Why is the sgx token generated during runtime vs. during container build? #37
Comments
No, that's how SGX tokens must be generated -- they must be generated on the same machine where the SGX enclave runs (so, during runtime and not during container build). This is the SGX hardware requirement. It's not something that Gramine invented. See also these explanations:
By the way, the "SGX token" is actually an EINITTOKEN (in SGX hardware terms). You can read about EINITTOKENs a bit here: https://gramine.readthedocs.io/en/latest/sgx-intro.html and, for example, here: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Questions-about-launch-token-and-EINITTOKEN/td-p/1094870. The SGX token has nothing to do with insecure arguments.
@dimakuv thanks for the clarification, all makes sense now. Should I file an issue for gramine to remove the python dependency of
Sorry, I don't understand what you mean. Could you expand?
Sure! As
Do you mean that you don't want to install/ship Python executables and libraries inside your slim container? I see, this is reasonable. On the other hand, you still have the Intel SGX PSW/DCAP dependencies in the container, because you need them for Gramine to run properly (especially for SGX attestation). But I guess these dependencies do not require Python to be installed.
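The runtime pattern described above (generate the EINITTOKEN on the machine that will run the enclave, at container start, then hand off to the PAL) as an added shell example. This is not GSC's apploader template nor any code from the thread's participants; it assumes the manifest/signature pair is named entrypoint.sig/entrypoint.token, that gramine-sgx-get-token accepts --sig and --output, and that the token file is a raw EINITTOKEN of 304 bytes (the structure size given in the Intel SDM). The size check only catches a missing or truncated file: a token of the right size that was copied in from another host still fails EINIT on this one, which is exactly why the build-time approach does not work.

```shell
#!/bin/sh
# Added example (not GSC's own apploader): generate the EINITTOKEN at container
# start, on the same machine that will run the enclave, then exec gramine-sgx.
# Assumptions (see lead-in): file names entrypoint.sig / entrypoint.token, the
# gramine-sgx-get-token --sig/--output flags, and a raw 304-byte token file.
set -eu

EINITTOKEN_SIZE=304   # sizeof(EINITTOKEN) per the Intel SDM (assumption)

# Returns 0 (true) when the token must be (re)generated: the file is missing,
# empty, or not the expected size. A well-sized file is only a hint, not proof
# that the token was produced on this CPU, so callers should prefer regenerating
# whenever the cost is acceptable.
token_is_stale() {
    file=$1
    [ -f "$file" ] || return 0
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -eq "$EINITTOKEN_SIZE" ] && return 1
    return 0
}

# Generate the token on this host and refuse to continue with an invalid file
# rather than letting gramine-sgx fail later with a less obvious EINIT error.
generate_token() {
    sig=$1
    out=$2
    gramine-sgx-get-token --sig "$sig" --output "$out"
    if token_is_stale "$out"; then
        echo "token generation produced an invalid file: $out" >&2
        return 1
    fi
}

# Entry point: regenerate the token if needed, then replace this shell with the
# SGX PAL so signals and the exit status go straight to the application.
main() {
    app=${GSC_APP:-entrypoint}   # GSC_APP is a hypothetical override variable
    if token_is_stale "$app.token"; then
        generate_token "$app.sig" "$app.token"
    fi
    exec gramine-sgx "$app" "$@"
}

# Run main only when this file is executed as the apploader itself, so the
# functions above can also be sourced and tested without touching SGX.
case "${0##*/}" in
    apploader*) main "$@" ;;
esac
```

Nothing in this script needs Python: the only tool it calls besides POSIX utilities is gramine-sgx-get-token, so the question of whether that tool itself pulls in Python (the point raised in the thread) is unaffected by the launcher.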
On Fri, Dec 03, 2021 at 02:10:19AM -0800, Dmitrii Kuvaiskii wrote:
> Do you mean that you don't want to install/ship Python executables and
> libraries inside your slim container?
> I see, this is reasonable. On the other hand, you still have the Intel SGX
> PSW/DCAP dependencies in the container, because you need them for Gramine to
> run properly (especially for SGX attestation). But I guess these
> dependencies do not require Python to be installed.
> @woju @mkow Does this make sense for you?

Yes, yeeting python from the container if it's just for gramine-sgx-get-token
is perfectly reasonable.

Also, because tokens aren't gramine-specific, in SGX SDK there should already
be something for this, so before writing anything I'd ask the reporter to
check SDK if there is anything to reuse.
Is it to support (insecure) arguments?
gsc/templates/apploader.template, line 14 in 21b30f2