Skip to main content

Reproducible Builds

Remote attestations let you check what PCRs and by extension, the EIF that an enclave is running. But it does not tell you what specific code was used to derive the EIF, without which it is very hard to reason about the behaviour of the TEE. Enter reproducible builds, they give you a process by which anybody can reconstruct a bit-for-bit identical EIF from some given inputs.

Reproducible builds are therefore a crucial companion to remote attestations.

Benefits

Attestation verification

The most obvious benefit is mentioned above - letting you verify remote attestations against code. However, reproducible builds also provide a lot of other benefits as well.

Consistency

Reproducible builds ensure code mostly behaves the same across different environments and machines. It makes software consistent and eliminates an entire class of "works on my machine" style issues.

Resilience

Security tooling and researchers are easily able to reproduce the exact piece of software you are running, thereby increasing eyes on your code and its resilience to attacks.

Reproducibility in Oyster

The Oyster platform takes reproducibility very seriously. Its tool of choice is Nix, a popular tool for creating reproducible builds. In addition, it ships with a wide variety of official and community maintained packages for most common tools so you don't have to package them yourself. And that's not all, it also hosts a free public cache with a large number of packages so you don't have to build the universe from scratch yourself.

The oyster-monorepo contains a Nix flake at the root that can build almost everything in the monorepo reproducibly and can be used as a starting point for users interested in making their own artifacts reproducible. This includes enclave image files which are built using a custom Nix based build pipeline instead of the official nitro-cli tool provided by AWS. It also includes templates for users to build their own enclaves reproducibly, for example, the oyster-cvm cli tool uses the docker-enclave SDK to make its EIF reproducible.