How to deploy Graphene in the cloud?
Graphene without Intel SGX can be deployed on arbitrary cloud VMs. Please see our Quick Start guide for the details.
To deploy Graphene with Intel SGX, the cloud VM has to support Intel SGX. Please see the installation and usage guide for each cloud VM offering individually below (currently only for Microsoft Azure).
Azure Confidential Computing VMs
Azure confidential computing services are generally available and provide access to VMs with Intel SGX enabled in DCsv2 VM instances. The description below uses a VM running Ubuntu 18.04 with a preinstalled Intel SGX DCAP driver (LD_1.22). To use a different Intel SGX driver, please follow the instructions to uninstall the driver.
Update and install the required packages for Graphene:
sudo apt update
sudo apt install -y build-essential autoconf gawk bison python3-protobuf \
    libprotobuf-c-dev protobuf-c-compiler libcurl4 python3
Build and Test
git clone https://github.com/oscarlab/graphene.git
cd graphene
git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver/
Prepare the signing keys and Graphene kernel driver:
openssl genrsa -3 -out enclave-key.pem 3072
cp enclave-key.pem Pal/src/host/Linux-SGX/signer
cd Pal/src/host/Linux-SGX/sgx-driver
ISGX_DRIVER_PATH=/usr/src/linux-azure-headers-`uname -r`/arch/x86/ make
# WARNING: read "Security Implications" section before running this command
sudo insmod gsgx.ko
cd -
ISGX_DRIVER_PATH=/usr/src/linux-azure-headers-`uname -r`/arch/x86/ \
    make SGX=1
Set vm.mmap_min_addr=0 in the system:
# WARNING: read "Security Implications" section before running this command
sudo sysctl vm.mmap_min_addr=0
Build and Run helloworld:
cd LibOS/shim/test/native
make SGX=1 sgx-tokens
SGX=1 ./pal_loader helloworld
Security Implications
Note that this guide assumes that you deploy Graphene on an untrusted cloud VM. The two steps in this guide significantly weaken the security of the cloud VM’s Linux kernel.
sudo insmod gsgx.ko introduces a local privilege escalation vulnerability. This kernel module enables the FSGSBASE processor feature without proper enabling in the host Linux kernel. Please refer to Pal/src/host/Linux-SGX/sgx-driver for more information.
sudo sysctl vm.mmap_min_addr=0 weakens the security of the Linux kernel. This kernel tunable specifies the minimum virtual address that a process is allowed to mmap. Setting it to zero makes it easier for attackers to exploit “kernel NULL pointer dereference” defects.
Both these steps are temporary workarounds and will not be required in the future. Be aware that the current guide must not be used to set up production environments.
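A defender-side check for the two workarounds described above, as an added example that is not part of the Graphene documentation or code base: it reports whether gsgx.ko is loaded and whether vm.mmap_min_addr is 0. The function names are hypothetical and the sample /proc contents used in demo are constructed.

```shell
#!/bin/sh
# Added example: report whether the two kernel-weakening steps from this guide
# are in effect. Paths are parameters so saved copies of the files can be
# checked as well as the live /proc entries (the defaults).

# gsgx_loaded [MODULES_FILE] -> exit 0 if a module named exactly "gsgx" is listed
gsgx_loaded() {
    # /proc/modules line format: "<name> <size> <refcount> <deps> <state> <addr>"
    awk '$1 == "gsgx" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# mmap_min_addr_zero [SYSCTL_FILE] -> exit 0 if the tunable is 0
mmap_min_addr_zero() {
    [ "$(tr -d '[:space:]' < "${1:-/proc/sys/vm/mmap_min_addr}")" = "0" ]
}

# audit_host [MODULES_FILE] [SYSCTL_FILE] -> prints one line per finding and
# returns the number of findings (0 means neither workaround is active)
audit_host() {
    findings=0
    if gsgx_loaded "$1"; then
        echo "FINDING: gsgx.ko is loaded (FSGSBASE enabled outside the host kernel)"
        findings=$((findings + 1))
    fi
    if mmap_min_addr_zero "$2"; then
        echo "FINDING: vm.mmap_min_addr=0 (processes may mmap address 0)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Dry run on constructed sample inputs (not captured from a real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ext4 737280 1 - Live 0x0000000000000000' \
                  'gsgx 16384 0 - Live 0x0000000000000000 (OE)' > "$d/modules"
    echo 0 > "$d/mmap_min_addr"
    rc=0; audit_host "$d/modules" "$d/mmap_min_addr" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "dry run on constructed data: $? finding(s)"
```

Called with no arguments, audit_host reads the live /proc/modules and /proc/sys/vm/mmap_min_addr.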