Question on shared libraries in gramine


Anja Rabich

May 23, 2022, 9:50:34 AM
to us...@gramineproject.io
Hi,

I was wondering if it is possible to only have Gramine execute a shared
library (.so) in an enclave when it is invoked by a binary. So, if for
example I have a program that calls a function from a .so library, would
it be possible to only have the execution of the called function be
within the enclave and have the result passed back to the binary?

Regards,

Anja Rabich

Michał Kowalczyk

May 23, 2022, 10:12:10 AM
to Anja Rabich, us...@gramineproject.io
Hi,

No, you'll need a custom wrapper which will change this interface to an
RPC over sockets. But keep in mind that you need to be careful with
exposing custom interfaces outside the enclave, as it's super easy to
introduce security issues this way (because the arguments to the calls
will be untrusted even with RPC).

Best,
Michał
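The wrapper Michał describes above, as an added example that is not code from this thread or from the Gramine project: one library call is moved behind a length-prefixed socket RPC, and every field that arrives from the peer is treated as untrusted and checked (frame size, function name, list length, element type and range) before the wrapped function sees it. The function `lib_sum_of_squares`, the JSON framing, and the `MAX_FRAME` / `MAX_VALUES` bounds are assumptions chosen for the example; in a real deployment the server side is the process launched with gramine-sgx and the real .so would be loaded there (e.g. via ctypes), while the host binary calls the client stub instead of the library directly.

```python
"""Added example (not from the thread or Gramine): a library function put
behind a socket RPC boundary, with the enclave side validating every
argument it receives because the host process that sends them is untrusted.
"""
import json
import socket
import struct
import threading

# Hypothetical stand-in for the .so function the original binary called
# directly; inside the enclave process this would be the real library call.
def lib_sum_of_squares(values):
    return sum(v * v for v in values)

MAX_FRAME = 64 * 1024   # largest request accepted (assumption for this example)
MAX_VALUES = 1024       # largest argument list accepted (assumption)

def _recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def send_frame(sock, obj):
    """4-byte big-endian length prefix followed by a JSON payload."""
    payload = json.dumps(obj).encode()
    sock.sendall(struct.pack(">I", len(payload)) + payload)

def recv_frame(sock):
    (n,) = struct.unpack(">I", _recv_exact(sock, 4))
    if n > MAX_FRAME:   # bound checked before any allocation of the payload
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, n))

def validate_request(req):
    """Treat the decoded request as attacker-controlled: check shape, type and bounds.
    Returns the validated argument list or raises ValueError."""
    if not isinstance(req, dict) or req.get("fn") != "sum_of_squares":
        raise ValueError("unknown function")
    vals = req.get("args")
    if not isinstance(vals, list) or len(vals) > MAX_VALUES:
        raise ValueError("bad argument list")
    for v in vals:
        # bool is a subclass of int in Python, so exclude it explicitly;
        # the range mirrors a C int32 the real library would expect.
        if isinstance(v, bool) or not isinstance(v, int) or not -2**31 <= v < 2**31:
            raise ValueError("argument out of range")
    return vals

def handle_one(conn):
    """Enclave side: serve exactly one request on an accepted connection."""
    try:
        vals = validate_request(recv_frame(conn))
        send_frame(conn, {"ok": True, "result": lib_sum_of_squares(vals)})
    except (ValueError, ConnectionError, struct.error):
        # json.JSONDecodeError is a ValueError. Report only a generic failure
        # so the untrusted caller learns nothing about enclave internals.
        try:
            send_frame(conn, {"ok": False, "error": "rejected"})
        except OSError:
            pass
    finally:
        conn.close()

def call_over(sock, fn, args):
    """Host-side stub: what the binary calls instead of the .so function."""
    send_frame(sock, {"fn": fn, "args": args})
    return recv_frame(sock)

def serve_once(host="127.0.0.1"):
    """Listen on an ephemeral TCP port, serve one request in a thread; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        handle_one(conn)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    port = serve_once()
    with socket.create_connection(("127.0.0.1", port)) as c:
        print(call_over(c, "sum_of_squares", [1, 2, 3]))
```

The point of the example is the `validate_request` step: once the call crosses the enclave boundary, the argument list is just bytes chosen by the host, so the enclave side has to enforce the function name, the list length and the per-element type and range itself rather than trusting the caller as a direct in-process call could.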

Michał Kowalczyk

May 25, 2022, 7:39:22 AM
to Anja Rabich, us...@gramineproject.io
// re-adding us...@gramineproject.io to CC

- Is it possible to package a binary running in gramine-sgx as a new binary?
Sorry, I don't understand this question / what you are trying to do.
- Is there a way of retrieving information such as the base address of the enclave?
Yes, but that's not really useful for anything, I think. You should be able to see it in outputs of our tools when e.g. signing an enclave.
- Is it possible to combine gramine execution with sgx_urts?
Why would you do that? Gramine is an SGX framework, and SGX SDK is another framework. It's like trying to build one web app in both Flask and Django at the same time ;)

On 5/25/22 09:38, Anja Rabich wrote:
Hi,

thanks for the quick reply. I have some more questions:

- Is it possible to package a binary running in gramine-sgx as a new binary?

- Is there a way of retrieving information such as the base address of the enclave?

- Is it possible to combine gramine execution with sgx_urts?

Regards,

Anja Rabich

Michał Kowalczyk

May 25, 2022, 11:22:55 AM
to Anja Rabich, us...@gramineproject.io
No, we're a completely different framework which works in a different way - we run unmodified Linux binaries, while SGX SDK is a framework for writing custom, SGX-aware software in C/C++.

p.s. Please don't remove us...@gramineproject.io from CC, otherwise the discussion won't be visible on the mailing list for others.

On 5/25/22 17:14, Anja Rabich wrote:

- Is it possible to combine gramine execution with sgx_urts?
Why would you do that? Gramine is an SGX framework, and SGX SDK is another framework. It's like trying to build one web app in both Flask and Django at the same time ;)

Does Gramine not use the SDK? What I meant to ask is if it's possible to combine Gramine execution with the ability to call an enclave with sgx_create_enclave() after the enclave was built using make and Gramine's manifest (where the enclave is a *.so). Apologies if it's a stupid question...

I was hoping to be able to combine Gramine's functionality of running binaries in SGX with another SGX framework's functionality.

Anja Rabich

May 30, 2022, 11:49:41 AM
to Michał Kowalczyk, us...@gramineproject.io

Hello again,

so more specifically, I was hoping to be able to combine the single-stepping ability of sgx-step with Gramine. Essentially this patch https://github.com/jovanbulck/sgx-step/blob/56ec2ad08dd10aa6539dadec3b49dae435f390c5/sdk/intel-sdk/0001-reconfigure-AEP-TCS-ebase.patch is applied to the SGX SDK in order to hand the aep and tcp to the sgx-step driver. My understanding of your gdb integration is that it does something rather similar? Would it be possible to apply a similar patch to Gramine? Not for anything production level of course, purely for academic purposes O:)
