by202 / graphene Goto Github PK

Note: Graphene project was renamed to Gramine and moved to a new location: https://github.com/gramineproject/gramine. All development will continue there.

A Linux-compatible Library OS for Multi-Process Applications

NOTE: We are in the middle of transitioning our buildsystem to Meson, and the build procedures are changing. See Building instructions for an up-to-date build tutorial.

Graphene is a lightweight library OS, designed to run a single application with minimal host requirements. Graphene can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine -- including guest customization, ease of porting to different OSes, and process migration.

Graphene supports native, unmodified Linux binaries on any platform. Currently, Graphene runs on Linux and Intel SGX enclaves on Linux platforms.

In untrusted cloud and edge deployments, there is a strong desire to shield the whole application from rest of the infrastructure. Graphene supports this “lift and shift” paradigm for bringing unmodified applications into Confidential Computing with Intel SGX. Graphene can protect applications from a malicious system stack with minimal porting effort.

Graphene is a growing project and we have a growing contributor and maintainer community. The code and overall direction of the project are determined by a diverse group of contributors, from universities, small and large companies, as well as individuals. Our goal is to continue this growth in both contributions and community adoption.

Graphene has evolved a lot since our last major release. Over the last few months, we have made significant updates to provide a stable version that supports deploying key workloads with Intel SGX. We’ve rewritten major subsystems, done a significant update to the build and packaging scripts, extended test coverage, and improved the CI/CD process. We’ve reviewed and hardened specific security aspects of Graphene, and increased stability for long-running and heavy workloads.

Graphene also includes full SGX Attestation support, protected files support, multi-process support with encrypted IPC, and support for the upstreamed SGX driver for Linux. We’ve introduced a number of performance optimizations for SGX, and provide mechanisms to more easily deploy in cloud environments with full support for automatic Docker container integration using Graphene Shielded Containers (GSC).

We have a growing set of well-tested applications including machine learning frameworks, databases, webservers, and programming language runtimes.

This version of Graphene is tagged 'v1.2-rc1'. We encourage you to try this out with your workloads and let us know if you’re facing any issues. Please see the release page for release notes and installation instructions.

While we have made significant progress, we are continuing to work towards making Graphene better and adding support for more workloads. The items that we are most immediately working on are tracked in #1544.

In the meantime, we are also in the process of transitioning the Graphene project to a new home within the Confidential Computing Consortium under the Linux Foundation. In Q3 2021 we will provide more details on this, and we expect the next version of Graphene to be released once this transition is complete.

The official Graphene documentation can be found at https://graphene.readthedocs.io. Below are quick links to some of the most important pages:

• Quick start and how to run applications
• Complete building instructions
• Graphene manifest file syntax
• The Graphene Shielded Containers (GSC) tool
• Performance tuning & analysis of SGX applications in Graphene
• Remote attestation in Graphene

For any questions, please send an email to [email protected] (public archive).

For bug reports, post an issue on our GitHub repository: https://github.com/oscarlab/graphene/issues.

Graphene Project benefits from generous help of fosshost.org: they lend us a VPS, which we use as toolserver and package hosting.