Graphene
Fleeting
- External reference: https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai
- External reference: https://graphene.readthedocs.io/en/latest/
- External reference: https://graphene.readthedocs.io/en/latest/building.html
- External reference: https://github.com/oscarlab/graphene
- External reference: https://grapheneproject.io/
oscarlab/graphene: Graphene / Graphene-SGX - a library OS for Linux multi-process applications, with Intel SGX support
- see,
the FSGSBASE functionality must be enabled in the Linux kernel, the Intel SGX driver must be running, and Intel SGX SDK/PSW/DCAP must be installed
Graphene is a lightweight guest OS, designed to run a single application with minimal host requirements. Graphene can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine – including guest customization, ease of porting to different OSes, and process migration.
Graphene supports native, unmodified Linux applications on any platform. Currently, Graphene runs on Linux and Intel SGX enclaves on Linux platforms.
fully-featured library OS can rapidly deploy unmodified applications on SGX with overheads comparable to applications modified to use “shim” layers.
— https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai
performance overheads of Graphene-SGX range from matching a Linux process to less than 2× in most single-process cases; these overheads are largely attributable to current SGX hardware or missed opportunities to optimize Graphene internals, and are not necessarily fundamental to leaving the application unmodified
— https://www.usenix.org/conference/atc17/technical-sessions/presentation/tsai
Graphene runs unmodified applications inside Intel SGX. It supports dynamically loaded libraries, runtime linking, multi-process abstractions, and file authentication.
able to run unmodified applications inside SGX enclaves, without the toll of manually porting the application to the SGX environment
several components:
- The Library OS itself (a shared library named libsysdb.so, called the “shim” in our source code)
- The Platform Adaptation Layer, or PAL (a shared library named libpal.so)
- A patched GNU C Library (a set of shared libraries libc.so, libpthread.so, libm.so, etc.)
Graphene is currently tested on Ubuntu 16.04 and 18.04 (both server and desktop version), along with Linux kernel versions 3.x/4.x/5.x. We recommend building and installing Graphene on the same host platform.
full SGX Attestation support (EPID/DCAP)
Graphene is ready to be deployed in cloud environments with full support for automatic container integration, using Graphene Shielded Containers (GSC).
FSGSBASE is a feature in recent processors which allows direct access to the FS and GS segment base addresses.
kernel supports FSGSBASE (the below command must return that bit 2 is set):
    LD_SHOW_AUXV=1 /bin/true | grep AT_HWCAP2
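The check above can be scripted instead of read by eye. This is an added example, not code from the Graphene project; it assumes the "bit 2" in the note is the kernel's HWCAP2_FSGSBASE flag, mask 0x2 (1 << 1) in arch/x86/include/uapi/asm/hwcap2.h, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Graphene project code.
# Assumption: HWCAP2_FSGSBASE is mask 0x2 (1 << 1), as defined in Linux's
# arch/x86/include/uapi/asm/hwcap2.h.
HWCAP2_FSGSBASE=2

# Print the AT_HWCAP2 value found in LD_SHOW_AUXV output read from stdin.
# Exit status 1 if there is no such entry (old kernel/glibc, non-glibc libc).
extract_hwcap2() {
    awk '/^AT_HWCAP2:/ { print $NF; found = 1; exit } END { exit !found }'
}

# has_fsgsbase VALUE -> 0 if the bit is set, 1 if clear, 2 if VALUE is not 0x<hex>.
# The value is validated before it reaches shell arithmetic.
has_fsgsbase() {
    case "$1" in
        0x*) hex=${1#0x} ;;
        *)   return 2 ;;
    esac
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( 0x$hex & $HWCAP2_FSGSBASE )) -ne 0 ]
}

# Read auxv text on stdin and report: 0 enabled, 1 disabled, 2 undetermined.
check_fsgsbase() {
    value=$(extract_hwcap2) || { echo "AT_HWCAP2 not reported"; return 2; }
    rc=0
    has_fsgsbase "$value" || rc=$?
    case $rc in
        0) echo "FSGSBASE enabled (AT_HWCAP2=$value)" ;;
        1) echo "FSGSBASE not enabled (AT_HWCAP2=$value)" ;;
        *) echo "unparsable AT_HWCAP2 value: $value" ;;
    esac
    return $rc
}

# Live check on this host. A constructed sample of the line being parsed:
#   AT_HWCAP2:            0x2
LD_SHOW_AUXV=1 /bin/true | check_fsgsbase || true
```

A result of "AT_HWCAP2 not reported" means the check is inconclusive on that host, not that FSGSBASE is disabled.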
To install the Graphene FSGSBASE driver, run the following commands:
    git clone https://github.com/oscarlab/graphene-sgx-driver
    cd graphene-sgx-driver
    make
    sudo insmod gsgx.ko