9
2
Fork
You've already forked platform
2

fix(cli): apps build honors e2e/locksmith and records app_source #277

Manually merged
anton merged 1 commit from vkobel/caution-platform:fix/apps-build-honor-e2e-locksmith into main 2026年06月09日 19:21:49 +02:00

caution apps build (build_local) hardcoded e2e=false/locksmith=false and passed None for the app branch/commit, so its enclave image never matched a real deployment of the same app.
For any app using e2e: true (steve) or locksmith: true, the locally-built PCR0/PCR1 were wrong — and the embedded manifest.json was missing the app_source block (also measured into the ramdisk).

This makes build_local read the same inputs the deploy/verify paths already do:

  • read e2e and locksmith flags from the Procfile
  • capture the git commit and branch and pass them through, so the manifest records app_source

With this, caution apps build reproduces a deployed enclave's PCR0 exactly (verified against a live caution verify --attestation-url), given the deployment's BOOTPROOF_COMMIT/STEVE_COMMIT (read from its attestation manifest):

BOOTPROOF_COMMIT=<manifest.bootproof_commit> STEVE_COMMIT=<manifest.steve_commit> caution apps build --no-cache

to follow up on

apps build still needs BOOTPROOF_COMMIT/STEVE_COMMIT passed by hand — it has no manifest to read them from. These are resolved server-side from mutable env (api/builder.rs), so today the only way to learn a deployment's actual values is to read them back from its attestation manifest after deploying. We should be able to get them before a deploy (e.g. a command/endpoint reporting the builder's current defaults, or pinning them in the Procfile/manifest) so a local apps build can match a future deployment deterministically.

example

caution verify:

❯ caution verify --no-cache --attestation-url https://minitel.kobl.one/attestation
Verifying enclave attestation...
[...]
Extracting remote PCR values...
Remote PCR values (from deployed enclave):
 PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
 PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
 PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
Manifest information:
 App source: https://github.com/vkobel/minitel commit: 296335bddb7eaf1264e25a2190b8454708845531 branch: feat/caution-enclave
 Enclave source: https://git.distrust.co/public/enclaveos/archive/9582e25239430070667fdd0a6b64d887f1c308df.tar.gz commit: 9582e25239430070667fdd0a6b64d887f1c308df
 Framework source: https://codeberg.org/caution/platform/archive/main.tar.gz commit: 639bc8adc600563d9903fed228d93523a7d66fe2
[...]
Expected PCR values:
 PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
 PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
 PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
[...]

then from the cloned repo, same commit (296335bddb7e):

BOOTPROOF_COMMIT=78f531a2c245404a9d8879fb71cc397096ae0077 \
 STEVE_COMMIT=1dee1a0d55d1106fd8a237c09733406489cc8d12 \
 caution apps build --no-cache
Building EIF locally for inspection...
✓ Application image built: caution-local-build:296335bddb7e
[...]
=== PCR Values ===
PCR0 (Enclave image): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR1 (Kernel/boot): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e
PCR2 (Application): 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a
[...]
`caution apps build` (build_local) hardcoded e2e=false/locksmith=false and passed None for the app branch/commit, so its enclave image never matched a real deployment of the same app. For any app using `e2e: true` (steve) or `locksmith: true`, the locally-built PCR0/PCR1 were wrong — and the embedded manifest.json was missing the app_source block (also measured into the ramdisk). This makes build_local read the same inputs the deploy/verify paths already do: - read e2e and locksmith flags from the Procfile - capture the git commit and branch and pass them through, so the manifest records app_source With this, caution apps build reproduces a deployed enclave's PCR0 exactly (verified against a live caution `verify --attestation-url`), given the deployment's BOOTPROOF_COMMIT/STEVE_COMMIT (read from its attestation manifest): ```bash BOOTPROOF_COMMIT=<manifest.bootproof_commit> STEVE_COMMIT=<manifest.steve_commit> caution apps build --no-cache ``` ### ❓ to follow up on apps build still needs BOOTPROOF_COMMIT/STEVE_COMMIT passed by hand — it has no manifest to read them from. These are resolved server-side from mutable env (api/builder.rs), so today the only way to learn a deployment's actual values is to read them back from its attestation manifest after deploying. We should be able to get them before a deploy (e.g. a command/endpoint reporting the builder's current defaults, or pinning them in the Procfile/manifest) so a local apps build can match a future deployment deterministically. ### example caution verify: ```bash ❯ caution verify --no-cache --attestation-url https://minitel.kobl.one/attestation Verifying enclave attestation... [...] Extracting remote PCR values... Remote PCR values (from deployed enclave): PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a Manifest information: App source: https://github.com/vkobel/minitel commit: 296335bddb7eaf1264e25a2190b8454708845531 branch: feat/caution-enclave Enclave source: https://git.distrust.co/public/enclaveos/archive/9582e25239430070667fdd0a6b64d887f1c308df.tar.gz commit: 9582e25239430070667fdd0a6b64d887f1c308df Framework source: https://codeberg.org/caution/platform/archive/main.tar.gz commit: 639bc8adc600563d9903fed228d93523a7d66fe2 [...] Expected PCR values: PCR0: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e PCR1: 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e PCR2: 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a [...] ``` then from the cloned repo, same commit (`296335bddb7e`): ```bash ❯ BOOTPROOF_COMMIT=78f531a2c245404a9d8879fb71cc397096ae0077 \ STEVE_COMMIT=1dee1a0d55d1106fd8a237c09733406489cc8d12 \ caution apps build --no-cache Building EIF locally for inspection... ✓ Application image built: caution-local-build:296335bddb7e [...] === PCR Values === PCR0 (Enclave image): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e PCR1 (Kernel/boot): 7624732ce51a68c4a44b40aead26e3eee7b60a94460fd1f55f32ca93dfd0cb6add7f60c449be67b092ede3aa5dae870e PCR2 (Application): 21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a [...] ```
anton manually merged commit 52d3ebfe7e into main 2026年06月09日 19:21:49 +02:00
Owner
Copy link

We can address the follow up about the locksmith and steve hashes using this approach: #278

We can address the follow up about the locksmith and steve hashes using this approach: https://codeberg.org/caution/platform/issues/278
Sign in to join this conversation.
No reviewers
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
Component/Enclave-Builder
This issue affects Enclave Builder (git-push and CLI)
Component/Infrastructure
This issue affects generic Caution hosted infra components
Deploy/BYOC
Relates to Caution Bring-your-own-compute
Deploy/Full-managed
Relates to Caution fully managed cloud
Deploy/Self-hosted
Relates to Caution deployed on self-hosted infra
Interface/API
This issue affects the API
Interface/CLI
This issue affects the command line interface
Interface/Git
This issue affects the Git `push` interface
Interface/Web
This issue affects the web dashboard
Kind/Bug
Something is not working
Kind/Documentation
Documentation changes
Kind/Enhancement
Improve existing functionality
Kind/Feature
New functionality
Kind/Security
This is security issue
Kind/Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
caution/platform!277
Reference in a new issue
caution/platform
No description provided.
Delete branch "vkobel/caution-platform:fix/apps-build-honor-e2e-locksmith"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?