Open g2flyer opened 5 years ago
Some pointers to reproducible build (admittedly, collected a while ago, so not necessarily latest state-of-the-art and/or complete):
Best resource I know is https://reproducible-builds.org/. Debian seems most active in this community; they have a list with issues and potential solutions, and they claim they have most packages covered. However, Fedora, Chromium, Qubes, ... also have related efforts, but none has a complete set. The only tools I know which claim to have it are Bitcoin and Tor, afaik both based on Gitian (a virtualized system trying to normalize the environment, although it seems there are still quite a few limitations). If you are interested in related talks, there is one by a guy from Debian and a Bitcoin/Tor/Gitian related one.
Also potentially relevant is the in-toto work presented at UXSEC'19.
Given our multi-party settings, no single entity can be trusted to build the enclaves which are attested to. Assuming open source, the easiest approach is reproducible build. SGX SDK 2.6 has started to add support to build SDK and samples reproducibly based, see https://github.com/intel/linux-sgx/tree/master/linux/docker. Hopefully we will be able to leverage that to reproducibly build
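The multi-party argument above, as an added example that is not part of the original post or of any project it mentions: three parties package the same sources in different environments, and the attested digest is accepted only when every independent rebuild matches it. The source tree, party names and environments are constructed, and a SHA-256 over a tar archive stands in for an enclave measurement (an assumption; no SGX tooling is involved).

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents); not from any real project.
SOURCES = {
    "enclave/enclave.c": b"int ecall_add(int a, int b) { return a + b; }\n",
    "enclave/enclave.edl": b"enclave { trusted { public int ecall_add(int a, int b); }; };\n",
}

# Constructed build environments for three hypothetical parties.
BUILDERS = {
    "org-a": dict(mtime=1_600_000_000, owner="alice", order=list(SOURCES)),
    "org-b": dict(mtime=1_600_000_777, owner="bob", order=list(reversed(SOURCES))),
    "org-c": dict(mtime=1_600_009_999, owner="ci", order=list(SOURCES)),
}


def package(files, *, mtime, owner, order, normalize, epoch=0):
    """Pack files into a tar archive the way one builder would; return bytes.

    mtime, owner and order model that builder's environment. With
    normalize=True they are replaced by fixed values: sorted names, a pinned
    timestamp (the idea behind SOURCE_DATE_EPOCH) and no user names.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in (sorted(files) if normalize else order):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(files[name]), 0o644
            if normalize:
                info.mtime, info.uname, info.gname = epoch, "", ""
            else:
                info.mtime, info.uname, info.gname = mtime, owner, owner
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def rebuild_all(normalize):
    """Each party builds independently; return {party: sha256 of its artifact}."""
    return {who: hashlib.sha256(package(SOURCES, normalize=normalize, **env)).hexdigest()
            for who, env in BUILDERS.items()}


def parties_agree(digests, attested):
    """Accept the attested value only if every independent rebuild matches it."""
    return bool(digests) and all(d == attested for d in digests.values())
```

With `normalize=False` the three parties produce three different digests from identical sources, so no party can confirm another's artifact; with `normalize=True` all digests coincide and `parties_agree` succeeds.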