Why is the sgx token generated during runtime vs. during container build? #37

Closed
fnerdman opened this issue Dec 3, 2021 · 6 comments

fnerdman commented Dec 3, 2021

Is it to support (insecure) arguments?

gramine-sgx-get-token --sig /entrypoint.sig --output /entrypoint.token


dimakuv commented Dec 3, 2021

No, that's how SGX tokens must be generated -- they must be generated on the same machine where the SGX enclave runs (so, during runtime and not during container build).

This is the SGX hardware requirement. It's not something that Gramine invented.

See also these explanations:

By the way, "SGX token" is actually EINITTOKEN (in SGX hardware terms). You can read about EINITTOKENs a bit here: https://gramine.readthedocs.io/en/latest/sgx-intro.html and for example here: https://community.intel.com/t5/Intel-Software-Guard-Extensions/Questions-about-launch-token-and-EINITTOKEN/td-p/1094870

The SGX token has nothing to do with insecure arguments.


fnerdman commented Dec 3, 2021

@dimakuv thanks for the clarification, all makes sense now.

Should I file an issue for gramine to remove the python dependency of gramine-sgx-get-token, to fulfill the goal in #13? (Current implementation increases TCB (trusted files) by required software packages to generate manifest files or sgx-token (including Python), minimize these dependencies)

fnerdman closed this as completed Dec 3, 2021

dimakuv commented Dec 3, 2021

> Should I file an issue for gramine to remove the python dependency of gramine-sgx-get-token, to fulfill the goal in #13?

Sorry, I don't understand what you mean. Could you expand?


fnerdman commented Dec 3, 2021

Sure! As gramine-sgx-get-token needs to be run on the enclave-executing machine, it needs to be part of the container runtime. To reduce the Python dependency of the container runtime, it would make sense to rewrite gramine-sgx-get-token in C.


dimakuv commented Dec 3, 2021

Do you mean that you don't want to install/ship Python executables and libraries inside your slim container?

I see, this is reasonable. On the other hand, you still have the Intel SGX PSW/DCAP dependencies in the container, because you need them for Gramine to run properly (especially for SGX attestation). But I guess these dependencies do not require Python to be installed.

@woju @mkow Does this make sense for you?


woju commented Dec 3, 2021 via email
