automata-network/tee-compile

TEE Compile

About

In the current technological landscape there is a glaring absence of mechanisms to verify that an executable file was compiled from specific source code. This gap poses significant challenges for security, transparency, and trust, because there is no definitive way to prove the authenticity of compiled software.

To address this issue, we are introducing a method that standardizes the compilation process within an enclave environment. An enclave is a protected, isolated area of execution in which code runs with confidentiality and integrity, safeguarded from tampering and unauthorized access.

Architecture

(architecture diagram)

Usage

GitHub Runner

  1. Apply for a Nitro Enclave machine on AWS.
  2. Configure the GitHub runner:
    2.1. Settings → Actions → Runners → New self-hosted runner
    2.2. Follow the instructions to configure the GitHub runner.
  3. Download the Software Build Attestation Image.
  4. Download the Attestation Build Tool.

GitHub Action

Create build_attestation.yml under the project's .github/workflows directory (GitHub only discovers workflows in this directory):

name: Software Build Attestation

# Run the attested build every time a release is published
on:
  release:
    types: [published]

jobs:
  build:
    # write-all is broader than this job needs; the release step only
    # requires `contents: write`, which is the least-privilege setting
    permissions: write-all
    # Must run on the self-hosted runner installed on the Nitro Enclave machine
    runs-on: [self-hosted]
    steps:
    - name: Checkout
      uses: actions/checkout@v2
    - name: Build
      # Build inside the enclave image (.eif) and collect the outputs as release.tar
      run: |
        tee-compile build -output release.tar -nitro ~/ata-build-rust-latest.eif
    - name: Release
      # Attach the enclave-built artifact to the GitHub release
      uses: softprops/action-gh-release@v1
      with:
        files: release.tar

Create the build.json file in the project root. It names the language, the build and vendoring commands run inside the enclave, and the output files to collect:

{
	"language": "rust",
	"input": {
		"cmd": "./scripts/build.sh",
		"vendor": "./scripts/vendor.sh"
	},
	"output": {
		"files": [
			"target/release/binary"
		]
	}
}
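As an added example (not tee-compile's own code), the following Python validates a build.json of the shape shown above and fingerprints the declared output files with SHA-256, giving a reviewer a manifest to compare a local build against the enclave-built release.tar. The path-safety check and the manifest format are assumptions of this example, and the sample spec and file contents are constructed.

```python
"""Validate a build.json like the one in the README and fingerprint its outputs.

Added example, not part of tee-compile. Only the build.json shape shown in the
README (language, input.cmd, input.vendor, output.files) is taken from the page;
the path check and the {path: sha256} manifest are this example's own choices.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample matching the README's build.json (trailing comma removed:
# json.loads is strict and rejects it)
SAMPLE_SPEC = """{
  "language": "rust",
  "input": {"cmd": "./scripts/build.sh", "vendor": "./scripts/vendor.sh"},
  "output": {"files": ["target/release/binary"]}
}"""

def is_safe_output_path(f: str) -> bool:
    """Declared outputs must stay inside the checkout: no absolute paths, no '..'."""
    p = Path(f)
    return bool(f) and not p.is_absolute() and ".." not in p.parts

def load_build_spec(text: str) -> dict:
    """Parse build.json and reject a malformed or unsafe spec."""
    spec = json.loads(text)
    for key, typ in (("language", str), ("input", dict), ("output", dict)):
        if not isinstance(spec.get(key), typ):
            raise ValueError(f"build.json: missing or invalid '{key}'")
    for key in ("cmd", "vendor"):
        if not isinstance(spec["input"].get(key), str):
            raise ValueError(f"build.json: input.{key} must be a string")
    files = spec["output"].get("files")
    if not isinstance(files, list) or not files:
        raise ValueError("build.json: output.files must be a non-empty list")
    for f in files:
        if not isinstance(f, str) or not is_safe_output_path(f):
            raise ValueError(f"build.json: unsafe output path {f!r}")
    return spec

def digest_outputs(spec: dict, root: Path) -> dict:
    """Return {declared path: sha256 hex} for every output file under root."""
    manifest = {}
    for f in spec["output"]["files"]:
        path = root / f
        if not path.is_file():
            raise FileNotFoundError(f"declared output missing: {f}")
        manifest[f] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def demo() -> dict:
    """Build a constructed checkout with one output file and fingerprint it."""
    spec = load_build_spec(SAMPLE_SPEC)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "target" / "release").mkdir(parents=True)
        (root / "target" / "release" / "binary").write_bytes(b"hello")
        return digest_outputs(spec, root)
```

Run two builds (one local, one from the enclave) through `digest_outputs` and diff the manifests; any mismatch points at the exact output file that is not reproducible.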

Enclave Images

See also

Contributing

Before You Contribute:

  • Raise an Issue: If you find a bug or wish to suggest a feature, please open an issue first to discuss it. Detail the bug or feature so we understand your intention.
  • Pull Requests (PR): Before submitting a PR, ensure:
    • Your contribution successfully builds.
    • It includes tests, if applicable.

License

Apache