DOCSLIB.ORG

SGX-LKL: a Linux-Based Runtime System for SGX Enclaves

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
SGX-LKL: a Linux-Based Runtime System for SGX Enclaves Large-Scale Data & Systems Group SGX-LKL: A Linux-Based Runtime System for SGX Enclaves Peter Pietzuch Imperial College London http://lsds.doc.ic.ac.uk <[email protected]> Joint work with Microsoft Research SGX Community Workshop – July 2020 Design Space for Enclave Execution (a) SDK (b) Syscalls (c) LibOS (d) Full OS kernel Application code Unmodifed Application Application (trusted) application Shim layer System libraries System libraries System libraries Internal Internal Narrow Shim layer syscall syscall call handling handling interface Wide system call Library OS Full OS kernel interface Narrow/ Application code Narrow (untrusted) wide hypervisor Loader/starter host interface interface Loader/starter Loader/starter Host OS Host OS Host OS Host OS We want a complete Library OS to get a hypervisor host interface Peter Pietzuch - Imperial College London 2 Why is making a Library OS complete hard? 500 450 400 350 300 250 Evolution of the Linux system call interface 200 150 Number of Linux system calls 100 50 Peter Pietzuch 0 1 - Imperial College London 2 2.0.28 2.2 2.4 2.4.8.1 2.4.13 2.5.36 2.6.0 2.6.3 2.6.10 2.6.13 2.6.17 2.6.19 2.6.23 2.6.27 Linux kernel version 2.6.30 2.6.33 2.6.36 2.6.39 3.1 3.5 3.8 3.14 3.17 3.19 4.3 4.5 4.8 4.11 4.15 5.1 5.3 3 SGX-LKL Design SGX enclave Mounted Root Application binary root file file Application files system system System libraries Paravirtualised host interface Initialisation, Linux kernel threading, attestation SGX-LKL Virtual I/O device (virtio) layer ocalls Virtualized Host disk/network devices SGX-LKL launcher Virtio Network Root disk device image Peter Pietzuch - Imperial College London 4 SGX-LKL Implementation SGX enclave Unmodified application Application binary Dynamic library Dynamic library User space Standard C library (musl) System call layer (implemented as function calls) Linux Kernel Library (LKL) Page Cache Work queues Network stack Filesystem stack Encryption and integrity protection Subsystems Crypto Wireguard Device mapper No MMU Standard Linux VirtIO drivers architecture LKL host interface Console Network Block device Timer Kernel space driver driver driver Setup Attestation SGX-LKL Memory Threading Signals Open Enclave Open Enclave SDK SGX-LKL launcher Synchronous ocalls Shared memory transport Paravirtualised host interface Page Signal Virtual Virtual console Virtual net Virtual block Idle protection handling timer device device device device Peter Pietzuch - Imperial College London 5 Paravirtualised Host Interface • Host layer is minimal hypervisor • Narrow host interface: Enclave Shared memory (untrusted) Host – 4 hypercalls Block data Virtual block – 3 upcalls device ring buffer device – Virtio devices driver interrupts event channel • Follows OASIS Virtual I/O device Network Virtual net driver specification device – virtio-block – virtio-net Console Virtual console – virtio-console driver device • Ring buffer per device • Event channels for notifications Peter Pietzuch - Imperial College London 6 Disk protection using Linux Volume Encryption • Applications and data provided via encrypted ext4 disk images – Encryption/integrity protection at block level – Mounted by LKL inside enclave • Uses standard Linux device mapper API: Root disk – dm-crypt for encryption of file systems image – dm-integrity for integrity of read-only file systems – dm-verity for integrity protection for read/write file systems – Merkle tree for disk block verification – Leaf nodes contain hashes of disk blocks • Support for any Linux file systems – e.g. overlayfs for read-only volumes Peter Pietzuch 7 Network protection using Linux in-kernel VPN • In-enclave trusted Linux network stack – Protects arbitrary application traffic Network device • TUN/TAP interface to send/receive packets via host – Public unencrypted network device – Wireguard VPN network device • Wireguard to create VPN between enclaves – Layer 3 VPN protocol – Protects enclave <-> enclave communication Peter Pietzuch 8 Comparison of TCB Sizes TEE runtime system Component LoC (in 1000s) Total LoC (in 1000s) Panoply 20 20 GNU C library 1,292 Graphene-SGX Library OS 34 1,348 Shield module 22 Drawbridge library OS 5,505 Haven 5,528 Shield module 23 LKL 598 SGX-LKL Musl C library 88 736 Core 50 Peter Pietzuch - Imperial College London 9 SGX-LKL Roadmap • Support for layered attestation • Support for GNU standard C library • Porting of other OS kernels to enclaves • Hypervisor-based host launcher implementation • More efficient kernel-bypass I/O (DPDK, SPDK) Peter Pietzuch - Imperial College London 10 SGX-LKL is available on GitHub Peter Pietzuch - Imperial College London 11 Summary: Linux in Enclaves with SGX-LKL • Supporting a narrow host interface is key! • SGX-LKL: Running OS kernels inside SGX enclaves – Benefits from a mature and popular POSIX implementation (Linux) – We encourage people to experiment with other OS kernels • Trade-off between TCB size and POSIX functionality Thank You — Any Questions? Peter Pietzuch https://lsds.doc.ic.ac.uk — [email protected] Peter Pietzuch - Imperial College London 12.
