Home Explore Help
Sign In
miti
/
graphene
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: f2591790d7
Branches Tags
graphene
/
Tools
/
README

README 4.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. Graphene-SGX Secure Container
    2. 

  2. --------------------------------
    3. 

  3. Graphene-SGX Secure Container (GSC) is a container system where the containerized application can be protected by Graphene-SGX while it is running in a container environment. The GSC system includes two parts: (1) a Docker container instance where the application is running inside Graphene-SGX and both of them are running inside the container instance; (2) a front-end named GSCE (GSC Engine) which takes a legacy Docker container image and automatically launches the contained application inside a GSC container instance.
    4. 

  4. 

  5. Launching a GSC container instance includes following steps:
    6. 

  6. 

  7. (1) Make sure there is a Docker container image of your application in the local or remote image repository.
    8. 

  8. 

  9. (2) Download and Compile Graphene-SGX;
    10. 

  10. 

  11. (2) Go to graphene/Tools
    12. 

  12. 

  13. (3) Run a GSC container via the following command:
    14. 

  14. 

  15.    ./gsce run [All the arguments used for launching a normal Docker container] [docker Image Name:Tag].
    16. 

  16. 

  17. Let's take redis, a key-value, in-memory database as an example. Assume the user runs a normal redis from its docker image as follows.
    18. 

  18. ```bash
    19. 

  19. docker run -i -t -p 6379:6379 redis:latest
    20. 

  20. ```
    21. 

  21. To launch a GSC container running redis, simply change docker to "./gsce", i.e., the user runs the command as follows.
    22. 

  22. ```bash
    23. 

  23. ./gsce run -i -t -p 6379:6379 redis:latest
    24. 

  24. ```
    25. 

  25. --------------------------------
    26. 

  26. Setting up the Dockerfile:
    27. 

  27. 

  28. If running a C++ example your Dockerfile should have the following:
    29. 

  29. ```docker
    30. 

  30. FROM gcc:9.1
    31. 

  31. 

  32. # Ensure you add your path to the graphene folder
    33. 

  33. COPY . /home/username/graphene/LibOS/shim/test/apps/yourImageName
    34. 

  34. 

  35. WORKDIR /home/username/graphene/LibOS/shim/test/apps/yourImageName
    36. 

  36. 

  37. # You can use gcc or g++ and any flags you would like (std flag is for C++ 11 support)
    38. 

  38. RUN g++ -o app sourcefile.cpp -std=c++11
    39. 

  39. 

  40. CMD ["./app"]
    41. 

  41. ```
    42. 

  42. Note: If GSC has issues finding your program and it is added under the trusted files, it is possible that your path has a typo or is incorrect.
    43. 

  43. --------------------------------
    44. 

  44. Issues You May Encounter
    45. 

  45. 1) Graphene is having trouble handling the symbolic links in graphene/Runtime
    46. 

  46. 	- For some reason Graphene doesn't read symbolic links in certain instances. You will need to replace all of the links with a copy of the actual files with the same name to the Runtime folder. Rather than doing this manually (more painful than you may think) use this trick:
    47. 

  47. 	- `shopt -s globstar` <-- enables globstar option
    48. 

  48. 	- `sed -i '' **/*` <-- replaces all of the links
    49. 

  49. 2) Cannot find (generated_offsets)/(site).py
    50. 

  50. 	- Graphene for some reason can't access certain modules it needs to sign enclaves, so all you need to do is copy wherever the modules are located to the folder: `/home/username/graphene/Pal/src/host/Linux-SGX/signer`
    51. 

  51. 3) "Cannot open device /dev/gsgx"
    52. 

  52. 	- cd into `graphene/Pal/src/host/Linux-SGX/sgx-driver/load.sh`
    53. 

  53. 	- run `./load.sh` to load the driver
    54. 

  54. 4) Permission denied on mapping enclave
    55. 

  55. 	- run `sudo sysctl vm.mmap_min_addr=0`
    56. 

  56. 5) If there is an issue when running bash.manifest.sgx
    57. 

  57. 	- edit the Entrypoint in relation to the executable in the Dockerfile
    58. 

  58. 6) Issues with trusted files in GSC
    59. 

  59. 	- Edit the gen_manifest python script and add your trusted files inside of the df.write.
    60. 

  60. 	- The names for the sgx trusted files are arbitrary but need to be unique or overlap issues will occur when signing the enclaves
    61. 

  61. 7) /lib64/ld-linux-x86-64.so.2: version 'SHIM' not found (required by libc.so.6)
    62. 

  62.     - Run `echo $LD_LIBRARY_PATH` and check for a trailing colon at the end of this path
    63. 

  63. 8) "bad_alloc" or "st9_alloc"
    64. 

  64. 	- Your enclave size is too small (default is 256M). Try adding the line: `sgx.enclave_size = 1G` (Size must be a power of 2)
    65. 

  65. 9) Cannot connect to AESMD service (socket cannot connect)
    66. 

  66. 	- Most likley your isgx.ko did not load properly when you ran load.sh. Run load.sh and handle any errors that may appear (most are documented above)
    67. 

  67. 10) "Error while loading shared libraries: cannot open shared object file: No such file or directory"
    68. 

  68.         - Add the library to your graphene/Runtime directory. This is a temporary workaround.
    69. 

  69. 11) "bash.manifest.sgx: file not found"
    70. 

  70.         - Make sure that the location of the executable in your container is in your docker's PATH environment variable. If necessary, change the bin_name in gsce to the name of the binary manually.
    71.