Open blenessy opened 1 week ago
Hi @blenessy,
Thanks for the suggestion, I'm pretty happy that you're taking Contrast for a spin and considering contributions!
I fear that a reduction in binary size does not necessarily imply a reduction in TCB. Even if you compile a small `verify` binary and use it to get the Coordinator attestation doc and manifest, you still need to verify them. Things that come to mind:
- `TrustedMeasurement` hash.
- `generate` or from somebody else's, but either way `generate` is now part of your TCB.

At the end of the day, the TCB is the transitive closure of all Contrast components and their dependencies. If the goal is to reduce the TCB, we should imho start by reducing dependencies overall.
That being said, I can imagine situations where a smaller `verify` binary would be useful, even if the total TCB is unaffected. Built with the correct reference values and somehow equipped with a manifest through a side-channel, this could make verification feasible even on very constrained systems.
On the other hand, we still want to support the `verify` subcommand in the main binary, and we're not really eager to maintain this functionality in two binaries. However, if this is useful to you and you see a low effort way to add and maintain that second binary, I'd be open to adding it to a contrib folder, for example.
There are three main contributors as far as I'm aware of (see table below):
- the `genpolicy` tool

These are all used by `contrast generate`, so we can't avoid packaging these with the CLI.
Cheers, Markus
Thanks for the quick and very insightful response @burgerdev !
As you suspected, I was under the assumption that `contrast verify` + the evidence downloaded (by `contrast verify`) to the `./verify` directory is relatively easy to process. But it does sound like it is not as straightforward as I anticipated :).
I will definitely start by exploring your concerns more in depth before moving forward with this.
contrast v0.7.0 is very big, ~60 MB in size with DWARF and symbols removed.

I've tested breaking out the `verify` subcommand from the `contrast` CLI into its own binary (called `verify`). The size of `verify` is 9.7 MB. I analysed the contents of this binary with GSA. I attached the HTML report so you can see for yourselves. Spoiler: the bigger code chunk is related to the gRPC protocol.

Do you guys think this is a good idea to do this (breaking out `verify`)? Would you accept a PR with a separated `verify` binary? (FWIW, I would put in more effort to further minimise the TCB of `verify` after the separation - I'm hoping to bring the size down to 4-5 MB.)

verify.html.gz