Load more

Recommended publications
  • Glibc and System Calls Documentation Release 1.0
    Glibc and System Calls Documentation Release 1.0 Rishi Agrawal <[email protected]> Dec 28, 2017 Contents 1 Introduction 1 1.1 Acknowledgements...........................................1 2 Basics of a Linux System 3 2.1 Introduction...............................................3 2.2 Programs and Compilation........................................3 2.3 Libraries.................................................7 2.4 System Calls...............................................7 2.5 Kernel.................................................. 10 2.6 Conclusion................................................ 10 2.7 References................................................ 11 3 Working with glibc 13 3.1 Introduction............................................... 13 3.2 Why this chapter............................................. 13 3.3 What is glibc .............................................. 13 3.4 Download and extract glibc ...................................... 14 3.5 Walkthrough glibc ........................................... 14 3.6 Reading some functions of glibc ................................... 17 3.7 Compiling and installing glibc .................................... 18 3.8 Using new glibc ............................................ 21 3.9 Conclusion................................................ 23 4 System Calls On x86_64 from User Space 25 4.1 Setting Up Arguements......................................... 25 4.2 Calling the System Call......................................... 27 4.3 Retrieving the Return Value......................................
    [Show full text]
  • Red Hat Enterprise Linux 6 Developer Guide
    Red Hat Enterprise Linux 6 Developer Guide An introduction to application development tools in Red Hat Enterprise Linux 6 Dave Brolley William Cohen Roland Grunberg Aldy Hernandez Karsten Hopp Jakub Jelinek Developer Guide Jeff Johnston Benjamin Kosnik Aleksander Kurtakov Chris Moller Phil Muldoon Andrew Overholt Charley Wang Kent Sebastian Red Hat Enterprise Linux 6 Developer Guide An introduction to application development tools in Red Hat Enterprise Linux 6 Edition 0 Author Dave Brolley [email protected] Author William Cohen [email protected] Author Roland Grunberg [email protected] Author Aldy Hernandez [email protected] Author Karsten Hopp [email protected] Author Jakub Jelinek [email protected] Author Jeff Johnston [email protected] Author Benjamin Kosnik [email protected] Author Aleksander Kurtakov [email protected] Author Chris Moller [email protected] Author Phil Muldoon [email protected] Author Andrew Overholt [email protected] Author Charley Wang [email protected] Author Kent Sebastian [email protected] Editor Don Domingo [email protected] Editor Jacquelynn East [email protected] Copyright © 2010 Red Hat, Inc. and others. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
    [Show full text]
  • Rootless Containers with Podman and Fuse-Overlayfs
    CernVM Workshop 2019 (4th June 2019) Rootless containers with Podman and fuse-overlayfs Giuseppe Scrivano @gscrivano Introduction 2 Rootless Containers • “Rootless containers refers to the ability for an unprivileged user (i.e. non-root user) to create, run and otherwise manage containers.” (https://rootlesscontaine.rs/ ) • Not just about running the container payload as an unprivileged user • Container runtime runs also as an unprivileged user 3 Don’t confuse with... • sudo podman run --user foo – Executes the process in the container as non-root – Podman and the OCI runtime still running as root • USER instruction in Dockerfile – same as above – Notably you can’t RUN dnf install ... 4 Don’t confuse with... • podman run --uidmap – Execute containers as a non-root user, using user namespaces – Most similar to rootless containers, but still requires podman and runc to run as root 5 Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments • To isolate nested containers 6 Caveat: Not a panacea • Although rootless containers could mitigate these vulnerabilities, it is not a panacea , especially it is powerless against kernel (and hardware) vulnerabilities – CVE 2013-1858, CVE-2015-1328, CVE-2018-18955 • Castle approach : it should be used in conjunction with other security layers such as seccomp and SELinux 7 Podman 8 Rootless Podman Podman is a daemon-less alternative to Docker • $ alias
    [Show full text]
  • Reference Architecture Specification
