This repository is a small demo to show how to run a Rust application inside an Intel SGX enclave with Gramine.
About The Project • Getting started • Gramine Rust Image structure • Modifying the PoC
With the increasing movement to the cloud and zero-trust infrastructure, the field of confidential computing is becoming increasingly important for developers. With Gramine, an existing code base can be migrated quickly and easily without requiring a complete re-write.
This project was developed in the context of the system security lecture by @sebastiangajek at the Flensburg University of Applied Sciences.
An enclaved application has some great advantages
- You don't lose the trust of an on-premise cloud in the public cloud
- Better security against exploits for kernel-space, insider attack (malicious or not), corrupted UEFI Firmware and other "root" attacks that use application corruption.
- Regardless of the geolocation, the privacy export regulation are complied with
- Through the enclave the processing data are encrypted and anonymized, so it is GDRP/CCPA complaint
An enclave-ready computing platform with flexible launch control. Check for Intel SGX with
grep sgx /proc/cpuinfoand look for the flags sgx and sgx_lc or look at Intel's Guide to find it out.
In addition, Intel SGX drivers are necessary. They are integrated into Linux kernel version 5.11. If the kernel version is 5.9 or higher, install Intel SGX DCAP.
Docker and Docker Compose are also necessary for this PoC; for installation, consider the Docker documentation for your OS.
After fulfilling the pre-requirements, clone the repository and run the following inside the project
docker-compose upUnder http://{your_host_ip}, you should be greeted by your enclave after the console prints Server is running.
The build process of the image contains two Stage
- First Stage ("builder"): Uses the official Rust Docker image to compile the project to an executable using cargo
- Second Stage: Gathers all additional required resources, generates the manifest form template and signs it
During the build, ARG projectName specifies the name of the project directory and executable. Further
ARG webFiles specifies the directory for *.html, *.js, ... . Both are defined in the docker-compose.yml
If more packages are required during build or runtime, they can be added to the package.txt or build/package.txt
to install them during the build.
After the build is finished, the app environment looks like this by default
/entrypoint/
+ app #executable
+ $webFiles/
+ *.html
The entrypoint.sh is executed on container-start to get the required token and launches the application
To run another Rust executable, it is enough to replace the hello_world project with yours and change the argument projectName in docker-compose.yml to your project name.
The same applies to the argument webFiles; if not needed, this part can be removed.
Note: After the image is built the $webFiles are located in /entrypoint/$webFiles/.
This project is distributed under the GPLv3 License. See LICENSE for further information.
This project greatly celebrates all contributions from the gramine team and the amazing progress made by the enclaive team.