geth-sgx-gramine
Gramine Reproducible Builds
- [ ] 1. Can the TCB (trusted computing base) of a Gramine enclave be built deterministically?
- [ ] 2. What are Gramine's build dependencies? Can these be built deterministically?
1. Gramine enclave TCB
1.1 Replicability
- [x] Create a containerized build environment for gramine based on the official debian docker image
- [x] Build gramine within this image and export all the runtime dependencies (meson install --no-rebuild --destdir/ ...)
- [x] create two consecutive builds from scratch and compare the destdirs with diffoscope
- [x] try this on different hardware
Reproducible builds terminology: https://github.com/ethereum/go-ethereum/issues/18292#issuecomment-1155689987
Replicability (Different team, same experimental setup): The measurement can be obtained with stated precision by a different team using the same measurement procedure, the same measuring system, under the same operating conditions, in the same or a different location on multiple trials. For computational experiments, this means that an independent group can obtain the same result using the author's own artifacts.
Reproducibility (Different team, different experimental setup): The measurement can be obtained with stated precision by a different team, a different measuring system, in a different location on multiple trials. For computational experiments, this means that an independent group can obtain the same result using artifacts which they develop completely independently.
Upstream Issue: https://github.com/gramineproject/gramine/issues/153
Updates:
1.1 Replicability
- [x] Create a containerized build environment for gramine based on the official debian docker image
- [x] Build gramine within this image and export all the runtime dependencies (meson install --no-rebuild --destdir/ ...)
- [x] create two consecutive builds from scratch and compare the destdirs with diffoscope
- [ ] try this on different hardware
We have successfully built gramine twice and compared destdirs on the same machine.
The experiment was done in two parts:
- Same distro (ubuntu:20.04)
- Different distro (ubuntu:20.04, ubuntu:22.04)
It included running a bash script that builds a docker image containing different builds for gramine and checking it with diffoscope container.
File result can be found here.
Note:
The --exclude-directory-metadata flag is used to ignore timestamp diffs.
Next steps are to build gramine on different machines.
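A check for the comparison step described above, added here as an example and not taken from this issue or from the Gramine project: it hashes file contents and permission bits of two destdirs and ignores directory and file mtimes, which is the effect of diffoscope's --exclude-directory-metadata, while still flagging a build timestamp embedded inside a file. The fake destdir layout, file names and timestamps are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def tree_digest(root):
    """Map each file under root to (sha256 of contents, permission bits).
    mtimes are deliberately left out, which is what
    diffoscope --exclude-directory-metadata achieves for the real check."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                content = os.readlink(path).encode()  # compare the link target
            else:
                with open(path, "rb") as fh:
                    content = fh.read()
            digest = hashlib.sha256(content).hexdigest()
            out[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return out


def compare_destdirs(a, b):
    """Sorted relative paths present in only one tree or differing in content/mode."""
    da, db = tree_digest(a), tree_digest(b)
    return sorted(p for p in set(da) | set(db) if da.get(p) != db.get(p))


def make_fake_destdir(stamp):
    """Constructed stand-in for a `meson install --destdir` tree (paths and names
    are made up): one byte-identical library plus a file embedding a build
    timestamp, the kind of difference the diffoscope flag does not hide."""
    libdir = os.path.join(tempfile.mkdtemp(), "lib", "gramine")
    os.makedirs(libdir)
    with open(os.path.join(libdir, "libpal.so"), "wb") as fh:
        fh.write(b"\x7fELF identical bytes in both builds")
    os.chmod(os.path.join(libdir, "libpal.so"), 0o755)
    with open(os.path.join(libdir, "build-info.txt"), "w") as fh:
        fh.write(f"built at {stamp}\n")
    return os.path.dirname(os.path.dirname(libdir))


def demo(stamp_a, stamp_b):
    """Two 'builds' in fresh directories (so their mtimes differ): only a
    content-level difference is reported, e.g. ['lib/gramine/build-info.txt']."""
    return compare_destdirs(make_fake_destdir(stamp_a), make_fake_destdir(stamp_b))
```

The second case shows why ignoring directory metadata is not enough on its own: a timestamp written into an installed file still breaks bit-for-bit reproducibility and has to be removed at build time.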
@lonerapier For the next step you could split the Dockerfile in such a way that gramine is built only one time on Machine A, then you copy the resulting image to Machine B, and there you use the copied image as source image to complete the rest of the execution of the Dockerfile, i.e. build Gramine another time and diffoscope the result.
Next tasks:
- [ ] present your findings in the gramine ticket https://github.com/gramineproject/gramine/issues/153
- [ ] ask for details about the setup and config of the builder machine responsible for the published binaries - possibly some info can be found in https://github.com/gramineproject/gramine/tree/master/.ci and https://github.com/gramineproject/gramine/tree/master/.github