Lack of EIF specification

[GrosQuildu]

Hello. Is there a more formal specification for the EIF than the code in this repository? There are a few ambiguities with the format, e.g.:

1. Can you have multiple EifSectionCmdline or EifSectionKernel sections in an EIF?
   • code in this repo accepts such EIFs, but the real Nitro Hypervisor seems to not boot from them
2. Are sections offsets taken from the EifHeader.section_offsets array or the layout is fixed?
   • code in this repo assumes a fixed layout, but if that's the case then why EifHeader.section_offsets is needed?
   • how are PCRs and CRC32 computed: same as in EifReader.from_eif function or following the section_offsets table?
3. Is a truncated (corrupted) CPIO archive allowed as a customer app ramdisk?
   • seems that such CPIOs are accepted by Hypervisor
4. What is the reason for having section sizes repeated in two places: in EifHeader.section_sizes and in each section header EifSectionHeader.section_size?
5. For what are the flags fields in headers used for?
   • Seems that the main header's flags are only for arch, and sections' headers are not used?
6. The EifSectionSignature section is a vector of (certificate, signature) tuples, where signature is computed over PCR's index, PCR's value.
   • Why the section holds a vector instead of just the tuple? Only the first tuple from the vector seems to be used for anything.
   • Can you store signature for PCR other than PCR-0 if the section (as the index is signed along the value)? Will such EIF be accepted by the Hypervisor?

Having a specification for EIF, or even a code that actually validates and parses them in Nitro Hypervisor, would be nice to have.

[foersleo]

Hi, sorry it took us so long to respond here. You are right, the lack of documentation around EIF is unfortunate and does not help with usability of enclaves. I am working towards getting a spec for EIF assembled and documented appropriately in this repository.

Once we have that we will ensure that the tooling in this repo is in accordance with that specification to ensure less confusion around this topic caused by lacking documentation.

To answer some of the questions (as you have already speculated given your experiments) before formalizing it into a spec:

• EIF needs exactly one Kernel section
• EIF needs exactly one Cmdline section
• Offsets are taken from the section_offsets array. The layout is not strictly fixed, but there is some constraints (more on that once the spec is ready)
• sizes in EifHeader and EifSectionHeader must match

For the other question I have to let you wait a little bit more, as I am working through this and get the format documented.

[foersleo]

It took quite a while to get this all assembled - Thank you for your patience!. Please let us know which questions remain and where we can do better documenting how this all works.

[agraf]

Documentation is merged 😄