Build
Skip to content

Enclave verification

The WaaS enclave's security relies on code integrity verification.

You have two verification options for a running enclave based on your risk tolerance and technical resources.

Simple Verification Method

Requirements

The verification process works only on Linux or macOS systems. You must have updated versions of these tools installed and set up locally:

Determine the PCR0

Visit this page in your browser or through curl: https://waas.sequence.app/status.

Take note of ver and pcr0 values for later use.

Sample output may appear like:

Remember that the checksum can vary between runs, as it verifies the file's integrity. Conversely, the PCR0 for the same code remains constant, as demonstrated in the example above.

Sample output might look like:

{
  "healthOK": true,
  "startTime": "2024-04-08T17:06:20.177514099Z",
  "uptime": 167168,
  "ver": "v1.1.1",
  "pcr0": "77541a3d09cdf2728417c1537d190be0998cc84f8aec95a4f1e823c91a007d97f276c2453be7f653fd73fb862b42fcee"
}

Build the enclave file

  1. Clone the repository locally, substituting v1.1.1 with the value of ver from the previous step:
git clone -b v1.1.1 https://github.com/0xsequence/waas-authenticator.git
cd waas-authenticator
  1. Run the following command, again substituting the version as before:
make VERSION=v1.1.1 eif
  1. Compare the output of the command with the previously noted PCR0 value, for example:
Output written into /out/waas-auth.v1.1.1.eif
BootMeasurement: Sha384 { ... }: {"HashAlgorithm": "Sha384 { ... }", "PCR0": "77541a3d09cdf2728417c1537d190be0998cc84f8aec95a4f1e823c91a007d97f276c2453be7f653fd73fb862b42fcee", "PCR1": "b7ada9ee8a3fa0a2c74c23ddd04a58f0b095d0465327b2d8461b9b81bcbc7236563ff0326c8614fe9205669636955199", "PCR2": "365294f408bcc5913b44110544bb611255d05666f89fd182900330bc117744fa563c2afcf74808b719ac7a29492099c6"}
SHA256 checksum:
3843b48b32b98fa311cbcd1604c0c6931f03c75075212e8bb4c06d02a3d53509  waas-auth.v1.1.1.eif

Please note that the checksum might differ between runs as it's only used to verify the integrity of the file. However, the PCR0 for the same code will always be the same, as can be seen in the example above.

Complex Verification Method

The simple method allows us to compare the PCR0 of the created enclave file with the "live" enclave. This is not foolproof. A mere comparison of two values provides no real evidence. The enclave could have been tampered with, and what we see could be an illusion. Indeed, the PCR0 values for each release are available to the public (https://github.com/0xsequence/waas-authenticator/releases).

Here, cryptographic attestation becomes necessary. We have not published tools for validation yet, but you can perform it using this AWS guide (https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html).

Every enclave request returns the attestation document. It comes in a Base64-encoded format in the X-Attestation-Document response header. A request may also include a X-Attestation-Nonce header. It contains a value that will be signed and included in the attestation document.

For example, you can get the attestation document by running:

curl -si https://waas.sequence.app/health -H X-Attestation-Nonce:0123456789abcdef | grep x-attestation-document