Wextra -O3   -c -o helloworld.o helloworld.c
cc   helloworld.o   -o helloworld
gramine-manifest \
    -Dlog_level=error \
    helloworld.manifest.template helloworld.manifest
gramine-manifest-check helloworld.manifest
gramine-sgx-sign \
    --manifest helloworld.manifest \
    --output helloworld.manifest.sgx
Attributes (required for enclave measurement):
    size:        0x10000000
    edmm:        False
    max_threads: 4
SGX remote attestation:
    None
Memory:
    000000000fffd000-0000000010000000 [REG:R--] (manifest) measured
    000000000ffdd000-000000000fffd000 [REG:RW-] (ssa) measured
    000000000ffd9000-000000000ffdd000 [TCS:---] (tcs) measured
    000000000ffd5000-000000000ffd9000 [REG:RW-] (tls) measured
    000000000ff95000-000000000ffd5000 [REG:RW-] (stack) measured
    000000000ff55000-000000000ff95000 [REG:RW-] (stack) measured
    000000000ff15000-000000000ff55000 [REG:RW-] (stack) measured
    000000000fed5000-000000000ff15000 [REG:RW-] (stack) measured
    000000000fec5000-000000000fed5000 [REG:RW-] (sig_stack) measured
    000000000feb5000-000000000fec5000 [REG:RW-] (sig_stack) measured
    000000000fea5000-000000000feb5000 [REG:RW-] (sig_stack) measured
    000000000fe95000-000000000fea5000 [REG:RW-] (sig_stack) measured
    000000000fe3d000-000000000fe8c000 [REG:R-X] (code) measured
    000000000fe8c000-000000000fe95000 [REG:RW-] (data) measured
    0000000000010000-000000000fe3d000 [REG:RWX] (free)
Measurement:
    0589da732e5dc02a4416318ef247403e091bc4eda414942a54ef687936facad2
gramine-manifest-check helloworld.manifest.sgx


* Gramine from the docker:

root@ac0de516f9ea:~/gramine/CI-Examples/helloworld# make SGX=1
cc -Wall -Wextra -O3   -c -o helloworld.o helloworld.c
cc   helloworld.o   -o helloworld
gramine-manifest \
    -Dlog_level=error \
    helloworld.manifest.template helloworld.manifest
gramine-manifest-check helloworld.manifest
gramine-sgx-sign \
    --manifest helloworld.manifest \
    --output helloworld.manifest.sgx
Attributes (required for enclave measurement):
    size:        0x10000000
    edmm:        False
    max_threads: 4
SGX remote attestation:
    None
Memory:
    000000000fffd000-0000000010000000 [REG:R--] (manifest) measured
    000000000ffdd000-000000000fffd000 [REG:RW-] (ssa) measured
    000000000ffd9000-000000000ffdd000 [TCS:---] (tcs) measured
    000000000ffd5000-000000000ffd9000 [REG:RW-] (tls) measured
    000000000ff95000-000000000ffd5000 [REG:RW-] (stack) measured
    000000000ff55000-000000000ff95000 [REG:RW-] (stack) measured
    000000000ff15000-000000000ff55000 [REG:RW-] (stack) measured
    000000000fed5000-000000000ff15000 [REG:RW-] (stack) measured
    000000000fec5000-000000000fed5000 [REG:RW-] (sig_stack) measured
    000000000feb5000-000000000fec5000 [REG:RW-] (sig_stack) measured
    000000000fea5000-000000000feb5000 [REG:RW-] (sig_stack) measured
    000000000fe95000-000000000fea5000 [REG:RW-] (sig_stack) measured
    000000000fe3d000-000000000fe8c000 [REG:R-X] (code) measured
    000000000fe8c000-000000000fe95000 [REG:RW-] (data) measured
    0000000000010000-000000000fe3d000 [REG:RWX] (free)
Measurement:
    96e97ef9679d01a111c0dbb1221899e46e83584a1ed77c0ae95d331eb6caaaf7
gramine-manifest-check helloworld.manifest.sgx


We are reaching out to ask if there are additional steps or considerations we may have missed that could explain the discrepancy in the measurements of the two binaries. Any guidance or insights you can provide would be greatly appreciated.

Thank you for your time and support.


Kind Regards,

Anirban


OpenPGP_signature.asc

Wojtek Porczyk

unread,
Dec 12, 2024, 1:10:48 PM12/12/24
to Anirban Chakraborty, Michał Kowalczyk, Yuval Yarom, Ghassan Karame, Annika Wilde, gramin...@googlegroups.com
On Thu, Dec 12, 2024 at 06:48:40PM +0100, Michał Kowalczyk wrote:
> Are all the versions of the software you use to build Gramine exactly the
> same in both cases? E.g. gcc version. Different GCC versions produce
> different binary code (and same for all other tools used to build Gramine).

There's virtually no chance there are the same versions, unless you did some
serious version adjusting. Packages are built on earliest supported Debian
versions (1.8 was built on bookworm with backports). Biggest change is
probably GCC version, as Michał guessed: Ubuntu 22.04 has GCC 12.x and Debian
11 has GCC 10.x. All other variability is probably minor compared to that.
I'm attaching .buildinfo file for 1.8 packages, HTH. I'm sure you already know
(or your academic advisor will tell you in short order) that you don't need
exactly the same versions as in .buildinfo, there's probably a range of valid
versions for each of the packages, but no-one tests for that variability. In
any case, I think it would be a good idea to start with plain Debian 11,
enable backports and just build .deb package. It might just work.


--
pozdrawiam / best regards
Wojtek Porczyk
Gramine / Invisible Things Lab

I do not fear computers,
I fear lack of them.
-- Isaac Asimov
gramine_1.8_amd64.buildinfo
signature.asc

Anirban Chakraborty

unread,
Dec 15, 2024, 6:34:07 PM12/15/24
to wo...@invisiblethingslab.com, Michał Kowalczyk, Yuval Yarom, Ghassan Karame, Annika Wilde, gramin...@googlegroups.com
Hi Wojtek,


Thank your for the information.


Thanks,

Anirban
Reply all
Reply to author
Forward
0 new messages