WIP Add support for Gramine-TDX (#199)
Conversation
dimakuv
left a comment
Reviewable status: 0 of 6 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "WIP" found in commit messages' one-liners
templates/apploader.common.template line 21 at r1 (raw file):
exec gramine-vm /gramine/app_files/entrypoint \
{% if insecure_args %}{{ binary_arguments | map('shlex_quote') | join(' ') }} \
"${@}"{% endif %}
Maybe this should go into another PR that changes GSC_PAL to something more adequate, like GSC_GRAMINE_BINARY which is equal to gramine-sgx, gramine-direct, ...
In this case, this apploader script will end up as a simple:
exec ${GSC_GRAMINE_BINARY:-gramine-sgx} /gramine/app_files/entrypoint \
{% if insecure_args %}{{ binary_arguments | map('shlex_quote') | join(' ') }} \
"${@}"{% endif %}
templates/debian/Dockerfile.build.template line 46 at r1 (raw file):
    && rm -rf /var/lib/apt/lists/*
RUN ln -s /usr/bin/qemu-system-x86_64 /usr/local/bin/qemu
FYI: This is purely for convenience (to be able to type qemu inside the container). Maybe I should add a comment about this.
test/README.rst line 73 at r1 (raw file):
memory. However, Docker containers start with 64MB by default. Thus, we need to explicitly specify the shared memory limit. ``4G`` is just an example; this limit depends on the app running inside Gramine-TDX.
--shm-size was painful to debug, so here are some references for history:
- https://gist.github.com/mcastelino/b31f0648707b25478eb2a44f94a861fd
- docker-library/postgres#416
- https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
test/ubuntu22.04-hello-world.dockerfile line 1 at r1 (raw file):
FROM ubuntu:22.04
The two test/ files probably should go in a separate PR that updates our GSC tests.
dimakuv
left a comment
Reviewable status: 0 of 6 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "WIP" found in commit messages' one-liners (waiting on @dimakuv)
test/ubuntu22.04-hello-world.dockerfile line 1 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
The two test/ files probably should go in a separate PR that updates our GSC tests.
Done, split into #200.
Will need to rebase after #200 is merged.
dimakuv
left a comment
Reviewable status: 0 of 6 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "WIP" found in commit messages' one-liners
templates/apploader.common.template line 21 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Maybe this should go into another PR that changes GSC_PAL to something more adequate, like GSC_GRAMINE_BINARY which is equal to gramine-sgx, gramine-direct, ... In this case, this apploader script will end up as a simple:
exec ${GSC_GRAMINE_BINARY:-gramine-sgx} /gramine/app_files/entrypoint \
{% if insecure_args %}{{ binary_arguments | map('shlex_quote') | join(' ') }} \
"${@}"{% endif %}
Done, split into #201.
Will need to rebase after #201 is merged.
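The apploader line discussed in this thread passes the baked-in binary_arguments through the shlex_quote filter before they are written into the generated shell script. The block below is an added example, not code from GSC or from this PR: it reproduces that rendering in plain Python with shlex.quote (the assumption being that the template's shlex_quote filter behaves like Python's shlex.quote), and contrasts it with an unquoted rendering to show what the quoting prevents: word splitting, quote stripping, and, in a real shell, command substitution. Quoting only keeps the generated script well-formed; with insecure_args the entrypoint still receives whatever arguments were chosen at build time plus the runtime "${@}" tail. The argument lists used for the demonstration are constructed here.

```python
import shlex

# Path used by the apploader template in this PR.
ENTRYPOINT = "/gramine/app_files/entrypoint"


def render_apploader_exec(binary_arguments, insecure_args, default_binary="gramine-sgx"):
    """Render the apploader's `exec` line the way the template does, on one line
    (the template's backslash continuations are dropped here).  Every baked-in
    argument goes through shlex.quote, mirroring `map('shlex_quote')`.
    With insecure_args=False no arguments and no "${@}" tail are emitted."""
    parts = ["exec", "${GSC_GRAMINE_BINARY:-%s}" % default_binary, ENTRYPOINT]
    if insecure_args:
        parts.extend(shlex.quote(arg) for arg in binary_arguments)
        parts.append('"${@}"')  # runtime arguments are appended after the baked-in ones
    return " ".join(parts)


def render_apploader_exec_unquoted(binary_arguments, insecure_args, default_binary="gramine-sgx"):
    """Same line WITHOUT the quoting filter (hypothetical, for contrast only):
    arguments are interpolated verbatim into the script."""
    parts = ["exec", "${GSC_GRAMINE_BINARY:-%s}" % default_binary, ENTRYPOINT]
    if insecure_args:
        parts.extend(binary_arguments)
        parts.append('"${@}"')
    return " ".join(parts)


def argv_seen_by_shell(exec_line):
    """Split the rendered line the way a POSIX shell splits words (quotes honoured)
    and return the argv that reaches the entrypoint, minus the "${@}" tail.

    shlex.split performs no parameter or command expansion, so an unquoted
    `$(id)` stays a literal token here; a real shell would execute it.  The
    demonstration therefore shows word splitting and quote stripping only."""
    tokens = shlex.split(exec_line)
    if tokens[0] != "exec" or tokens[2] != ENTRYPOINT:
        raise ValueError("not an apploader exec line: %r" % exec_line)
    body = tokens[3:]
    if body and body[-1] == "${@}":
        body = body[:-1]
    return body


if __name__ == "__main__":
    # Constructed arguments with a space, a command substitution and an empty string.
    args = ["--config", "/etc/app conf.toml", "$(id)", ""]
    for render in (render_apploader_exec, render_apploader_exec_unquoted):
        line = render(args, insecure_args=True, default_binary="gramine-vm")
        print(line)
        print("  argv:", argv_seen_by_shell(line))
```

Running the module prints both renderings; only the quoted one yields an argv equal to the original list. Note that the quoted `"${@}"` likewise keeps each runtime argument as a single word, which is why the template quotes it rather than writing a bare `$@`.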
Currently only Gramine-VM. I'll update with Gramine-TDX in the next iteration. Need to think how to automatically start socat for virtio-vsock networking.
Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
(force-pushed from e640eb6 to 3aabbd6)
dimakuv
left a comment
Reviewable status: 0 of 6 files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "WIP" found in commit messages' one-liners
templates/apploader.common.template line 21 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Done, split into #201.
Will need to rebase after #201 is merged.
Done
test/ubuntu22.04-hello-world.dockerfile line 1 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Done, split into #200.
Will need to rebase after #200 is merged.
Done
(force-pushed from 3aabbd6 to 3b98d51)
Description of the changes
This is Work In Progress, adding support for https://github.com/gramineproject/gramine-tdx
Currently only Gramine-VM. I'll update with Gramine-TDX in the next iteration. Need to think how to automatically start socat for virtio-vsock networking.
How to test this PR?
README is updated with instructions.
This change is