Graphene Library OS with Intel SGX Support
A Linux-compatible Library OS for Multi-Process Applications
What is Graphene?
Graphene is a lightweight guest OS, designed to run a single application with minimal host requirements. Graphene can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine -- including guest customization, ease of porting to different OSes, and process migration.
Graphene supports native, unmodified Linux applications on any platform. Currently, Graphene runs on Linux and Intel SGX enclaves on Linux platforms.
With Intel SGX support, Graphene can secure a critical application in a hardware-encrypted memory region. Graphene can protect applications from a malicious system stack with minimal porting effort.
Our papers describe the motivation, design choices, and measured performance of Graphene:
How to get Graphene?
The latest version of Graphene can be cloned from GitHub:
git clone https://github.com/oscarlab/graphene.git
At this time Graphene is available only as source code. Building instructions are available.
How to run an application in Graphene?
The Graphene library OS uses the PAL (libpal.so) as a loader to bootstrap applications in the library OS. To start Graphene, the PAL (libpal.so) must be run as an executable, with the name of the program and a "manifest file" (per-app configuration) given on the command line. Graphene provides three options for specifying the programs and manifest files:
option 1 (automatic manifest):
[PATH TO Runtime]/pal_loader [PROGRAM] [ARGUMENTS]... (Manifest file: "[PROGRAM].manifest" or "manifest")
option 2 (given manifest):
[PATH TO Runtime]/pal_loader [MANIFEST] [ARGUMENTS]...
option 3 (manifest as a script):
[PATH TO MANIFEST]/[MANIFEST] [ARGUMENTS]... (Manifest must have "#![PATH_TO_PAL]/libpal.so" as the first line)
Running an application requires some minimal configuration in the application's
manifest file. A sensible manifest file will include paths to the library
OS and other libraries the application requires; environment variables, such as
LD_LIBRARY_PATH; and file systems to be mounted.
Here is an example manifest file:
loader.preload = file:LibOS/shim/src/libsysdb.so
loader.env.LD_LIBRARY_PATH = /lib
fs.mount.libc.type = chroot
fs.mount.libc.path = /lib
fs.mount.libc.uri = file:[relative path to Graphene root]/Runtime
More examples can be found in the test directories (
have also tested several applications, such as GCC, Bash, and Apache.
The manifest files for these applications are provided in the
individual directories under
For the full documentation of the Graphene manifest syntax, see the Graphene documentation.
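The following is an added example, not code from Graphene or its documentation: a small Python audit that parses a manifest, lists the environment variables and host locations it hands to the application, and flags likely mistakes such as a misspelled variable or an incomplete mount. It assumes only the `key = value` form shown above; the function names, the shebang path, the relative Runtime path and the `tmp` mount are constructed for illustration.

```python
import difflib
from collections import defaultdict
# Constructed sample; the misspelled variable and the incomplete "tmp" mount are deliberate.
SAMPLE = """\
#!/opt/graphene/Runtime/libpal.so
loader.preload = file:LibOS/shim/src/libsysdb.so
loader.env.LD_LIBRAY_PATH = /lib
fs.mount.libc.type = chroot
fs.mount.libc.path = /lib
fs.mount.libc.uri = file:../../Runtime
fs.mount.tmp.type = chroot
fs.mount.tmp.path = /tmp
"""
KNOWN_ENV = ["LD_LIBRARY_PATH"]  # the one variable the page names

def parse_manifest(text):
    """Return {key: value}. Assumes 'key = value' lines; '#' lines are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key = value': {raw!r}")
        entries[key.strip()] = value.strip()
    return entries

def audit(entries):
    """Return (env, guest path -> host URI, problems) for a parsed manifest."""
    mounts, env, problems = defaultdict(dict), {}, []
    for key, value in entries.items():
        parts = key.split(".")
        if parts[:2] == ["fs", "mount"] and len(parts) == 4:
            mounts[parts[2]][parts[3]] = value
        elif parts[:2] == ["loader", "env"] and len(parts) == 3:
            env[parts[2]] = value
    if "loader.preload" not in entries:
        problems.append("loader.preload (library OS path) is missing")
    for name in env:
        near = difflib.get_close_matches(name, KNOWN_ENV, n=1, cutoff=0.8)
        if near and near[0] != name:
            problems.append(f"env {name!r}: did you mean {near[0]!r}?")
    for name, m in sorted(mounts.items()):
        missing = [f for f in ("type", "path", "uri") if f not in m]
        if missing:
            problems.append(f"mount {name!r} lacks {', '.join(missing)}")
    exposed = {m["path"]: m["uri"] for m in mounts.values() if "path" in m and "uri" in m}
    return env, exposed, problems
```

Calling `audit(parse_manifest(SAMPLE))` reports the misspelled variable and the `tmp` mount without a `uri`, and shows that the guest's `/lib` is backed by the host's Runtime directory.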
Graphene is not production-ready software (yet)
We are still in the process of transitioning from a research proof-of-concept to a more reliable piece of software. The most important problems (which include major security issues) are tracked in #1544 (Production blockers). You should read it before installing and using Graphene.
For the full documentation of Graphene, see the Graphene documentation.
For bug reports, post an issue on our GitHub repository: https://github.com/oscarlab/graphene/issues.
We have some branches with legacy code (use at your own risk).
We are actively working on adding proper Docker support. You can find the old and deprecated implementation on the DEPRECATED/gsc branch.
Build with Kernel-Level Sandboxing
This feature is marked as EXPERIMENTAL and no longer exists in the master branch. See EXPERIMENTAL/linux-reference-monitor.