    Linux based 3G Multimedia Mobile-phone Reference Architecture Specification Draft 1.0 NEC Corporation Panasonic Mobile Communication Ltd. CE Linux Forum Technical Document Contents Preface......................................................................................................................................iii 1. Introduction.............................................................................................................................1 2. Scope .....................................................................................................................................1 3. Reference................................................................................................................................1 4. Definitions and abbreviations ....................................................................................................1 5. Architecture ............................................................................................................................3 5.1 A-CPU ..................................................................................................................................3 5.2 C-CPU..................................................................................................................................5 6. Description of functional entities ..............................................................................................5 6.1 Kernel....................................................................................................................................5
    [Show full text]
  • In Search of the Ideal Storage Configuration for Docker Containers
    In Search of the Ideal Storage Configuration for Docker Containers Vasily Tarasov1, Lukas Rupprecht1, Dimitris Skourtis1, Amit Warke1, Dean Hildebrand1 Mohamed Mohamed1, Nagapramod Mandagere1, Wenji Li2, Raju Rangaswami3, Ming Zhao2 1IBM Research—Almaden 2Arizona State University 3Florida International University Abstract—Containers are a widely successful technology today every running container. This would cause a great burden on popularized by Docker. Containers improve system utilization by the I/O subsystem and make container start time unacceptably increasing workload density. Docker containers enable seamless high for many workloads. As a result, copy-on-write (CoW) deployment of workloads across development, test, and produc- tion environments. Docker’s unique approach to data manage- storage and storage snapshots are popularly used and images ment, which involves frequent snapshot creation and removal, are structured in layers. A layer consists of a set of files and presents a new set of exciting challenges for storage systems. At layers with the same content can be shared across images, the same time, storage management for Docker containers has reducing the amount of storage required to run containers. remained largely unexplored with a dizzying array of solution With Docker, one can choose Aufs [6], Overlay2 [7], choices and configuration options. In this paper we unravel the multi-faceted nature of Docker storage and demonstrate its Btrfs [8], or device-mapper (dm) [9] as storage drivers which impact on system and workload performance. As we uncover provide the required snapshotting and CoW capabilities for new properties of the popular Docker storage drivers, this is a images. None of these solutions, however, were designed with sobering reminder that widespread use of new technologies can Docker in mind and their effectiveness for Docker has not been often precede their careful evaluation.
    [Show full text]
  • MINCS - the Container in the Shell (Script)
    MINCS - The Container in the Shell (script) - Masami Hiramatsu <[email protected]> Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM Who am I... Masami Hiramatsu - Linux kernel kprobes maintainer - Working for Linaro as a Tech Lead LEADING COLLABORATION IN THE ARM ECOSYSTEM Demo # minc top # minc -r /opt/debian/x86_64 # minc -r /opt/debian/arm64 --arch arm64 LEADING COLLABORATION IN THE ARM ECOSYSTEM What Is MINCS? My Personal Fun Project to learn how linux containers work :-) LEADING COLLABORATION IN THE ARM ECOSYSTEM What Is MINCS? Mini Container Shell Scripts (pronounced ‘minks’) - Container engine implementation using POSIX shell scripts - It is small (~60KB, ~2KLOC) (~20KB in minimum) - It can run on busybox - No architecture dependency (* except for qemu/um mode) - No need for special binaries (* except for libcap, just for capsh --exec) - Main Features - Namespaces (Mount, PID, User, UTS, Net*) - Cgroups (CPU, Memory) - Capabilities - Overlay filesystem - Qemu cross-arch/system emulation - User-mode-linux - Image importing from dockerhub And all are done by CLI commands :-) LEADING COLLABORATION IN THE ARM ECOSYSTEM Why Shell Script? That is my favorite language :-) - Easy to understand for *nix administrators - Just a bunch of commands - Easy to modify - Good for prototyping - Easy to deploy - No architecture dependencies - Very small - Able to run on busybox (+ libcap is perfect) LEADING COLLABORATION IN THE ARM ECOSYSTEM MINCS Use-Cases For Learning - Understand how containers work For Development - Prepare isolated (cross-)build environment For Testing - Test new applications in isolated environment - Test new kernel features on qemu using local tools For products? - Maybe good for embedded devices which has small resources LEADING COLLABORATION IN THE ARM ECOSYSTEM What Is A Linux Container? There are many linux container engines - Docker, LXC, rkt, runc, ..
