global19 / securevaluerecovery

This project forked from signalapp/securevaluerecovery

License: GNU Affero General Public License v3.0

Makefile 0.91% Python 2.52% Shell 0.11% Dockerfile 0.13% C 38.40% Rust 57.83% C++ 0.09%

Secure Value Recovery Service (Beta)

Building the SGX enclave (optional)

Building reproducibly with Docker

Prerequisites:

  • GNU Make
  • Docker (able to run debian image)

$ make -C <repository_root>/enclave

The default docker-install target will create a reproducible build environment image using enclave/docker/Dockerfile, build the enclave inside a container based on that image, and install the resulting enclave into service/kbupd/res/enclave/. The Dockerfile will download a stock dated-snapshot Debian Docker image. The Debian project builds its Docker images reproducibly, based on a snapshot of the Debian repos on the date of the build from the Debian Snapshot Project. Make will then be run inside the newly built Debian Docker image as in the Building with Debian section below.

NB: the installed enclave will be signed with the SGX debug flag enabled, using an automatically generated signing key. Due to Intel SGX licensing requirements, a debug enclave can currently only be run with SGX debugging enabled, which allows inspection of its encrypted memory and invalidates its security properties. To use an enclave in production, provide the Intel-whitelisted signing key as enclave/libkbupd_enclave.hardened.key before building. Alternatively, the generated enclave/build/libkbupd_enclave.hardened.signdata file can be signed and saved as enclave/build/libkbupd_enclave.sig, with the corresponding public key at enclave/libkbupd_enclave.pub, and the enclave signed using make sign install.
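The debug-versus-production distinction above can be checked on the bytes that get signed. The following is an added example, not code from this repository: it reads the DEBUG attribute, its mask bit and MRENCLAVE using the SIGSTRUCT field offsets from Intel's SDM. It assumes the input is either a full 1808-byte SIGSTRUCT or only its 256 signed bytes (header followed by body), which is what the .signdata file is assumed to contain; inspect_sigstruct and make_sample are hypothetical names.

```python
import struct

SGX_FLAGS_DEBUG = 0x2   # ATTRIBUTES.FLAGS bit 1
SIGSTRUCT_LEN = 1808    # full SIGSTRUCT
SIGNED_LEN = 256        # assumption: header (128 bytes) + body (128 bytes)
BODY_AT = {SIGSTRUCT_LEN: 900, SIGNED_LEN: 128}  # offset where the body starts


def inspect_sigstruct(blob: bytes) -> dict:
    """Report the DEBUG policy and MRENCLAVE encoded in SIGSTRUCT bytes."""
    if len(blob) not in BODY_AT:
        raise ValueError(f"unexpected length {len(blob)}")
    body = BODY_AT[len(blob)]
    # Body layout: MISCSELECT(4) MISCMASK(4) reserved(20)
    # ATTRIBUTES(16) ATTRIBUTEMASK(16) ENCLAVEHASH(32) ...
    flags, = struct.unpack_from("<Q", blob, body + 28)
    mask, = struct.unpack_from("<Q", blob, body + 44)
    debug_set = bool(flags & SGX_FLAGS_DEBUG)
    debug_enforced = bool(mask & SGX_FLAGS_DEBUG)
    return {
        "debug_set": debug_set,
        "debug_enforced": debug_enforced,
        # EINIT compares only the masked attribute bits, so a debug launch
        # is ruled out only when DEBUG is clear in ATTRIBUTES and set in
        # ATTRIBUTEMASK.
        "debug_launch_possible": debug_set or not debug_enforced,
        "mrenclave": blob[body + 60: body + 92].hex(),
    }


def make_sample(flags: int, mask: int) -> bytes:
    """Constructed 256-byte sample; not taken from a real enclave."""
    body = struct.pack("<II20sQQQQ32s", 0, 0, bytes(20),
                       flags, 0, mask, 0, bytes(range(32)))
    return bytes(128) + body.ljust(128, b"\0")


if __name__ == "__main__":
    all_bits = 0xFFFFFFFFFFFFFFFF
    # 0x4 is MODE64BIT; the first sample enforces DEBUG=0, the second does not.
    for name, mask in (("release-style", all_bits),
                       ("debug-capable", all_bits & ~SGX_FLAGS_DEBUG)):
        print(name, inspect_sigstruct(make_sample(0x4, mask)))
```

Running the check on the data before it is handed to the production signing key, and recording the reported MRENCLAVE next to the build's *.buildinfo, ties the signed measurement to a specific reproducible build.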

Building with Debian

Prerequisites:

  • GNU Make
  • cmake
  • ninja-build
  • gcc
  • ocaml-native-compilers
  • ocamlbuild
  • automake/autoconf/libtool/pkg-config
  • libssl-dev
  • libcurl4-openssl-dev
  • protobuf-compiler
  • libprotobuf-dev
  • llvm-dev
  • libclang-dev
  • clang
  • git
  • devscripts/debhelper/fakeroot
  • rust 1.37.0 toolchain from rustup
  • Intel SGX SDK v2.7.1 build dependencies

$ make -C <repository_root>/enclave debuild install

debuild is a Debian tool that builds Debian packages after sanitizing the environment and installing build dependencies. The primary advantage of using Debian packaging tools in this case is to leverage the Reproducible Builds project. While building a Debian package, debuild will record the names and versions of all detected build dependencies into a *.buildinfo file, for future reproducibility debugging.

The debuild target also builds the parts needed from the Intel SGX SDK v2.7.1 after cloning it from GitHub.

The install target copies the enclave to service/kbupd/res/enclave/, which should potentially be checked in to be used with the service.

The sign target may also be used as described in Building reproducibly with Docker to produce a release-mode enclave.

Building without Docker or Debian:

Prerequisites:

  • GNU Make
  • cmake
  • ninja-build
  • gcc
  • ocaml-native-compilers
  • ocamlbuild
  • automake/autoconf/libtool/pkg-config
  • libssl-dev
  • libcurl4-openssl-dev
  • protobuf-compiler
  • libprotobuf-dev
  • llvm-dev
  • libclang-dev
  • clang
  • git
  • rust 1.37.0 toolchain from rustup
  • Intel SGX SDK v2.7.1 build dependencies

$ make -C <repository_root>/enclave all install

The all target will probably fail to reproduce the same binary as above, but doesn't require Docker or Debian Linux.

The sign target may also be used as described in Building reproducibly with Docker to produce a release-mode enclave.

Building the service

Building with Docker

Prerequisites:

  • GNU Make
  • Docker (able to run ubuntu image)

$ make -C <repository_root>/service docker

Building without Docker

Prerequisites:

  • GNU Make
  • a C compiler
  • rust toolchain (i.e. rustc, cargo)
  • libsgx-enclave-common from source or prebuilt
  • libssl-dev (OpenSSL)
  • libseccomp-dev
  • pkg-config
  • protobuf-compiler
  • Intel SGX SDK headers (common/inc/sgx*.h) installed in a system include directory

$ make -C <repository_root>/service all

Running the service

Runtime requirements:

$ service/build/target/release/kbupd help

securevaluerecovery's People

Contributors

geogriff-signal
