[Question] Reproducible builds #153
@lead4good You are absolutely correct. Ideally, we want a reproducible build of all parts of the SGX enclave, including the Gramine binaries themselves. @mkow @boryspoplawski @woju have more thoughts on this. Could you remind me what the current state is and whether we have plans to have reproducible builds of Gramine soon-ish? |
We plan to have reproducible builds, but the priority of this is uncertain yet. I'd like to have that for the next release, but we'll see. Also, contributions are welcome, if you have time to help :) |
What is important in reproducible builds is the definition of the expected build environment (with supported variability) and thorough testing thereof. No one is working on this at the moment.
The best thing you can do at the moment is to use the official packages. They won't change a bit.
|
Yup, we'll definitely keep it open as we plan to introduce reproducible builds at some point ;) |
First step would be to build Gramine on a few different machines / OSes (but with the same compiler version) and find all the moving parts (e.g. timestamps embedded in some binary files). Then we'd need to fix them and also document the exact reproduction steps. We could also use some tool @woju mentioned which works à la CI and can periodically check reproducibility. |
@woju might be referring to tools listed here: https://reproducible-builds.org/tools/ |
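A minimal sketch of that first step, assuming two independently produced build trees of the same commit (directory names here are placeholders, not part of the Gramine repo):

```bash
#!/usr/bin/env bash
# Compare two independently built Gramine trees bit-for-bit.
# build-a/ and build-b/ are hypothetical output directories.
set -euo pipefail

# Quick check: per-file checksums must match exactly.
(cd build-a && find . -type f -exec sha256sum {} + | sort -k2) > a.sums
(cd build-b && find . -type f -exec sha256sum {} + | sort -k2) > b.sums
diff -u a.sums b.sums && echo "builds are bit-identical"

# For any mismatch, diffoscope (one of the reproducible-builds.org tools)
# explains what differs inside ELFs/archives: timestamps, build paths, etc.
diffoscope build-a build-b || true
```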
We were able to build Gramine on two machines with different CPU architectures and found no diffs between the builds. The diffing bash script and Dockerfiles can be found here. For the next steps, we are planning to diff against Gramine's officially released binaries. Could you share the details of the machine used to build the official binaries and the process to build them? Are these built using CI scripts or in some other way? |
@lonerapier Thanks for these interesting experiments!
@woju should be able to provide these details.
The source code for the builds is found in our Gramine repo:
We run the CI on every commit/PR in Gramine, automatically building these packages (for testing):
|
Here's a […]. Please share yours, I'd be happy to compare :) |
Thanks for the help. We built Gramine manually in an […]. Can't figure out what could have induced the changes in the binary, as all the steps followed were the same as mentioned in the scripts, except the […]. All the diffs along with the Dockerfile, buildinfo and other files can be found here. |
@lead4good: One difference I can see is that one […].
Most of the other diffs may be a result of exactly this difference, because they are (all?) just shifted offsets.
Or rather […] |
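One way to check the shifted-offsets hypothesis is to compare the ELF section headers of the two builds first; if a single section changed size, every later offset moves with it. A sketch, with placeholder file names:

```bash
# Compare ELF section sizes/offsets between the two builds (paths are placeholders).
diff <(readelf -S -W build-a/libpal.so) <(readelf -S -W build-b/libpal.so)
```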
Just in case this can help: https://medium.com/nttlabs/bit-for-bit-reproducible-builds-with-dockerfile-7cc2b9faed9f. My understanding was that bit-for-bit reproducible builds with docker were not even possible. The above link shows that it now is possible, with docker BuildKit v0.11, but nevertheless mentions that: […]
As an aside, up until now, we have used nix instead of docker for bit-for-bit reproducible builds, e.g.: sgx-sdk |
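For reference, the gist of that article is that BuildKit ≥ 0.11 understands the SOURCE_DATE_EPOCH build argument, which clamps timestamps in the image metadata. A rough, hedged sketch (not Gramine-specific):

```bash
# Pin "now" to the last commit time so image metadata timestamps are deterministic.
export SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"

# BuildKit >= 0.11 picks SOURCE_DATE_EPOCH up as a build argument.
docker buildx build \
  --build-arg SOURCE_DATE_EPOCH \
  --output type=oci,dest=image.tar \
  .
```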
Thanks @sbellem for chiming in and providing your insight. I think it is important to clarify that we're not trying to reproduce the container image itself, but the actual Gramine binaries. For this, docker is perfectly fine and we don't need to care about timestamps and other issues that stem from creating reproducible OCI images. I've thought about how to pin the installed packages to a specific version and I think […]. However, it would be a more sensible approach if the Gramine devs could agree to use a nix environment for their binary releases. |
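On the package-pinning point, one common approach (sketched here with placeholder package versions, not the ones Gramine actually requires) is to install exact apt versions inside the build container:

```bash
# See which versions are available for a build dependency...
apt-cache madison meson

# ...then install exact, pinned versions so the build inputs cannot drift.
apt-get update
apt-get install -y --no-install-recommends \
    meson=0.61.2-1 \
    ninja-build=1.10.1-1
```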
@lead4good Cool, you're welcome!
Ah yes, that was also my assumption. My understanding was that with docker, the management of dependencies was tricky, such that pinning the entire dependency graph was cumbersome if at all possible. But when I was looking into this more closely I concluded that nix was better suited. If I find the time I will try building gramine with nix. |
It might be easier, but it's not sensible and we won't agree. Nix (the pkg manager) is a half-solution to reproducibility, like Docker; that is, we don't want to rely on special environments to achieve some form of reproducibility, because what about people who don't want to or can't use those special environments (for example because they're packaging for another distro)? The problems with reproducibility should be fixed where they are, i.e. in the source and/or in the buildsystem, for the benefit of all people who are building Gramine. IOW, it should be possible to use just our buildsystem to achieve reproducibility in any reasonable environment where you can pull specific versions of dependencies. This is also an issue of trust: you'd need to trust a set of nix packages on top of the packages provided by the distribution (assuming you're not using NixOS, where they're the same). It should be possible to use packages only from the (supported) distro, because we strive to minimise the TCB. That said, nothing prevents you from doing reproducible builds of Gramine in nix. But that won't be the project's strategy. |
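To illustrate the "fix it in the buildsystem" idea: the usual reproducible-builds convention is that the build honours SOURCE_DATE_EPOCH wherever a timestamp would otherwise leak in, so any environment with the right dependency versions can reproduce the result using nothing but the normal build steps. A sketch, assuming Gramine's regular meson/ninja flow:

```bash
# Pin the notion of "now" to the commit being built.
export SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"

# Plain buildsystem invocation; no special environment required.
meson setup build --buildtype=release
ninja -C build
# Two such builds on different machines should produce identical artifacts,
# provided the toolchain versions match.
```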
Thanks @mkow for looking into the diffs. My guess is this is mostly due to dependency version changes.
Best is to pin the dependencies to the older ones, as mentioned in the […]. I also wanted to compare with a more recent package, can you point me to one? |
You mean […]?
I did not know that reproducible builds could be achieved with […]. In any case, I did start working on building Gramine with nix, just for the fun of it. If anyone is interested, feel free to reach out. |
I mean meson and everything that we put in […]. "Reproducible builds" is not something that you can "achieve" by just applying a tool. It's a state of the project that needs to be kept. It's something similar to the statement that "the project can always be compiled" (== whichever commit from the master branch you pick, it's buildable). For example, consider […]. Depending on the specific reproducibility subproblem, there may be a simple tool that fixes it (like dh_strip_nondeterminism), it might be enough to flip some switch, or you might need to rethink your whole approach. It varies. |
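As a hedged illustration of the "simple tool" end of that spectrum: strip-nondeterminism, the standalone tool behind dh_strip_nondeterminism, can normalise timestamps embedded in archives after the build, while other subproblems need source or buildsystem changes:

```bash
# Static libraries (.a) embed per-member timestamps; normalise them post-build.
export SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
find build -name '*.a' -exec strip-nondeterminism --timestamp "$SOURCE_DATE_EPOCH" {} +
```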
@mkow @woju, can you help me get a more recent package from CI / your machine, so that I can compare against all the recent dependencies? Also, how should I identify the specific dependencies that are required for […]? Please correct me if I am wrong somewhere. |
I'll leave answering this to @woju ;) |
They're listed in […] (Line 133 in 3c5272f).
Also, you need to consider the toolchain, which of course also affects the binary result, but it's not explicitly listed there.
You generally do not. Compiler and linker probably need an exact version, but for usual dependencies there can be some range of versions that would result in identical ELFs. WRT recent debs, we can think of something. |
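One low-tech way to capture the toolchain side (a sketch; the file name is arbitrary) is to record the exact compiler/linker/build-tool versions next to the artifacts, so a third party can match them:

```bash
# Record the toolchain alongside the build outputs.
{
  gcc --version | head -n1
  ld --version | head -n1
  meson --version
  ninja --version
} > toolchain.buildinfo
```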
Hi, I'm wondering what the status of providing reproducible builds for Gramine is. Thanks! |
I believe no specific actions have been taken towards verifying that Gramine builds reproducibly. Gramine should satisfy the reproducible-builds property, but we don't have e.g. a CI pipeline that would verify this property for every commit of Gramine (at least not yet). |
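A sketch of what such a CI check could look like, assuming the build is already deterministic (directory names are made up for illustration):

```bash
#!/usr/bin/env bash
# Hypothetical CI step: build the same commit twice and fail on any diff
# between the installed artifacts.
set -euo pipefail
export SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"

for i in 1 2; do
  meson setup "build-$i" --buildtype=release --prefix=/usr
  ninja -C "build-$i"
  DESTDIR="$PWD/stage-$i" ninja -C "build-$i" install
done

diff -r stage-1 stage-2 && echo "reproducible" || { echo "NOT reproducible"; exit 1; }
```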
One use case for Gramine could be an open-source application where, by knowing the MRENCLAVE and having all of the enclave's source and configuration files, a third party would be able to rebuild the enclave and arrive at the same MRENCLAVE. Imagine e.g. a blockchain oracle running as an SGX enclave. Such an application could only be trusted by a third party if that party could reproducibly build the enclave.
Releasing prebuilt binaries signed by the project authors is already a good step towards that goal. Still, it would be interesting to know whether there are plans to make building Gramine completely reproducible.
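For the oracle use case described in this issue, verification by a third party would look roughly like this (a sketch; manifest and file names are placeholders, and the exact gramine-sgx-sign options may differ between releases):

```bash
# Rebuild the enclave from source, re-sign with a local throwaway key, and
# check that the resulting MRENCLAVE matches the published one. MRENCLAVE
# does not depend on the signing key, so a local key is fine for verification.
gramine-sgx-gen-private-key
gramine-sgx-sign --manifest oracle.manifest --output oracle.manifest.sgx

# Print the measurement from the generated SIGSTRUCT and compare it with the
# MRENCLAVE value the running oracle attests to.
gramine-sgx-sigstruct-view oracle.sig | grep -i mr_enclave
```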