Dmitrii Kuvaiskii

icon indicating a website link https://dimakuv.github.io/ icon indicating an email [email protected]

icon company AWS icon location Dresden, Germany icon location Low-level programming, OS kernels, security, confidential computing, CPUs

Results 681 comments of Dmitrii Kuvaiskii

IPC leader does not wait for all processes to finish

> (I think it's fine if the main process of a user app just spawns something and then exits right away leaving the child) But then Graphene will have unexpected...

IPC leader does not wait for all processes to finish

Yes, both options don't work for this daemon case. I was thinking about "electing a new IPC leader" third option, but this sounds... complex. If choosing between these two options,...

IPC leader does not wait for all processes to finish

A list of related issues that have this "IPC leader does not wait for all processes to finish" bug: - https://github.com/oscarlab/graphene/issues/2426 - https://github.com/oscarlab/graphene/issues/2531 - https://github.com/oscarlab/graphene/issues/2541 - https://github.com/oscarlab/graphene/issues/2542 We closed these...

fork08 is failing with upgraded LTP suite

This case is interesting. It is currently *not* supported in Gramine. Some analysis follows. ## Correct Linux behavior This `fork08` test looks like this: https://github.com/linux-test-project/ltp/blob/96daba2729112b83bb0a2438023c94f2645ae20f/testcases/kernel/syscalls/fork/fork08.c Basically, the parent opens a...

Security mitigations and hardening

From what I understand, only the first item ("We need better sanitization of OCALL arguments") must be resolved for the release (so priority P0 or P1). The rest (sanitizers/linters) is...

RFC: SGX2 support in Gramine (Phase 1)

Thanks for the great write-up! Very easy to follow. > Should I add a LibOS unit test to dynamically mmap, unmmap, and change permissions for EPC memory or extend our...

Missing certificate chain when starting and attesting an enclave

Hm, let's look at the OpenEnclave source code: - https://github.com/openenclave/openenclave/blob/master/common/sgx/quote.c#L72-L76 -- here we see that OpenEnclave expects `OE_SGX_PCK_ID_PCK_CERT_CHAIN`. https://github.com/openenclave/openenclave/blob/e79d334c7f3b9fb2ab3efddbacf215d1713c2413/include/openenclave/bits/sgx/sgxtypes.h#L832-L840 -- here we see that `type == 3` corresponds to `OE_SGX_PCK_ID_ENCRYPTED_PPID_3072`....

Missing certificate chain when starting and attesting an enclave

@chigarovae I got interested in this error, and googled a bit. I found a hint of what is going on in the official DCAP library documentation from Intel: https://download.01.org/intel-sgx/dcap-1.0.1/docs/Intel_SGX_ECDSA_QuoteGenReference_DCAP_API_Linux_1.0.1.pdf The...

Packaging a complete Node app with Gramine

So your problem is adding all the relevant files to `sgx.trusted_files`? There are three simple solutions I can see: 1. *For testing and development purposes only*, you can put `sgx.file_check_policy...

Packaging a complete Node app with Gramine

> `node[1]: ../src/tracing/agent.cc:55:node::tracing::Agent::Agent(): Assertion `(uv_loop_init(&tracing_loop_)) == (0)' failed.` This is a known "bug" in NodeJS. Please see: https://github.com/gramineproject/examples/blob/master/nodejs/nodejs.manifest.template#L13-L14 So the fix is to add to your manifest file this: ```...