WORK IN PROGRESS -- Don't trust!

auditee is a tool to help verifying the reproducibility of Intel SGX enclave builds. This can be helpful to assess if a given signed enclave build and/or remote attestation report correspond to some source code.

Although currently focused on Intel SGX, some concepts may be applicable to other trusted execution environments (TEEs).

In order to use all the functionalities that auditee can provide, the Intel SGX SDK must be installed. If you don't want to bother with, the easiest is to clone the repo and use the provided Dockerfile and docker-compose.yml. The examples assume this setup for now. See below for an alternative installation, without docker, in which the Intel SGX SDK is installed.

Clone the GitHub repository:

git clone --recurse-submodules https://github.com/initc3/auditee.git

Note the --recurse-submodules option to initialize the git submodules used in the examples.

IMPORTANT: The Intel SGX SDK version 2.14 must be installed.

Create a virtual environment, e.g.:

python3.9 -m venv ~/.venvs/auditee

Enter the Wu-Tang (36 Chambers) aka virtual environment:

source ~/.venvs/auditee/bin/activate

Install auditee from GitHub:

pip install git+https://github.com/initc3/auditee.git

To install the SGX SDK, see https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-linux-2.14-release.

Here's an example for installing the SDK on Ubuntu 20.04, under $HOME:

wget -O sdk.bin https://download.01.org/intel-sgx/sgx-linux/2.14/ubuntu20.04-server/sgx_linux_x64_sdk_2.14.100.2.bin --progress=dot:giga echo d0626ffb36c2e20c589d954fb968fded24ce51529b8b61a42febb312fd9debfc sdk.bin" | sha256sum --strict --check - chmod +x sdk.bin ./sdk.bin --prefix=~/ echo 'source ~/sgxsdk/environment' >> ~/.bashrc

See the examples documented under https://auditee.readthedocs.io/en/latest/examples.html for an in-depth look into how auditee can be used.

Documentation of the main interfaces is at https://auditee.readthedocs.io/en/latest/tool.html.

There's also simple command-line, still under development that can be used, e.g.:

auditee mrenclave --help usage: auditee mrenclave [-h]  [--signed-binary SIGNED_BINARY | --src SRC | --ias-response IAS_RESPONSE | --quote-binary QUOTE_BINARY] Compute the MRENCLAVE of an enclave. optional arguments:  -h, --help show this help message and exit  --signed-binary SIGNED_BINARY  signed enclave binary  --src SRC enclave source code (local file path or git repository URL)  --ias-response IAS_RESPONSE  --quote-binary QUOTE_BINARY examples:  Compute the MRENCLAVE from a signed enclave binary:  $ auditee mrenclave --signed-binary enclave.signed.so  Compute the MRENCLAVE from local source code:  $ auditee mrenclave --src sgx-iot/  Compute the MRENCLAVE from source code of a remote git repository:  $ auditee mrenclave --src https://github.com/sbellem/sgx-iot  Specify a branch or a commit:  $ auditee mrenclave --src https://github.com/sbellem/sgx-iot@dev  $ auditee mrenclave --src https://github.com/sbellem/sgx-iot@313fb50  Compute the MRENCLAVE from an IAS verification report:  $ auditee mrenclave --ias-response ias_response.json

Contributions are welcome! We use the Fork and pull model to collaborate.

Feel free to ask questions on gitter at https://gitter.im/auditee/community.