WIP Add support for Gramine-TDX

templates/Dockerfile.common.compile.template

@@ -29,7 +29,7 @@ RUN mkdir -p /gramine/driver/asm \
 RUN cd /gramine \
     && meson setup build/ --prefix="/gramine/meson_build_output" \
        --buildtype={{buildtype}} \
-       -Ddirect=enabled -Dsgx=enabled \
+       -Ddirect=enabled -Dsgx=enabled -Dvm=enabled \
        {% if template_path(Distro) == 'ubuntu' %}-Ddcap=enabled{% endif %} \
        {% if "linux-sgx-driver" in SGXDriver.Repository %} \
        -Dsgx_driver=oot -Dsgx_driver_include_path=/gramine/driver \

templates/apploader.common.template

@@ -34,8 +34,12 @@ if [ -n "$GRAMINE_MODE" ]; then
         GRAMINE_EXEC=gramine-sgx
     elif [ "$GRAMINE_MODE" == "direct" ]; then
         GRAMINE_EXEC=gramine-direct
+    elif [ "$GRAMINE_MODE" == "vm" ]; then
+        GRAMINE_EXEC=gramine-vm
+    elif [ "$GRAMINE_MODE" == "tdx" ]; then
+        GRAMINE_EXEC=gramine-tdx
     else
-        echo "ERROR: unrecognized GRAMINE_MODE; can only be 'direct' or 'sgx'."
+        echo "ERROR: unrecognized GRAMINE_MODE; can only be 'direct', 'sgx', 'vm' or 'tdx'."
         exit 1
     fi
 fi

templates/debian/Dockerfile.build.template

@@ -5,6 +5,10 @@
 # Combine all installation and removal steps in a single RUN command to reduce the final image size.
 # This is because each Dockerfile command creates a new layer which necessarily adds size to the
 # final image. This trick allows to decrease the image size by hundreds of MBs.
+#
+# For Gramine-TDX, need socat and virtiofsd. The former can be installed in Ubuntu 22.04 and later
+# (we need at least v1.7.4). The latter can't be installed in most Ubuntu versions, so install
+# manually by downloading the zip archive and copying.
 RUN apt-get update \
     && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
         binutils \
@@ -14,8 +18,13 @@ RUN apt-get update \
         python3 \
         python3-cryptography \
         python3-protobuf \
+        python3-psutil \
         python3-pyelftools \
         python3-voluptuous \
+        qemu-kvm \
+        socat \
+        unzip \
+        wget \
 # Debian 12 and Ubuntu 23.04 adopted PEP 668, which dictates that `pip` can no longer install
 # packages managed by the distro's general-purpose package manager, hence we use `apt-get`
         {%- if (distro[0] == "debian" and distro[1] | int >= 12) or
@@ -34,6 +43,18 @@ RUN apt-get update \
     && apt-get autoremove -y \
     && rm -rf /var/lib/apt/lists/*
 
+RUN ln -s /usr/bin/qemu-system-x86_64 /usr/local/bin/qemu
+
+RUN mkdir -p /gramine/virtiofsd \
+    && mkdir -p /usr/local/bin \
+    && cd /gramine/virtiofsd \
+    && wget --timeout=10 -O virtiofsd.zip \
+        https://gitlab.com/virtio-fs/virtiofsd/uploads/2cf9068046720699531407101f2bcb60/virtiofsd-v1.10.1.zip \
+    && sha256sum virtiofsd.zip | grep -q 8166b47d80ed16cc6df4bfd350063e98f70039a212d10cc5c1ea99251dbd2945 \
+    && unzip virtiofsd.zip \
+    && cp target/x86_64-unknown-linux-musl/release/virtiofsd /usr/local/bin/ \
+    && rm virtiofsd.zip
+
 {% if buildtype != "release" %}
 RUN apt-get update \
     && env DEBIAN_FRONTEND=noninteractive apt-get install -y \

test/README.rst

@@ -44,3 +44,32 @@ version of the Intel SGX driver if needed):
    docker run --device=/dev/sgx_enclave \
       -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
       gsc-ubuntu20.04-bash -c ls
+
+Building for Gramine-TDX
+------------------------
+
+Note that we need at least Ubuntu 22.04.
+
+.. code-block:: sh
+
+   docker build --tag ubuntu22.04-hello-world --file test/ubuntu22.04-hello-world.dockerfile .
+
+   ./gsc build --buildtype debug ubuntu22.04-hello-world test/ubuntu22.04-hello-world.manifest
+   ./gsc sign-image ubuntu22.04-hello-world enclave-key.pem
+
+   docker run --env GRAMINE_MODE=vm --security-opt seccomp=unconfined \
+       --shm-size 4G --env GRAMINE_CPU_NUM=1 \
+       --device=/dev/vhost-vsock:/dev/vhost-vsock \
+       --device=/dev/kvm:/dev/kvm --group-add `getent group kvm | cut -d: -f3` \
+       gsc-ubuntu22.04-hello-world
+   # or to peek into the image
+   docker run -it --entrypoint /bin/bash gsc-ubuntu22.04-hello-world
+
+Note that in ``docker run``, we must specify the following:
+
+- ``--shm-size 4G`` -- our QEMU/KVM uses ``/dev/shm`` for virtio-fs shared
+  memory. However, Docker containers start with 64MB by default. Thus, we need
+  to explicitly specify the shared memory limit. ``4G`` is just an example; this
+  limit depends on the app running inside Gramine-TDX.
+- ``--env GRAMINE_CPU_NUM=1`` -- this instructs QEMU to spawn a Gramine-TDX VM
+  with 1 vCPU. Modify this to have more vCPUs.