gsc
Alpine Linux support
Description of the problem
Since Gramine doesn't support Alpine Linux (https://github.com/gramineproject/gramine/issues/993), the same goes for GSC.
Note that this issue depends on the feature of supporting Gramine in Alpine.
This also depends on: are all Gramine run-time dependencies available as packages on Alpine?
When I look at our minimalistic Docker image: https://github.com/gramineproject/gramine/blob/master/packaging/docker/Dockerfile
I see:
- `curl gnupg2 binutils` packages -- should be available on Alpine
- SGX SDK/PSW packages -- AFAIK they are not available on Alpine
@mssun Do you know if SGX SDK/PSW is supported on Alpine? Also, did you try to build Gramine on Alpine (I think it should work if we enable `musl` and maybe disable `glibc` during `meson setup`)?
I don't think SGX SDK/PSW supports Alpine officially.
For SGX SDK/PSW, what functions does Gramine use with the SDK/PSW specifically? If this is for architectural enclaves, we can suggest to use the host AESM service and map the domain socket file (`/run/aesmd/aesmd.socket`) into the container.
I did an initial PoC of Gramine on Alpine. I compiled Gramine with Ubuntu, copied all Gramine artifacts to Alpine (Alpine may have different directory structure), resolved library dependencies (e.g., Python, glibc, protobuf, make, etc.). With these efforts, I can successfully compile the manifest file, sign the enclave, and run the hello world sample with gramine-sgx. However, this is just a PoC and a complete testing is needed.
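The host-AESM suggestion above, seen from the container side, as an added example (this is not code from gsc or Gramine): keep `aesmd` running on the host, refuse to start the container if its socket is missing, and bind-mount the socket into the container at the same path. The socket path is the conventional one from the thread; the `/dev/sgx_enclave` device node (upstream-kernel SGX driver), the variable names and the `main` wrapper are assumptions of this example, not something the thread specifies.

```shell
#!/bin/sh
# Added example: run a Gramine-based container against the host's aesmd.
# Not part of gsc/Gramine; paths other than the aesmd socket are assumptions.

# Conventional aesmd socket location; /var/run is usually a symlink to /run,
# so mounting this path serves both spellings inside the container.
AESMD_SOCKET="${AESMD_SOCKET:-/run/aesmd/aesmd.socket}"

# Upstream-kernel SGX device node (assumption: host runs the in-kernel driver).
SGX_DEVICE="${SGX_DEVICE:-/dev/sgx_enclave}"

# Succeed only if a Unix socket exists at the given path, i.e. aesmd is up on
# the host. Without it every enclave launch / quote request in the container
# would fail later with a far less obvious error, so fail early here.
aesm_socket_check() {
    sock="${1:-$AESMD_SOCKET}"
    if [ ! -S "$sock" ]; then
        printf 'no AESM socket at %s (is aesmd running on the host?)\n' "$sock" >&2
        return 1
    fi
    return 0
}

# Emit the `docker run` flags: pass the SGX device through and bind-mount the
# aesmd socket at the same path inside the container. Pure function (no docker
# needed), so it can be checked in isolation.
aesm_run_flags() {
    sock="${1:-$AESMD_SOCKET}"
    dev="${2:-$SGX_DEVICE}"
    printf '%s -v %s:%s' "--device=$dev" "$sock" "$sock"
}

# Usage: ./run-with-host-aesm.sh <image> [command...]
main() {
    image="$1"
    shift
    aesm_socket_check "$AESMD_SOCKET" || exit 1
    # Word-splitting of the flag string is intended here.
    # shellcheck disable=SC2046
    exec docker run --rm -it $(aesm_run_flags "$AESMD_SOCKET" "$SGX_DEVICE") "$image" "$@"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Note that the socket mount only covers the AESM side of the problem (launch and quoting enclaves); the `libsgx_dcap_quoteverify.so` dependency discussed below still has to be present inside the container for DCAP quote verification.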
Gramine needs SGX SDK/PSW for two purposes:
- AESM services (Launch arch enclave for older machines, EPID Quoting arch enclave, DCAP Quoting arch enclave)
- `libsgx_dcap_quoteverify.so` DCAP-quote-verification shared library (part of the SDK/PSW package `libsgx-dcap-quote-verify`), required for RA-TLS attestation: https://github.com/gramineproject/gramine/blob/db86ad2eab2ab449508b85263818f4d6d6e10a50/tools/sgx/ra-tls/ra_tls_verify_dcap.c#L162-L166
I agree that for the first purpose (AESM services), we can suggest to use AESM service from the host and map its socket into the container. This will unfortunately mean that it will be impossible to use a bare-metal (non-container) deployment of Gramine, but maybe it's good enough for now.
The second purpose (`libsgx_dcap_quoteverify.so`) is more complicated. Gramine links against this library, so it must be placed into the Alpine container. I'm unclear if e.g. one can simply copy this shared library (and maybe some of its dependency files) from an Ubuntu system to the Alpine container, and it will just work.
Well, the second purpose is only relevant if Gramine wants to use DCAP remote attestation (more specifically, DCAP quote verification). I would say that this doesn't happen in all scenarios, but I guess it's a pretty important part of SGX flows. So we need to solve this issue somehow, otherwise Gramine-on-Alpine will have a serious limitation.
@mssun It would be interesting to perform a test of DCAP quote verification in Gramine. For example, to run a `ra-tls-mbedtls` example. If we make this example work (in a not too hacky way), then I think we can work on a real Alpine support.
@mwshan (a maintainer of Intel SGX SDK/PSW/DCAP) told me that the `libsgx_dcap_quoteverify.so` library can be simply built inside of the Alpine container, against the Musl C lib. The library should be built from https://github.com/intel/SGXDataCenterAttestationPrimitives/, under the `QuoteVerification/` directory. It should be straight-forward since it doesn't depend on anything special.
Is there any plans to support Alpine in GSC soon ? I see gramine got the support in here.
@aneessahib @anjalirai-intel @sahason Do you know if anyone is working on this support?
@sahason will start some work on this, but priority will be best effort.