31. January 2023

[dimakuv]

Agenda

(please write your proposed agenda items in comments under this discussion)

• There was no agenda, so we discussed opens (miscellaneous topics raised during the meeting)

Gramine features document

[ Dmitrii shows "Gramine features" doc he is working on. This document comprehensively shows all Linux features implemented/partially implemented/not implemented in Gramine, with syscall and pseudo-files references. ]

Woju: the next step would be to have a comparison with other SGX runtimes?

• Mona: no, this will require a lot of effort.
• Woju: we can just check using a set of tests (e.g. LTP), no need to browse their code/docs.

Woju: other SGX frameworks may claim that they have X more syscalls than Gramine (even if they are partially implemented or incorrectly or insecurely implemented).

• So having a counter-point to this statement (like cross-analysis of all supported features) would be helpful in such debates.

Mona: we are also thinking about a tool to check whether Gramine is able to run some workload.

• But the question is: what do we do when Gramine doesn't support some required feature? Gramine will stop with some error, but what is the next step? If nothing is advised, then customers will just go away.
• Michal: the tool's idea is simply a quick check if the app may work in current Gramine or not. Nothing more than that.
• Mona: is it possible to ship this tool as a separate package? We don't want users to install whole Gramine.

Discussion on adding new syscalls

Mona: we would like to integrate with Enclave-CC project. For this, we'll need to add functionality to Gramine:

• utimes family of syscalls (+ security checks for at least monotonically increasing timestamps).

Anees: flock syscall is also needed.