IPC in Gramine


Raouf Rokhjavan

Dec 2, 2022, 11:58:49 AM12/2/22
to gramin...@googlegroups.com
I have a question regarding IPC between Gramine and Non-Gramine processes.

Can I have Linux IPC mechanisms (shared storage, PIPE, message queue, socket, signal) between two processes, one of which is running on Gramine and the other directly on the Linux kernel? I can imagine there must be some restrictions for shared files and memory, but I'm wondering whether there are any restrictions on the other IPC mechanisms in Gramine?

I couldn't find any documents related to IPC in Gramine except one document related to IPC overhead on Gramine.

Regards,
Raouf

Borys

Dec 5, 2022, 1:23:52 AM12/5/22
to Raouf Rokhjavan, gramin...@googlegroups.com
Hi,

On 12/2/22 17:58, Raouf Rokhjavan wrote:
> I have a question regarding IPC between Gramine and Non-Gramine processes.
>
> Can I have Linux IPC mechanisms (shared storage, PIPE, message queue,
> socket, signal) between two processes, one of which is running on
> Gramine and the other directly on the Linux kernel? I can
> imagine there must be some restrictions for shared files and memory, but I'm
> wondering whether there are any restrictions on the other IPC mechanisms in
> Gramine?

Depends.
Most of the mechanisms (PIPEs, UNIX domain sockets) won't work by design: communication over them is seamlessly encrypted and as such requires both ends to be inside Gramine. Similarly with signals: they can only be sent by other in-Gramine processes (with some exceptions: https://gramine.readthedocs.io/en/stable/manifest-syntax.html#external-sigterm-injection). The file system can be shared with the host or can be seamlessly encrypted, depending on what you describe in your manifest (but the former is insecure by default: https://gramine.readthedocs.io/en/stable/manifest-syntax.html#allowed-files).
IP (TCP and UDP) socket communication is passed as is by Gramine, so it could be used for Gramine-to-host communication. Just be warned that all enclave-to-untrusted-world communication must be handled with a lot of care.

> I couldn't find any documents related to IPC in Gramine except one document
> related to IPC overhead on Gramine.
>
> Regards,
> Raouf
>

Borys
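As an added illustration of the manifest options Borys refers to (not code from the thread or from the Gramine project; the file paths and URIs are constructed for this example, and the key handling is an assumption about a typical setup), a Gramine manifest fragment showing the host-shared file setting the docs call insecure, beside the encrypted mount that keeps file contents inside the enclave, plus the opt-in that lets the untrusted host deliver SIGTERM:

```toml
# Added example manifest fragment (assumed layout, not from the thread).

# Signals: by default only in-Gramine processes can signal each other.
# This opt-in lets the untrusted host deliver SIGTERM to the enclave;
# leave it at the default (false) unless the app needs host-driven shutdown.
sys.enable_sigterm_injection = true

# Weak setting: a file shared with the host in plaintext. The host can
# read and tamper with it at will, so treat anything read from it as
# untrusted input. Path is constructed for this example.
sgx.allowed_files = [
  "file:/tmp/shared_with_host.txt",
]

# Corrected setting for data that must stay confidential: an encrypted
# mount. Contents are transparently encrypted on the host side, so a
# non-Gramine process sees only ciphertext. The key is derived from the
# enclave measurement (assumed key_name), so only this enclave can read it.
fs.mounts = [
  { type = "encrypted", path = "/data", uri = "file:data", key_name = "_sgx_mrenclave" },
]
```

TCP/UDP sockets need no manifest entry for the host side to reach them, which is exactly why the reply warns that input arriving over them must be validated as untrusted.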