PostgreSQL with Gramine

[廖 昶]

Hi all,

 

Sorry to disrupt. I am currently working on moving PostgreSQL inside enclave using gramine, but I am a bit confused about how to make it work.

 

There’re several commands required to make a PostgreSQL server working: initdb to initialize the directory for database cluster, postgres/pg_ctl to start the database backend, and also psql to issue queries. So shall I write manifests for every one of them, or run initdb outside enclave, or put them all together in a bash script and run it with gramine shielded container?

 

It will be great if someone successfully run PostgreSQL with gramine before and share the experience with me.

 

Looking forward to hearing from you.

 

Warmest regards,

Scott

 

[Michał Kowalczyk]

Hi,

You can prepare the initial database together with the build of the whole solution and ship as an encrypted file. Running this inside Gramine should also work, you just need to write an entrypoint script which will do all the work (same as you'd do with Docker) and write the manifest (only) for it.

There's another problem though: PostgreSQL relies heavily on shared memory, which is not supported by SGX technology. See https://github.com/gramineproject/gramine/issues/136. There's no easy solution to this, probably the easiest one is to patch postgres to use different primitives.

Best,
Michał