USE_OPT_LIBS=0 "Please run download_prebuilt.sh"

[omartijn]

Trying to built without downloading prebuild headers fails. USE_OPT_LIBS=0 does not make any difference.

• Debian Stretch
• Clang 6.0
• 4.9.0-8

[lzha101]

Yes. Running "download_prebuilt.sh" is a prerequisite to build SGX SDK and PSW just as the README.md mentions. So please run this script first and then start your build.
USE_OPT_LIBS=0 would switch your SGX SDK to non-optimized string/math/IPP crypto version. This is the difference.

[omartijn]

I just find it strange - isn't it supposed to be open-source? Why would I need to download prebuilt libraries?

[andyzyb]

The pre-built binaries includes some optimized math/string libraries and Intel Enclaves. Optimized math/string libraries are not open sourced, but we provide a non-optimized version in the repo. Intel Enclaves need to be signed by Intel, it cannot be signed during build process so we provide the pre-built version for download and source code in the repo.

[omartijn]

Ah, that makes some sense, it'd be nice to have this explained in the README, though.

Would it be possible to have a signed, non-optimized, prebuilt version available? We can then check the source, compile it, and then verify whether the signature matches. This way, we could verify that the prebuilt binaries match the actual source code.

[andyzyb]

This is not in the plan at this point. Currently we only provide what will be ended up in the product, apparently non-optimized version is not recommended in product.

[omartijn]

OK, so the project is not open source then. We must include closed-source components. Noted, thanks!

[thiagomacieira]

Please provide a way to build without downloading non-OSS components.

[deeglaze]

I must agree that any trusted binary must be reproducible from source that is open for inspection.

[lzha101]

Thanks for the advice. There is no way temporarily to build without downloading non-OSS components, as the SgxSSL based SDK build also depends on the IPP crypto header files. We will try to improve it as well as the reproducibility in future release.

[omartijn]

Has any progress been made on this? I'm still really interested in trying out SGX, but our security policies prevent this since it's not open source.

[andyzyb]

We are working on using Open Source IPP, but it will take some time to get it ready to publish.

[sbellem]

Hi,
I am new to this issue and wonder whether the concerns regarding reproducible open source software expressed by @omartijn, @thiagomacieira, and @deeglaze are addressed in https://github.com/intel/linux-sgx/tree/master/linux/reproducibility.
Thanks.

[thiagomacieira]

It might, but that's not what I was asking for. I don't care about reproducing the binaries made by someone else. I just want to build from source from all-open-source components.

[sbellem]

I think that what cannot be built from source are the enclaves signed by Intel. One can build the same enclaves, but unsigned, and then signed them with one's own private key and verify the associated metadata against the metadata of Intel's signed enclaves.

I think it would be useful to have documentation clarifying what is closed source, and why. Also what can be done with the strictly open source components.

[sbellem]

Hi @lzha101 and @andyzyb, could you please provide us with some update on the following two comments:

#363 (comment)

Thanks for the advice. There is no way temporarily to build without downloading non-OSS components, as the SgxSSL based SDK build also depends on the IPP crypto header files. We will try to improve it as well as the reproducibility in future release.

#363 (comment)

We are working on using Open Source IPP, but it will take some time to get it ready to publish.

From what I understand it is now possible to build the ipp binaries, as one can reproduce them (e.g.:

linux-sgx/linux/reproducibility/start_build.sh.tmp

Lines 75 to 86 in 33f4499

	build_ipp()
	{
	local ipp_out="$build_out/ipp"
	pushd .
	cd $sgx_repo/external/ippcp_internal/
	make clean; make
	make clean; make MITIGATION-CVE-2020-0551=LOAD
	make clean; make MITIGATION-CVE-2020-0551=CF
	mkdir -p "$ipp_out"
	cp -r $sgx_repo/external/ippcp_internal/lib/linux/intel64/* "$ipp_out"
	popd
	}

).

If one can indeed produce the binaries, then it seems to me that the current Makefile could be updated accordingly. Could then one build the SDK (with sgxssl or ipp) from fully open source code? Are the prebuilt signed AEs only for the PSW, or are they needed for the SDK? Clarifying such details would be helpful!

[lzha101]

We are still providing the prebuilt IPP library but users could reproduce this prebuilt library. The main reason is that IPP crypto has the requirement for the build toolchain version, while not all the official supported OSes for SGX meet this requirement.
https://github.com/intel/ipp-crypto/blob/develop/BUILD.md#linux-os
If you don't want the prebuilt IPP library, you can firstly build the IPP crypto from OpenSource under external/ippcp_internal folder and then go to the top folder to build SGX.

The prebuilt signed AEs are part of the PSW, not needed for the SDK.

[sbellem]

If you don't want the prebuilt IPP library, you can firstly build the IPP crypto from OpenSource under external/ippcp_internal folder and then go to the top folder to build SGX.

This does not work as of now due to the missing header file sgx_ippcp.h. See issue #719.