initc3/docker-gramine
docker-gramine

A Docker image with Gramine, for running the Gramine examples with SGX support.

Prerequisites

Make sure SGX is available on your system. Flexible Launch Control (FLC) support is not required. You can check with the cpuid command:

cpuid | grep -i sgx

You'll see something like:

  SGX: Software Guard Extensions supported = true
  SGX_LC: SGX launch config supported      = false

Alternatively, you can use https://github.com/ayeks/SGX-hardware#test-sgx.

If your hardware supports SGX but it is not enabled, reboot your computer, go into the BIOS settings, enable it, save and exit.

Install Out-Of-Tree (OOT) SGX Driver

IMPORTANT: SGX MUST be enabled to install the driver.

For Ubuntu 20.04:

wget https://download.01.org/intel-sgx/sgx-linux/2.14/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin
chmod +x sgx_linux_x64_driver_*.bin
sudo ./sgx_linux_x64_driver_*.bin
ls -la /dev/isgx

Set vm.mmap_min_addr=0

sudo sysctl vm.mmap_min_addr=0

NOTE: Only needed for the out-of-tree driver.

Why? See https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md#enclave-null-dereference-protection.
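The prerequisite checks above (SGX reported by cpuid, the driver's device node present, vm.mmap_min_addr lowered for the out-of-tree driver) are easy to get wrong one at a time, so here is a preflight script that runs them together. This is an added example and not part of the initc3/docker-gramine repository. Each check takes its input as text so it can be exercised against the sample cpuid output shown above; the live path (`--live`) calls cpuid, sysctl and /dev on the real host. The in-tree kernel driver's /dev/sgx_enclave node is not mentioned in this README and is included here from general knowledge of the upstream driver.

```shell
#!/bin/sh
# Added example, not part of the initc3/docker-gramine repository: a preflight
# check for the SGX prerequisites described in the README. Each check takes
# its input as text so it can be tested with constructed samples; run_preflight
# wires the checks to the live host and only runs when invoked with --live.

# Extract the value of one feature line from `cpuid | grep -i sgx` output.
# cpuid prints e.g. "  SGX: Software Guard Extensions supported = true"; the
# value is the last whitespace-separated token. Prints the value (or "unknown")
# and succeeds only when it is "true".
cpuid_flag() {
    flag="$1"
    cpuid_text="$2"
    value=$(printf '%s\n' "$cpuid_text" | grep -E "^[[:space:]]*${flag}:" | head -n 1 | awk '{print $NF}')
    printf '%s\n' "${value:-unknown}"
    [ "$value" = "true" ]
}

# Only SGX itself is required by this image; FLC (the SGX_LC line) is optional
# but worth reporting because it decides which launch path the platform offers.
sgx_supported() { cpuid_flag SGX "$1"; }
flc_supported() { cpuid_flag SGX_LC "$1"; }

# The out-of-tree driver needs vm.mmap_min_addr=0 (see the note in the README).
mmap_min_addr_ok() { [ "$1" = "0" ]; }

# Report which SGX device node exists in the given directory (default /dev):
# isgx for the out-of-tree driver, sgx_enclave for the in-tree kernel driver
# (the latter is general knowledge, not from the README). Uses -e rather than
# -c so the function can be tested against a plain directory.
sgx_device() {
    dir="${1:-/dev}"
    if [ -e "$dir/isgx" ]; then
        echo isgx
    elif [ -e "$dir/sgx_enclave" ]; then
        echo sgx_enclave
    else
        echo none
        return 1
    fi
}

# Live check against this host; returns non-zero if a required prerequisite
# is missing. FLC is reported but never fails the check.
run_preflight() {
    status=0
    cpuid_text=$(cpuid 2>/dev/null | grep -i sgx)
    sgx=$(sgx_supported "$cpuid_text") || status=1
    printf 'SGX supported:    %s\n' "$sgx"
    flc=$(flc_supported "$cpuid_text") || true
    printf 'FLC supported:    %s (not required)\n' "$flc"
    dev=$(sgx_device /dev) || status=1
    printf 'SGX device node:  %s\n' "$dev"
    mma=$(sysctl -n vm.mmap_min_addr 2>/dev/null)
    printf 'vm.mmap_min_addr: %s\n' "$mma"
    if [ "$dev" = "isgx" ] && ! mmap_min_addr_ok "$mma"; then
        echo "out-of-tree driver in use: run 'sudo sysctl vm.mmap_min_addr=0'" >&2
        status=1
    fi
    return $status
}

case "${1:-}" in
    --live) run_preflight ;;
esac
```

Run it as `sh sgx-preflight.sh --live` on the host before `docker-compose build`; a non-zero exit means one of the required prerequisites (SGX reported by cpuid, a device node, or the sysctl for the out-of-tree driver) is missing, and the printed table shows which.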

Build

docker-compose build

Hello World Example

docker-compose run --rm gramine bash
cd LibOS/shim/test/regression
make SGX=1
make SGX=1 sgx-tokens
gramine-sgx helloworld

You should see something like:

root@353ee34bd80a:/usr/src/gramine/LibOS/shim/test/regression# gramine-sgx helloworld
-----------------------------------------------------------------------------------------------------------------------
Gramine detected the following insecure configurations:

  - sgx.debug = true                           (this is a debug enclave)
  - loader.insecure__use_cmdline_argv = true   (forwarding command-line args from untrusted host to the app)
  - sys.insecure__allow_eventfd = true         (host-based eventfd is enabled)
  - sgx.allowed_files = [ ... ]                (some files are passed through from untrusted host without verification)

Gramine will continue application execution, but this configuration must not be used in production!
-----------------------------------------------------------------------------------------------------------------------

Hello world!
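The banner Gramine prints above is the part of this output worth acting on: a debug enclave (sgx.debug = true) can be inspected by the host, so a remote attestation of it says nothing about confidentiality, and the other listed settings let the untrusted host feed unverified arguments, eventfds and files into the enclave. The following script, an added example that is not part of the initc3/docker-gramine repository, parses that banner and fails when any insecure setting is reported, so a CI job can run an enclave with its real manifest and refuse to publish an image that would start with the warning. It assumes the banner format shown above (a "Gramine detected the following insecure configurations:" header, `- key = value` lines, and a closing line of dashes).

```shell
#!/bin/sh
# Added example, not from the initc3/docker-gramine repository: a gate that
# inspects Gramine's startup output for the "insecure configurations" banner
# and fails when any such setting is present. Banner format assumed from the
# helloworld output in the README.

# Print the setting names Gramine lists as insecure, one per line, in the
# order reported. Only "  - key = value   (comment)" lines between the banner
# header and the closing dashed line are considered.
insecure_settings() {
    printf '%s\n' "$1" | awk '
        /Gramine detected the following insecure configurations/ { in_banner = 1; next }
        in_banner && /^-+$/ { in_banner = 0 }
        in_banner && /^[[:space:]]*- / { sub(/^[[:space:]]*- /, ""); print $1 }
    '
}

# Return 0 when the run reported no insecure settings, 1 otherwise, listing the
# offending manifest keys on stderr so the CI log shows exactly what to fix.
production_ready() {
    found=$(insecure_settings "$1")
    if [ -n "$found" ]; then
        printf 'refusing: Gramine reported insecure settings:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# With --check the script reads the enclave's combined output from stdin, e.g.
#   gramine-sgx helloworld 2>&1 | sh gramine-gate.sh --check
case "${1:-}" in
    --check) production_ready "$(cat)" ;;
esac
```

Pipe the enclave's combined stdout and stderr into `--check`; the exit status is the gate, and the stderr listing names the manifest keys (sgx.debug, loader.insecure__use_cmdline_argv, sys.insecure__allow_eventfd, sgx.allowed_files) that must be changed before the image is used outside of testing.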

Without SGX Support

Build:

docker build -t gramine:nosgx --file nosgx.Dockerfile .

Hello world:

docker run --rm -it --security-opt seccomp=unconfined gramine:nosgx bash
cd LibOS/shim/test/regression
make
gramine-direct helloworld

Notes

The argument --security-opt seccomp=unconfined is important. See gramineproject/gramine#164 (comment).

(docs: https://gramine.readthedocs.io/projects/gsc/en/latest/#execute-with-linux-pal-instead-of-linux-sgx-pal)
