From aa6489abaf431a89516205da90b9000acafb119a Mon Sep 17 00:00:00 2001
From: Italo Sampaio <100376888+italo-sampaio@users.noreply.github.com>
Date: Thu, 14 Nov 2024 09:48:04 -0300
Subject: [PATCH] SGX reproducible builds (#219)

- Updates SGX Docker base image to `2024.10.2391`
- Removes unnecessary dependencies from SGX Dockerfile
- Freezes open-enclave version to `0.19.4`
- Ensures deterministic build order
---
 docker/sgx/Dockerfile     | 16 ++--------------
 firmware/src/sgx/Makefile | 10 +++++-----
 2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/docker/sgx/Dockerfile b/docker/sgx/Dockerfile
index 881f8bd7..57785c5f 100644
--- a/docker/sgx/Dockerfile
+++ b/docker/sgx/Dockerfile
@@ -1,23 +1,11 @@
-FROM openenclavedockerregistry.azurecr.io/oetools-20.04:2023.11.21100
+FROM openenclavedockerregistry.azurecr.io/oetools-20.04:2024.10.2391
 
 # Install dependencies
 RUN apt-get update && \
     apt-get install -y apt-utils vim && \
     apt-get install -y tar && \
-    apt-get install -y xz-utils && \
     apt-get install -y curl && \
-    apt-get install -y git && \
-    apt-get install -y clang-11 && \
-    apt-get install -y libssl-dev && \
-    apt-get install -y gdb && \
-    apt-get install -y libsgx-enclave-common && \
-    apt-get install -y libsgx-quote-ex && \
-    apt-get install -y libprotobuf17 && \
-    apt-get install -y libsgx-dcap-ql && \
-    apt-get install -y libsgx-dcap-ql-dev && \
-    apt-get install -y az-dcap-client && \
-    apt-get install -y open-enclave && \
-    apt-get install -y gcc && \
+    apt-get install -y open-enclave=0.19.4 && \
     apt-get install -y make
 
 # Create directory to host symlinks to Open Enclave static libraries
diff --git a/firmware/src/sgx/Makefile b/firmware/src/sgx/Makefile
index ba906f93..5e7db387 100644
--- a/firmware/src/sgx/Makefile
+++ b/firmware/src/sgx/Makefile
@@ -38,13 +38,13 @@ POWHSM_SRC_DIR = ../powhsm/src
 COMMON_SRC_DIR = ../common/src
 
 ## Untrusted source files
-UNTRUSTED_SRC =  $(wildcard $(SGX_UNTRUSTED_SRC_DIR)/*.c)
+UNTRUSTED_SRC =  $(sort $(wildcard $(SGX_UNTRUSTED_SRC_DIR)/*.c))
 
 ## Trusted source files
-TRUSTED_SRC =  $(wildcard $(SGX_TRUSTED_SRC_DIR)/*.c)
-TRUSTED_SRC += $(wildcard $(HAL_TRUSTED_SRC_DIR)/*.c)
-TRUSTED_SRC += $(wildcard $(POWHSM_SRC_DIR)/*.c)
-TRUSTED_SRC += $(wildcard $(COMMON_SRC_DIR)/*.c)
+TRUSTED_SRC =  $(sort $(wildcard $(SGX_TRUSTED_SRC_DIR)/*.c))
+TRUSTED_SRC += $(sort $(wildcard $(HAL_TRUSTED_SRC_DIR)/*.c))
+TRUSTED_SRC += $(sort $(wildcard $(POWHSM_SRC_DIR)/*.c))
+TRUSTED_SRC += $(sort $(wildcard $(COMMON_SRC_DIR)/*.c))
 
 # Enclave definition files
 EDL_FILE = $(SGX_SRC_DIR)/$(ENCLAVE_NAME).edl