Conversation
Edited 1 year ago

Awesome talk on the importance of reproducible builds in measured boot / confidential computing environments by my colleagues @malte and @katexochen!

They talk about the (sad) reality of a fully open software stack and reproducible builds in practice, but also mention some positive examples and show how anyone can reproducibly build software (notably OS images) themselves.

Find the slides and VOD here: https://fosdem.org/2024/schedule/event/fosdem-2024-1769-reproducible-builds-for-confidential-computing-why-remote-attestation-is-worthless-without-it/


@moritz @malte @katexochen

Actually, the value of remote attestation and the price to pay for it are related to the control of the machines where you are running your software.

If you run software on your local hardware or in a controlled data center, then TPM2 by practical means does all you need for remote attestation.

Confidential computing becomes beneficial when you run in the cloud and need to attest that, while the deployment is out of your control, it still runs unmodified and does the expected computation.

One corner case example of this is Signal’s contact delivery, which is claimed to be sealed by Intel SGX. This is a false marketing claim because:

  1. Signal controls its own data centers, so 3rd parties are not a high risk.
  2. Signal source is unmodified by legal enforcement given AGPLv3.
  3. Signal does not deliver CPU attestation to the Signal app so that the app could verify it against the Intel CA. This should be done periodically.

This means that Signal can hold to AGPLv3, but they could still just emulate SGX opcodes and do nothing at all. So objectively we can conclude that Signal does fake marketing with SGX.

Remote attestation is worthless if:

  1. You don’t need it.
  2. You spend money on using the wrong type of attestation in the wrong place without proper risk analysis.

Confidential computing is literally broken because there are no developers. I still use a NUC7 from 2018 with a Celeron CPU equipped with SGX2. In that sense all remote attestation in that arena is broken because you don’t have a low barrier to developing anything on top of it…

Nothing does high waves without a low-barrier developer ecosystem, including local machines that can run the payloads...
Signal actually still defines the best possible framework, despite not being fully implemented, for something you claim to be truly confidential:

1. Create a legal barrier with AGPL; this guarantees that the source code is unmodified.
2. Create a run-time barrier with SGX/SNP/TDX; this guarantees that the run-time is unmodified. Attestation needs to have an expiration time, somewhat like you need to expire a shared session key.

Signal implements (1) but lacks (2).
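Added example, not from any participant in this thread: a client-side verifier for the two properties the posts above argue for, that attestation evidence actually reaches the client and is checked against the expected (reproducibly built) measurement, and that it carries a nonce and expires. It assumes a constructed HMAC key as a stand-in for the vendor's signing chain and a constructed expected measurement; a real verifier validates the quote's certificate chain to the vendor CA (e.g. Intel's) instead.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the hardware vendor's attestation key. A real
# verifier checks a certificate chain rooted at the vendor CA instead.
VENDOR_KEY = b"constructed-vendor-attestation-key"

# Measurement the client expects, i.e. the hash of the reproducibly built
# enclave image it can rebuild and compare against (constructed here).
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed enclave image").hexdigest()

# Assumed policy: evidence older than this must be refreshed, much like an
# expiring session key, so a single old quote cannot be replayed forever.
MAX_AGE_SECONDS = 600

def make_nonce() -> str:
    """Client-generated challenge that the server must echo in its evidence."""
    return secrets.token_hex(16)

def _payload(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def sign_evidence(measurement: str, nonce: str, issued_at: float,
                  key: bytes = VENDOR_KEY) -> dict:
    """Server side: produce evidence signed by the (stand-in) vendor key."""
    body = {"measurement": measurement, "nonce": nonce, "issued_at": issued_at}
    sig = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}

def verify_evidence(evidence: dict, expected_nonce: str, now: float) -> tuple:
    """Client side: returns (accepted, reason). Every check must pass."""
    fields = ("measurement", "nonce", "issued_at", "sig")
    if not all(k in evidence for k in fields):
        return False, "malformed evidence"
    body = {k: evidence[k] for k in fields[:3]}
    expected_sig = hmac.new(VENDOR_KEY, _payload(body), hashlib.sha256).hexdigest()
    # 1. Signature must chain to the vendor; emulated hardware cannot produce it.
    if not hmac.compare_digest(expected_sig, evidence["sig"]):
        return False, "signature does not chain to vendor key"
    # 2. Nonce binds the evidence to this request, defeating replay.
    if not hmac.compare_digest(evidence["nonce"], expected_nonce):
        return False, "nonce mismatch: replayed or unsolicited evidence"
    # 3. Evidence expires; the client must re-attest periodically.
    if now - evidence["issued_at"] > MAX_AGE_SECONDS:
        return False, "evidence expired"
    # 4. Measurement must match what the client reproducibly built.
    if evidence["measurement"] != EXPECTED_MEASUREMENT:
        return False, "measurement does not match expected build"
    return True, "ok"
```

Only when all four checks pass has the client learned anything; a server that keeps the AGPL source intact but signs with a key outside the vendor chain, or never echoes a fresh nonce, fails the first or second check regardless of what the code claims to do.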