Open pchickey opened 6 months ago
Hi Pat,
thanks for bringing this up to us. We are currently working towards getting the whole story around EIF creation into better shape, with a focus on better documentation and reproducibility of the binaries we provide as part of the nitro-cli.
The point you are making is very valid and we will have a closer look at this.
In the meantime I am wondering if this field in particular should be that concerning. The metadata section is not part of the computation of any of the measurements (PCR values) for an image file. You should be able to verify the identity of the functional components of the EIF (kernel binary, kernel cmdline, ramdisk) through PCRs 0-2 and the signing certificate through PCR8.
The metadata section is there to identify specific build environments an image was built from. On the other hand I understand that if two builds are functionally identical there is no real value in having the build time and CRC be the only difference.
Thanks, I had not understood that the measurements for the image were of just certain sections. In that case, this build reproducibility issue is only a concern for our build system and not attestation. We currently work around this problem with checks that check the image contents haven't changed by other means than the eif file staying the same, but it would be great to not have to maintain that whole extra set of checks.
@pchickey We've recently open sourced a nix-based EIF builder which might be of interest to you: https://github.com/monzo/aws-nitro-util
I am working on a project that builds an eif image, by way of the `nitro-cli build-enclave` CLI tool. I have determined that the reason our eif image build is not reproducible is that this crate sets the `build_time` field in `EifBuildInfo` to `UTC::now` on each execution: https://github.com/aws/aws-nitro-enclaves-image-format/blob/main/src/utils/identity.rs#L21 . We want to have a reproducible build for our eif image because that is an important step in attestation that our system is running the desired code.
Can you please provide some mechanism for overriding the value in this field, or leaving this build_time field out of the created eif binary? This could be as simple as checking for e.g. an `EIF_BUILD_TIME_OVERRIDE` environment variable and using that value instead, or any number of other mechanisms.
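An added example, not part of the issue and not code from the aws-nitro-enclaves-image-format crate: one way the override requested above could behave, in std-only Rust. The variable name is the one suggested in the issue; the epoch-seconds encoding, the RFC 3339 output and the function names `resolve_build_epoch` and `rfc3339_utc` are assumptions.

```rust
use std::env;
use std::time::{SystemTime, UNIX_EPOCH};

/// Variable name from the suggestion in the issue; its value format
/// (seconds since the Unix epoch) is an assumption of this example.
const OVERRIDE_VAR: &str = "EIF_BUILD_TIME_OVERRIDE";

/// Choose the build timestamp. A set-but-invalid override is an error rather
/// than a silent fallback to the clock, which would quietly make the build
/// non-reproducible again.
fn resolve_build_epoch(override_value: Option<&str>, now_epoch: u64) -> Result<u64, String> {
    match override_value {
        None => Ok(now_epoch),
        Some(raw) => raw.trim().parse::<u64>().map_err(|e| {
            format!("{}={:?} is not epoch seconds: {}", OVERRIDE_VAR, raw, e)
        }),
    }
}

/// Render epoch seconds as an RFC 3339 UTC string without external crates
/// (days-to-civil-date conversion, valid for any date from 1970 onwards).
fn rfc3339_utc(epoch: u64) -> String {
    let (days, rem) = ((epoch / 86_400) as i64, epoch % 86_400);
    let z = days + 719_468; // shift so the era starts on 0000-03-01
    let era = z / 146_097; // 400-year cycles
    let doe = z - era * 146_097; // day of era
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100); // day of year, from 1 March
    let mp = (5 * doy + 2) / 153; // month index, from March
    let day = doy - (153 * mp + 2) / 5 + 1;
    let month = if mp < 10 { mp + 3 } else { mp - 9 };
    let year = yoe + era * 400 + if month <= 2 { 1 } else { 0 };
    format!("{:04}-{:02}-{:02}T{:02}:{:02}:{:02}+00:00",
            year, month, day, rem / 3600, rem % 3600 / 60, rem % 60)
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH)
        .expect("system clock is before 1970").as_secs();
    let raw = env::var(OVERRIDE_VAR).ok();
    match resolve_build_epoch(raw.as_deref(), now) {
        Ok(t) => println!("build_time = {}", rfc3339_utc(t)),
        Err(e) => { eprintln!("{}", e); std::process::exit(1); }
    }
}
```

With the variable pinned to a fixed value in the build environment, repeated runs produce the same timestamp string, so the metadata no longer differs between otherwise identical builds.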