Skip to content

Smil3yFace/docker-gramine-rust

Repository files navigation

Gramine Rust Proof of Concept

Contributors Forks Stargazers License Last Commit

This repository is a small demo to show how to run a Rust application inside an Intel SGX enclave with Gramine.

About The ProjectGetting startedGramine Rust Image structureModifying the PoC

About The Project

With the increasing movement to the cloud and zero-trust infrastructure, the field of confidential computing is becoming increasingly important for developers. With Gramine, an existing code base can be migrated quickly and easily without requiring a complete re-write.

This project was developed in the context of the system security lecture by @sebastiangajek at the Flensburg University of Applied Sciences.

Why use an enclave

An enclaved application has some great advantages

  • You don't lose the trust of an on-premise cloud in the public cloud
  • Better security against exploits for kernel-space, insider attack (malicious or not), corrupted UEFI Firmware and other "root" attacks that use application corruption.
  • Regardless of the geolocation, the privacy export regulation are complied with
  • Through the enclave the processing data are encrypted and anonymized, so it is GDRP/CCPA complaint

Getting started

Pre-requirements

An enclave-ready computing platform with flexible launch control. Check for Intel SGX with

grep sgx /proc/cpuinfo

and look for the flags sgx and sgx_lc or look at Intel's Guide to find it out.

In addition, Intel SGX drivers are necessary. They are integrated into Linux kernel version 5.11. If the kernel version is 5.9 or higher, install Intel SGX DCAP.

Docker and Docker Compose are also necessary for this PoC; for installation, consider the Docker documentation for your OS.

Running the PoC

After fulfilling the pre-requirements, clone the repository and run the following inside the project

docker-compose up

Under http://{your_host_ip}, you should be greeted by your enclave after the console prints Server is running.

Gramine Rust Image structure

Build

The build process of the image contains two Stage

  • First Stage ("builder"): Uses the official Rust Docker image to compile the project to an executable using cargo
  • Second Stage: Gathers all additional required resources, generates the manifest form template and signs it

During the build, ARG projectName specifies the name of the project directory and executable. Further ARG webFiles specifies the directory for *.html, *.js, ... . Both are defined in the docker-compose.yml

If more packages are required during build or runtime, they can be added to the package.txt or build/package.txt to install them during the build.

After the build is finished, the app environment looks like this by default

/entrypoint/
 + app #executable
 + $webFiles/
    + *.html

Run

The entrypoint.sh is executed on container-start to get the required token and launches the application

Modifying the PoC to run another Rust application

To run another Rust executable, it is enough to replace the hello_world project with yours and change the argument projectName in docker-compose.yml to your project name. The same applies to the argument webFiles; if not needed, this part can be removed.

Note: After the image is built the $webFiles are located in /entrypoint/$webFiles/.

License

This project is distributed under the GPLv3 License. See LICENSE for further information.

Acknowledgments

This project greatly celebrates all contributions from the gramine team and the amazing progress made by the enclaive team.