foersleo
commented
2 months ago Hi Pat,
thanks for bringing this up to us. We are currently working towards getting the whole story around EIF creation into better shape, with focusing on better documentation and reproducibility of the binaries we provide as part of the nitro-cli.
The point you are making is very valid and we will have a closer look at this.
In the meantime I am wondering if this field in particular should be that concerning. The metadata section is not part of the computation of any of the measurements (PCR values) for an image file. You should be able to verify the identity of the functional components of the EIF (kernel binary, kernel cmdline, ramdisk) through PCRs 0-2 and the signing certificate through PCR8.
The metadata section is there to identify specific build environments an image was build from. On the other hand I understand that if two builds are functionally identical there is no real value in having the build time and CRC be the only difference.
pchickey
dinofizz
I am working on a project that builds an eif image, by way of the
nitro-cli build-enclaveCLI tool. I have determined that the reason our eif image build is not reproducible is that this crate sets thebuild_timefield inEifBuildInfotoUTC::nowon each execution: https://github.com/aws/aws-nitro-enclaves-image-format/blob/main/src/utils/identity.rs#L21 . We want to have a reproducible build for our eif image because that is an important step in attestation that our system is running the desired code.Can you please provide some mechanism for overriding the value in this field, or leaving this build_time field out of the created eif binary? This could be as simple as checking for e.g. a
EIF_BUILD_TIME_OVERRIDEenvironment variable and using that value instead, or any number of other mechanisms.