Dmitrii Kuvaiskii

Results: 681 comments by Dmitrii Kuvaiskii

We use TOML basic strings for `sgx.trusted_files` entries, so you can check the TOML spec: https://toml.io/en/v1.0.0#string

@dzygann Awesome analysis! You rock :) As you correctly mentioned, only entry 2 is a bad case (because it has the unescaped backslash `\`). The other two suspicious entries are...

@dzygann Oh look at this: https://github.com/gramineproject/gsc/blob/21b30f28e96d8ff83e1d7365ff84fea368d35bd3/gsc.py#L104 We actually have escaping, but only for environment variables, not for filenames :( So you can just take this one line and use it...

> @dimakuv didn't we move to TOML in GSC? Seems like the move is incomplete and we're still handcrafting the strings? But here we are adding strings to the TOML...

> In my case it was sufficient to exclude the /usr/lib/systemd/system/system-systemd\x2dcryptsetup.slice from the trusted files.

@dzygann How did you exclude it? By manually changing some code in GSC? Or by...

> But there we do something really weird, we generate TOML data by just appending to a string and then calling `toml.loads()`?

Yes, we do it in a few places...

@jkr0103 @anjalirai-intel @aneessahib Does this PR make sense to you?

We hit this again on a ~~MariaDB~~ MongoDB workload -- without this PR it fails with `ftruncate: Permission denied` on a Protected File. With this PR, it succeeds initialization and...

@mythi Thanks for raising this issue! It's yet another angle of view for the "remove the SGX token" discussion. Actually, we have a long-standing PR to remove the token on...

I revived the core Gramine PR to remove the dependency on the SGX Launch Token: https://github.com/gramineproject/gramine/pull/363 I will create another PR in this (GSC) repo to *not* invoke `gramine-sgx-get-token` tool...