Hi,
On 12/2/22 17:58, Raouf Rokhjavan wrote:
> I have a question regarding IPC between Gramine and Non-Gramine processes.
>
> Can I have Linux IPC mechanisms (Shared Storage, PIPE, Message Queue,
> Socket, Signal) between two processes that one of them is running on
> Gramine and another process is running directly on Linux kernel? I can
> imagine there must be some restrictions for shared file and memory, but I'm
> wondering whether there are any restrictions in other IPC mechanisms on
> Gramine?
Depends.
Most of the mechanisms (pipes, UNIX domain sockets) won't work by design: communication over them is seamlessly encrypted and as such requires both ends to be inside Gramine. Similarly with signals: they can only be sent by other in-Gramine processes (with some exceptions:
https://gramine.readthedocs.io/en/stable/manifest-syntax.html#external-sigterm-injection). The file system can be shared with the host or can be seamlessly encrypted, depending on what you describe in your manifest (but the former is insecure by default:
https://gramine.readthedocs.io/en/stable/manifest-syntax.html#allowed-files).
IP (TCP and UDP) socket communication is passed as-is by Gramine, so it can be used for Gramine - host communication. Just be warned that all enclave - untrusted world communication must be taken with a lot of care.
> I couldn't find any documents related to IPC in Gramine except one document
> related to IPC overhead on Gramine.
>
> Regards,
> Raouf
>
Borys
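As an added illustration of the manifest choices described in the reply above (this is not from the thread or the Gramine project), a manifest fragment that puts the host-shared, plaintext option next to the encrypted-mount option and enables the documented SIGTERM exception. The file paths, the key name and the key value are constructed placeholders; the other keys a complete manifest needs are omitted.

```toml
# Added example manifest fragment (not from the thread). Other required keys
# (libos.entrypoint, loader.*, sgx.trusted_files for the binary) are omitted.

# --- Weak: file shared with the host in plaintext ----------------------------
# A non-Gramine process can read AND modify this file at any time, and Gramine
# performs no integrity check on it. Acceptable for untrusted input only,
# never for anything the enclave's logic relies on.
sgx.allowed_files = [
  "file:/tmp/host_shared.txt",   # constructed path
]

# --- Safer: encrypted mount, usable only from inside Gramine -----------------
# Data under /data is transparently encrypted and integrity-protected; the host
# sees only ciphertext, so this is NOT a channel for host <-> enclave IPC.
fs.mounts = [
  { type = "encrypted", path = "/data", uri = "file:data", key_name = "demo_key" },
]

# Test-only key provisioning (the "insecure__" prefix is deliberate). In
# production the key is provisioned after remote attestation instead.
fs.insecure__keys.demo_key = "ffeeddccbbaa99887766554433221100"  # constructed value

# --- Signals: allow the host to deliver SIGTERM (the documented exception) ---
sys.enable_sigterm_injection = true
```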