Gramine Reproducible Builds

[fnerdman]

Gramine Reproducible Builds

• [ ] 1. Can the TCB (trusted computing base) of a Gramine enclave be built deterministically?
• [ ] 2. What are Gramines build dependencies? Can these be built deterministically?

1. Gramine enclave TCB

1.1 Replicability

• [x] Create a containerized build environment for gramine based on the official debian docker image
• [x] Build gramine within this image and export all the runtime dependencies (meson install --no-rebuild --destdir/ ...)
• [x] create two consecutive builds from scratch and compare the destdirs with diffoscope
• [x] try this on different hardware

Reproducible builds terminology: https://github.com/ethereum/go-ethereum/issues/18292#issuecomment-1155689987

Replicability (Different team, same experimental setup): The measurement can be obtained with stated precision by a different team using the same measurement procedure, the same measuring system, under the same operating conditions, in the same or a different location on multiple trials. For computational experiments, this means that an independent group can obtain the same result using the author's own artifacts.

Reproducibility (Different team, different experimental setup): The measurement can be obtained with stated precision by a different team, a different measuring system, in a different location on multiple trials. For computational experiments, this means that an independent group can obtain the same result using artifacts which they develop completely independently.

Upstream Issue: https://github.com/gramineproject/gramine/issues/153

[lonerapier]

Updates:

1.1 Replicability

• [x] Create a containerized build environment for gramine based on the official debian docker image
• [x] Build gramine within this image and export all the runtime dependencies (meson install --no-rebuild --destdir/ ...)
• [x] create two consecutive builds from scratch and compare the destdirs with diffoscope
• [ ] try this on different hardware

We have successfully built gramine twice and compared destdirs on same machine.

The experiment was done in two parts:

1. Same distro (ubuntu:20.04)
2. Different distro (ubuntu:20.04, ubuntu:22.04)

It included running a bash script that builds a docker image containing different builds for gramine and checking it with diffoscope container.

File result can be found here.

Note: --exclude-directory-metadata flag is used to ignore timestamp diffs.

Next steps are to build gramine on different machines.

[fnerdman]

@lonerapier For the next step you could split the dockerfile in such way that gramine is built only one time on Machine A, then you copy the resulting image to Machine B, and there you use the copied image as Source image to complete the rest of the execution of the Dockerfile, i.e. build Gramine another time and diffoscope the result.

[fnerdman]

Next tasks:

• [ ] present your findings in the gramine ticket https://github.com/gramineproject/gramine/issues/153
• [ ] ask for details about the set up and config of the builder machine responsible for the published binaries - possibly some info can be found in https://github.com/gramineproject/gramine/tree/master/.ci and https://github.com/gramineproject/gramine/tree/master/.github