forked from gramineproject/graphene
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
192 lines (136 loc) · 7.37 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
Graphene Library OS with Intel SGX Support
A Linux-compatible Library OS for Multi-Process Applications
1. WHAT IS GRAPHENE?
Graphene Library OS is a project to provided lightweight guest OSes with
support for Linux multi-process applications. Comparable to virtual
machines, Graphene can run applications in an isolated environment, with
virtualization benefits such as guest customization, platform independence
and migration.
Graphene Library OS supports native, unmodified Linux appliations upon
any platform that Graphene Library OS has been ported to. Currently,
Graphene Library OS is successfully ported to Linux, FreeBSD and Intel SGX
enclaves upon Linux platforms.
With the Intel SGX support, Graphene Library OS can secure a critical
application in a hardware encrypted memory region. Graphene Library OS can
protect applications against malicious system stack, with minimal porting
effort.
Graphene Library OS is a work published in Eurosys 2014. For more
information. see the paper: Tsai, et al, "Cooperation and Security Isolation
of Library OSes for Multi-Process Applications", Eurosys 2014.
2. HOW TO BUILD GRAPHENE?
Graphene Library OS is consist of five parts:
- Instrumented GNU Library C
- LibOS (a shared library named "libsysdb.so")
- PAL, a.k.a Platform Adaption Layer (a shared library named "libpal.so")
- Reference monitor (a shared library named "libpal_sec.so")
- Minor kernel customization and kernel modules
Graphene Library OS currently only works on x86_64 architecture.
Graphene Library OS is tested to be compiling and running on Ubuntu 12.04/14.04
(both server and desktop version), along with Linux kernel 3.5/3.14.
We recommand to build and install Graphene with the same host platform.
Other distributions of 64-bit Linux can potentially, but the result is not
guaranteed. If you find Graphene not working on other distributions, please
contact us with a detailed bug report.
The following packages are required for building Graphene: (can be installed
with 'apt-get install')
- build-essential
- autoconf
- gawk
The following packages are also required for building Graphene for SGX (can
be installed with 'apt-get install'):
- python-protobuf
- python-crypto
To build the system, simply run the following commands in the root of the
source tree:
make
make install
(Add Graphene kernel as a boot option by commands like "update-grub")
(reboot and choose the Graphene kernel)
Please note that the building process may pause before building the Linux
kernel, because it requires you to provide a sensible configuration file
(.config). The Graphene kernel requires the following options to be enabled
in the configuration:
- CONFIG_GRAPHENE=y
- CONFIG_GRAPHENE_BULK_IPC=y
- CONFIG_GRAPHENE_ISOLATE=y
Each part of Graphene can be built separately in the subdirectories.
To build Graphene library OS with debug symbols, run "make DEBUG=1" instead of
"make".
For more details about the building and installation, see the Graphene github
Wiki page: <https://github.com/oscarlab/graphene/wiki>.
2-1. BUILD WITH INTEL SGX SUPPORT
To build Graphene Library OS with Intel SGX support, run "make SGX=1" instead
of "make". "DEBUG=1" can be used to build with debug symbols. Using "make SGX=1"
in the test or regression directory will automatically generate the enclave
signatures (in .sig files).
A 3072-bit RSA private key (PEM format) is required for signing the enclaves.
The default enclave key is placed in 'host/Linux-SGX/signer/enclave-key.pem',
or the key can be specified through environment variable 'SGX_ENCLAVE_KEY'
when building Graphene with Intel SGX support. If you don't have a private key,
create it with the following command:
openssl genrsa -3 -out enclave-key.pem 3072
After signing the enclaves, users may ship the application files with the
built Graphene Library OS, along with a SGX-specific manifest (.manifest.sgx
files) and the signatures, to the Intel SGX-enabled hosts. The Intel SGX
Linux SDK is required for running Graphene Library OS. Download and install
from the official Intel github repositories:
<https://github.com/01org/linux-sgx>
<https://github.com/01org/linux-sgx-driver>
A Linux driver must be installed before runing Graphene Library OS in enclaves.
Simply run the following command to build the driver:
cd Pal/src/host/Linux-SGX/sgx-driver
make
(The console will be prompted to ask for the path of Intel SGX driver code)
sudo ./load.sh
Finally generating the runtime enclave tokens by running "make SGX_RUN=1".
3. HOW TO RUN AN APPLICATION IN GRAPHENE?
Graphene library OS uses PAL (libpal.so) as a loader to bootstrap an
application in the library OS. To start Graphene, PAL (libpal.so) will have
to be run as an executable, with the name of the program, and a "manifest
file" given from the command line. Graphene provides three options for
spcifying the programs and manifest files:
option 1: (automatic manifest)
[PATH TO Pal/src]/pal [PROGRAM] [ARGUMENTS]...
(Manifest file: "[PROGRAM].manifest" or "manifest")
option 2: (given manifest)
[PATH TO Pal/src]/pal [MANIFEST] [ARGUMENTS]...
option 3: (manifest as a script)
[PATH TO MANIFEST]/[MANIFEST] [ARGUMENTS]...
(Manifest must have "#![PATH_TO_PAL]/libpal.so" as the first line)
Using "libpal.so" as loader to start Graphene will not attach the applications
to the Graphene reference monitor. Tha applications will have better
performance, but no strong security isolation. To attach the applications to
the Graphene reference monitor, Graphene must be started with the PAL
reference monitor loader (libpal_sec.so). Graphene provides three options for
spcifying the programs and manifest files to the loader:
option 4: (automatic manifest - with reference monitor)
[PATH TO Pal/src]/pal_sec [PROGRAM] [ARGUMENTS]...
(Manifest file: "[PROGRAM].manifest" or "manifest")
option 5: (given manifest - with reference monitor)
[PATH TO Pal/src]/pal_sec [MANIFEST] [ARGUMENTS]...
option 6: (manifest as a script - with reference monitor)
[PATH TO MANIFEST]/[MANIFEST] [ARGUMENTS]...
(Manifest must have "#![PATH TO Pal/src]/pal_sec" as the first line)
Although manifest files are optional for Graphene, running an application
usually requires some minimal configuration in its manifest file. A
sensible manifest file will include paths to the library OS and GNU
library C, environment variables such as LD_LIBRARY_PATH, file systems to
be mounted, and isolation rules to be enforced in the reference monitor.
Here is an example of manifest files:
loader.preload = file:LibOS/shim/src/libsysdb.so
loader.env.LDL_LIBRAY_PATH = /lib
fs.mount.glibc.type = chroot
fs.mount.glibc.path = /lib
fs.mount.glibc.uri = file:LibOS/build
More examples can be found in the test directories (LibOS/shim/test). We have
also tested several commercial applications such as GCC, Bash and Apache,
and the manifest files that bootstrap them in Graphene are provided in the
individual directories.
For more information and the detail of the manifest syntax, see the Graphene
github Wiki page: <https://github.com/oscarlab/graphene/wiki>.
4. HOW TO CONTACT THE MAINTAINER?
For any questions or bug reports, please contact us:
Chia-Che Tsai <[email protected]>
Donald Porter <[email protected]>
or post an issue on our github repository:
<https://github.com/oscarlab/graphene/issues>