Graminized Container Security Verification

[Sudip Maitra]

Hello,

Does an application inside a graminized container run inside the enclave automatically? Are there any methods to verify that the app is indeed running inside the container? Thank you.

Best regards,

Sudip

[Vij, Mona]

Yes.

 

You mean to verify that app is running inside an enclave? If yes, then remote attestation is a way to verify. Locally you can also try and dump process memory and you will get garbage.

 

Thanks

Mona

--
You received this message because you are subscribed to the Google Groups "Gramine Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gramine-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/CAOcR%2BfYdQiQnYwMaNsy78Mzub_tBq4gdZFtLrQC59QEiR1F22w%40mail.gmail.com.

[Dmitrii Kuvaiskii]

Dear Sudip,

> Does an application inside a graminized container run inside the enclave automatically?

Yes. (I assume you're talking about GSC.)

> Are there any methods to verify that the app is indeed running inside the container?

If you mean "How can my application check that it is inside a Gramine
SGX enclave", then the quickest way is to check for existence of the
`/dev/attestation/report` file. This pseudo-file appears only inside
of Gramine that runs inside of the SGX enclave. There are some other
files that are enclave-specific too, please see
https://gramine.readthedocs.io/en/latest/attestation.html#low-level-dev-attestation-interface

> --
> You received this message because you are subscribed to the Google Groups "Gramine Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gramine-user...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/gramine-users/CAOcR%2BfYdQiQnYwMaNsy78Mzub_tBq4gdZFtLrQC59QEiR1F22w%40mail.gmail.com.

--
Yours sincerely,
Dmitrii Kuvaiskii