Reproducible Builds with Oyster and Sui
This guide demonstrates how to build bit-by-bit reproducible enclave images using Marlin Oyster and verify them on-chain with Sui. We use a price oracle as a practical example - the enclave fetches prices from CoinGecko, signs them inside a hardware-isolated environment, and submits them to the Sui blockchain for on-chain verification.
Source code: github.com/marlinprotocol/sui-oyster-demo
What You'll Learn
- Create reproducible enclave builds using Nix
- Deploy and verify enclave images on Oyster
- Register enclave identity on-chain with Sui Move contracts
- Verify enclave attestations and signatures on the blockchain
Step 1: Prerequisites
This tutorial assumes Ubuntu 20.04+ or macOS. If you're on a different OS, commands may need modification.
Step 2: Architecture Overview
Data Flow
Step 3: Build, Deploy & Register Enclave
The enclave is the core component that fetches prices and signs them. You can use Rust, Node.js, or Python - pick based on your preference.
Step 4: Deploy Application Contract
Deploy the oracle contract that receives and verifies price feeds. The enclave registry is already deployed on-chain — when you publish the Demo package, it automatically links to the existing registry.
Step 5: Verify Enclave Integrity
Enclave verification involves two separate checks:
Step 6: Operate the Oracle
With the enclave deployed, registered, and the contract published, you can now start submitting price updates.
Troubleshooting
PCR values don't match after deployment