Allow to skip SGX token generation #62

Closed
wants to merge 1 commit into from

@dimakuv dimakuv commented Jun 1, 2022

Description of the changes

SGX Launch Token (aka EINITTOKEN) is generated right before Gramine launch via the `gramine-sgx-get-token` tool. For DCAP platforms, the SGX token is unused, so there is no need to generate it. This commit introduces a GSC switch `--skip-token-generation` for this.

This is useful for DCAP platforms (one less file in the Docker container), and enables such scenarios as `docker run --read-only`.
Also, skipping running `gramine-sgx-get-token` paves a path to removing Python as a run-time dependency for GSC-built Docker images.

Related PR in core Gramine: gramineproject/gramine#363

How to test this PR?

A Python example from docs with `./gsc build --skip-token-generation --insecure-args python test/generic.manifest`. You'll see that the `gramine-sgx-get-token` tool is not called during the last step (`docker run`).



SGX Launch Token (aka EINITTOKEN) is generated right before Gramine
launch via the `gramine-sgx-get-token` tool. For DCAP platforms, the
SGX token is unused, so there is no need to generate it. This commit
introduces a GSC switch `--skip-token-generation` for this.

This is useful for DCAP platforms (one less file in the Docker
container), and enables such scenarios as `docker run --read-only`.
Also, skipping running `gramine-sgx-get-token` paves a path to removing
Python as a run-time dependency for GSC-built Docker images.

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>

mythi commented Jun 1, 2022

I tested this fix and it works well!

FWIW, the resulting apploader.sh looks like this but that's probably fine :-)

then

    gramine-sgx /entrypoint  "${@}"
else


dimakuv commented Jun 1, 2022

> FWIW, the resulting apploader.sh looks like this but that's probably fine :-)

I think we can live with it :) Btw, we'll need to remove set -x from the apploader script; it's annoying to see all those logs "hey user, look what I'm executing now".


dimakuv commented Jun 3, 2022

Closing this PR as it is considered a stop-gap solution, and it is also not high priority. We'd better fix it properly.

See gramineproject/gramine#363 for details.

@dimakuv dimakuv closed this Jun 3, 2022