/gramine-java-poc

Primary LanguageDockerfileGNU General Public License v3.0GPL-3.0

Gramine Java Proof of Concept

Contributors Forks Stargazers License Last Commit

This repo contains a small demo of running a JVM inside an SGX enclave using Gramine

About The ProjectGetting startedGramine JVM Image structureModifying the PoC

About The Project

Enclave log

Confidential computing is a fast-growing space. Developers will face growing pressure to move applications to a zero-trust infrastructure. Using Gramine, developers can deploy their existing source code inside an enclave instead of doing a full rewrite.

This PoC has its origin in the system security lecture by @sebastiangajek at Flensburg University of Applied Sciences.

Experienced issues in this PoC:

  • Broken EPOLL support -> Webservers such as Netty fail to start
  • Poor performance (running gramine-sgx java to seeing "Hello world!" took around 15 seconds)

Getting started

Platform requirements

Check for Intel Security Guard Extension (SGX) presence by running the following

grep sgx /proc/cpuinfo

Alternatively have a thorough look at Intel's processor list.

Running this PoC

Assuming all necessary SGX drivers are installed on the host, run the following

git clone git@github.com:mortenboettger/gramine-java-poc.git
cd gramine-java-poc
docker-compose up

Gramine JVM Image structure

Build

The Docker image build consists of two stages. The first ("builder") stage uses Gradle to build the Gradle-based Java project and creates a runnable JAR.

The second ("gramine") stage gathers all the necessary resources and generates and signs the manifest based on the existing template.

Run

On container startup, the entrypoint script acquires the necessary token and launches the enclave.

Modifying the PoC to run a different JVM-based application

Gradle-based JVM application

Replace the project folder, at src/project, with your Gradle-based project and change the referenced folders and Gradle tasks inside the builder stage in the Dockerfile accordingly.

Non-Gradle-based JVM application

Replace the project folder, at src/project, with your JVM application project and exchange the builder stage inside the Dockerfile with your needed build config. Make sure to copy the resulting jar to the root folder of your builder stage and for convenience name it enclave.jar. This way you most likely won´t have to touch the second stage.

License

Distributed under the GPLv3 License. See LICENSE for more information.

Acknowledgments

This project greatly celebrates all contributions from the gramine team and the amazing progress made by the enclaive team.