Skip to content

Commit

Permalink
WIP Add support for Gramine-TDX
Browse files Browse the repository at this point in the history
Currently only Gramine-VM. I'll update with Gramine-TDX in the next
iteration. Need to think how to automatically start socat for
virtio-vsock networking.

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
  • Loading branch information
Dmitrii Kuvaiskii committed Oct 1, 2024
1 parent 3168b08 commit 3aabbd6
Show file tree
Hide file tree
Showing 4 changed files with 56 additions and 2 deletions.
2 changes: 1 addition & 1 deletion templates/Dockerfile.common.compile.template
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ RUN mkdir -p /gramine/driver/asm \
RUN cd /gramine \
&& meson setup build/ --prefix="/gramine/meson_build_output" \
--buildtype={{buildtype}} \
-Ddirect=enabled -Dsgx=enabled \
-Ddirect=enabled -Dsgx=enabled -Dvm=enabled \
{% if template_path(Distro) == 'ubuntu' %}-Ddcap=enabled{% endif %} \
{% if "linux-sgx-driver" in SGXDriver.Repository %} \
-Dsgx_driver=oot -Dsgx_driver_include_path=/gramine/driver \
Expand Down
6 changes: 5 additions & 1 deletion templates/apploader.common.template
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,12 @@ if [ -n "$GRAMINE_MODE" ]; then
GRAMINE_EXEC=gramine-sgx
elif [ "$GRAMINE_MODE" == "direct" ]; then
GRAMINE_EXEC=gramine-direct
elif [ "$GRAMINE_MODE" == "vm" ]; then
GRAMINE_EXEC=gramine-vm
elif [ "$GRAMINE_MODE" == "tdx" ]; then
GRAMINE_EXEC=gramine-tdx
else
echo "ERROR: unrecognized GRAMINE_MODE; can only be 'direct' or 'sgx'."
echo "ERROR: unrecognized GRAMINE_MODE; can only be 'direct', 'sgx', 'vm' or 'tdx'."
exit 1
fi
fi
Expand Down
21 changes: 21 additions & 0 deletions templates/debian/Dockerfile.build.template
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@
# Combine all installation and removal steps in a single RUN command to reduce the final image size.
# This is because each Dockerfile command creates a new layer which necessarily adds size to the
# final image. This trick allows to decrease the image size by hundreds of MBs.
#
# For Gramine-TDX, need socat and virtiofsd. The former can be installed in Ubuntu 22.04 and later
# (we need at least v1.7.4). The latter can't be installed in most Ubuntu versions, so install
# manually by downloading the zip archive and copying.
RUN apt-get update \
&& env DEBIAN_FRONTEND=noninteractive apt-get install -y \
binutils \
Expand All @@ -14,8 +18,13 @@ RUN apt-get update \
python3 \
python3-cryptography \
python3-protobuf \
python3-psutil \
python3-pyelftools \
python3-voluptuous \
qemu-kvm \
socat \
unzip \
wget \
# Debian 12 and Ubuntu 23.04 adopted PEP 668, which dictates that `pip` can no longer install
# packages managed by the distro's general-purpose package manager, hence we use `apt-get`
{%- if (distro[0] == "debian" and distro[1] | int >= 12) or
Expand All @@ -34,6 +43,18 @@ RUN apt-get update \
&& apt-get autoremove -y \
&& rm -rf /var/lib/apt/lists/*

RUN ln -s /usr/bin/qemu-system-x86_64 /usr/local/bin/qemu

RUN mkdir -p /gramine/virtiofsd \
&& mkdir -p /usr/local/bin \
&& cd /gramine/virtiofsd \
&& wget --timeout=10 -O virtiofsd.zip \
https://gitlab.com/virtio-fs/virtiofsd/uploads/2cf9068046720699531407101f2bcb60/virtiofsd-v1.10.1.zip \
&& sha256sum virtiofsd.zip | grep -q 8166b47d80ed16cc6df4bfd350063e98f70039a212d10cc5c1ea99251dbd2945 \
&& unzip virtiofsd.zip \
&& cp target/x86_64-unknown-linux-musl/release/virtiofsd /usr/local/bin/ \
&& rm virtiofsd.zip

{% if buildtype != "release" %}
RUN apt-get update \
&& env DEBIAN_FRONTEND=noninteractive apt-get install -y \
Expand Down
29 changes: 29 additions & 0 deletions test/README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,32 @@ version of the Intel SGX driver if needed):
docker run --device=/dev/sgx_enclave \
-v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
gsc-ubuntu20.04-bash -c ls
Building for Gramine-TDX
------------------------

Note that we need at least Ubuntu 22.04.

.. code-block:: sh
docker build --tag ubuntu22.04-hello-world --file test/ubuntu22.04-hello-world.dockerfile .
./gsc build --buildtype debug ubuntu22.04-hello-world test/ubuntu22.04-hello-world.manifest
./gsc sign-image ubuntu22.04-hello-world enclave-key.pem
docker run --env GSC_PAL=VM --security-opt seccomp=unconfined \
--shm-size 4G --env GRAMINE_CPU_NUM=1 \
--device=/dev/vhost-vsock:/dev/vhost-vsock \
--device=/dev/kvm:/dev/kvm --group-add `getent group kvm | cut -d: -f3` \
gsc-ubuntu22.04-hello-world
# or to peek into the image
docker run -it --entrypoint /bin/bash gsc-ubuntu22.04-hello-world
Note that in ``docker run``, we must specify the following:

- ``--shm-size 4G`` -- our QEMU/KVM uses ``/dev/shm`` for virtio-fs shared
memory. However, Docker containers start with 64MB by default. Thus, we need
to explicitly specify the shared memory limit. ``4G`` is just an example; this
limit depends on the app running inside Gramine-TDX.
- ``--env GRAMINE_CPU_NUM=1`` -- this instructs QEMU to spawn a Gramine-TDX VM
with 1 vCPU. Modify this to have more vCPUs.

0 comments on commit 3aabbd6

Please sign in to comment.