To address the vulnerability of compilation-phase environments to malicious code injection—thereby threatening application and system security—this paper proposes an end-to-end trusted compilation framework that ensures confidentiality, integrity, and traceability across the entire source-to-executable build pipeline. The framework innovatively integrates hardware-enforced Trusted Execution Environments (Intel SGX/TDX), a lightweight filesystem shield with encrypted storage, and versioned, immutable audit logging. This combination achieves strong isolation of the compilation environment and comprehensive, tamper-proof provenance recording of all compilation operations. Experimental evaluation in representative CI/CD scenarios demonstrates that the framework effectively mitigates compilation-time attacks while incurring an average performance overhead of less than 12%, confirming its practical deployability in real-world software development infrastructure.

During the past few years, we have witnessed various efforts to provide confidentiality and integrity for applications running in untrusted environments such as public clouds. In most of these approaches, hardware extensions such as Intel SGX, TDX, AMD SEV, etc., are leveraged to provide encryption and integrity protection on process or VM level. Although all of these approaches increase the trust in the application at runtime, an often overlooked aspect is the integrity and confidentiality protection at build time, which is equally important as maliciously injected code during compilation can compromise the entire application and system.In this paper, we present Tical, a practical framework for trusted compilation that provides integrity protection and confidentiality in build pipelines from source code to the final executable. Our approach harnesses TEEs as runtime protection but enriches TEEs with file system shielding and an immutable audit log with version history to provide accountability. This way, we can ensure that the compiler chain can only access trusted files and intermediate output, such as object files produced by trusted processes. Our evaluation using micro- and macro-benchmarks shows that Tical can protect the confidentiality and integrity of whole CI/CD pipelines with an acceptable performance overhead.