Closed GrosQuildu closed 2 months ago
Hi, sorry it took us so long to respond here. You are right, the lack of documentation around EIF is unfortunate and does not help with usability of enclaves. I am working towards getting a spec for EIF assembled and documented appropriately in this repository.
Once we have that we will ensure that the tooling in this repo is in accordance with that specification to ensure less confusion around this topic caused by lacking documentation.
To answer some of the questions (as you have already speculated given your experiments) before formalizing it into a spec:
EifHeader
and EifSectionHeader
must matchFor the other question I have to let you wait a little bit more, as I am working through this and get the format documented.
It took quite a while to get this all assembled - Thank you for your patience!. Please let us know which questions remain and where we can do better documenting how this all works.
Documentation is merged 😄
Hello. Is there a more formal specification for the EIF than the code in this repository? There are a few ambiguities with the format, e.g.:
EifSectionCmdline
orEifSectionKernel
sections in an EIF?EifHeader.section_offsets
array or the layout is fixed?EifHeader.section_offsets
is needed?EifReader.from_eif
function or following thesection_offsets
table?EifHeader.section_sizes
and in each section headerEifSectionHeader.section_size
?flags
fields in headers used for?arch
, and sections' headers are not used?EifSectionSignature
section is a vector of(certificate, signature)
tuples, where signature is computed overPCR's index, PCR's value
.Having a specification for EIF, or even a code that actually validates and parses them in Nitro Hypervisor, would be nice to have.