    [Show full text]
  • The Glib/GTK+ Development Platform
    The GLib/GTK+ Development Platform A Getting Started Guide Version 0.8 Sébastien Wilmet March 29, 2019 Contents 1 Introduction 3 1.1 License . 3 1.2 Financial Support . 3 1.3 Todo List for this Book and a Quick 2019 Update . 4 1.4 What is GLib and GTK+? . 4 1.5 The GNOME Desktop . 5 1.6 Prerequisites . 6 1.7 Why and When Using the C Language? . 7 1.7.1 Separate the Backend from the Frontend . 7 1.7.2 Other Aspects to Keep in Mind . 8 1.8 Learning Path . 9 1.9 The Development Environment . 10 1.10 Acknowledgments . 10 I GLib, the Core Library 11 2 GLib, the Core Library 12 2.1 Basics . 13 2.1.1 Type Definitions . 13 2.1.2 Frequently Used Macros . 13 2.1.3 Debugging Macros . 14 2.1.4 Memory . 16 2.1.5 String Handling . 18 2.2 Data Structures . 20 2.2.1 Lists . 20 2.2.2 Trees . 24 2.2.3 Hash Tables . 29 2.3 The Main Event Loop . 31 2.4 Other Features . 33 II Object-Oriented Programming in C 35 3 Semi-Object-Oriented Programming in C 37 3.1 Header Example . 37 3.1.1 Project Namespace . 37 3.1.2 Class Namespace . 39 3.1.3 Lowercase, Uppercase or CamelCase? . 39 3.1.4 Include Guard . 39 3.1.5 C++ Support . 39 1 3.1.6 #include . 39 3.1.7 Type Definition . 40 3.1.8 Object Constructor . 40 3.1.9 Object Destructor .
    [Show full text]
  • Porting Musl to the M3 Microkernel TU Dresden
    Porting Musl to the M3 microkernel TU Dresden Sherif Abdalazim, Nils Asmussen May 8, 2018 Contents 1 Abstract 2 2 Introduction 3 2.1 Background.............................. 3 2.2 M3................................... 4 3 Picking a C library 5 3.1 C libraries design factors . 5 3.2 Alternative C libraries . 5 4 Porting Musl 7 4.1 M3andMuslbuildsystems ..................... 7 4.1.1 Scons ............................. 7 4.1.2 GNUAutotools........................ 7 4.1.3 Integrating Autotools with Scons . 8 4.2 Repositoryconfiguration. 8 4.3 Compilation.............................. 8 4.4 Testing ................................ 9 4.4.1 Syscalls ............................ 9 5 Evaluation 10 5.1 PortingBusyboxcoreutils . 10 6 Conclusion 12 1 Chapter 1 Abstract Today’s processing workloads require the usage of heterogeneous multiproces- sors to utilize the benefits of specialized processors and accelerators. This has, in turn, motivated new Operating System (OS) designs to manage these het- erogeneous processors and accelerators systematically. M3 [9] is an OS following the microkernel approach. M3 uses a hardware/- software co-design to exploit the heterogeneous systems in a seamless and effi- cient form. It achieves that by abstracting the heterogeneity of the cores via a Data Transfer Unit (DTU). The DTU abstracts the heterogeneity of the cores and accelerators so that they can communicate systematically. I have been working to enhance the programming environment in M3 by porting a C library to M3. I have evaluated different C library implementations like the GNU C Library (glibc), Musl, and uClibc. I decided to port Musl as it has a relatively small code base with fewer configurations. It is simpler to port, and it started to gain more ground in embedded systems which are also a perfect match for M3 applications.
    [Show full text]
  • High Velocity Kernel File Systems with Bento
    High Velocity Kernel File Systems with Bento Samantha Miller, Kaiyuan Zhang, Mengqi Chen, and Ryan Jennings, University of Washington; Ang Chen, Rice University; Danyang Zhuo, Duke University; Thomas Anderson, University of Washington https://www.usenix.org/conference/fast21/presentation/miller This paper is included in the Proceedings of the 19th USENIX Conference on File and Storage Technologies. February 23–25, 2021 978-1-939133-20-5 Open access to the Proceedings of the 19th USENIX Conference on File and Storage Technologies is sponsored by USENIX. High Velocity Kernel File Systems with Bento Samantha Miller Kaiyuan Zhang Mengqi Chen Ryan Jennings Ang Chen‡ Danyang Zhuo† Thomas Anderson University of Washington †Duke University ‡Rice University Abstract kernel-level debuggers and kernel testing frameworks makes this worse. The restricted and different kernel programming High development velocity is critical for modern systems. environment also limits the number of trained developers. This is especially true for Linux file systems which are seeing Finally, upgrading a kernel module requires either rebooting increased pressure from new storage devices and new demands the machine or restarting the relevant module, either way on storage systems. However, high velocity Linux kernel rendering the machine unavailable during the upgrade. In the development is challenging due to the ease of introducing cloud setting, this forces kernel upgrades to be batched to meet bugs, the difficulty of testing and debugging, and the lack of cloud-level availability goals. support for redeployment without service disruption. Existing Slow development cycles are a particular problem for file approaches to high-velocity development of file systems for systems.
    [Show full text]
  • Singularityce User Guide Release 3.8
    SingularityCE User Guide Release 3.8 SingularityCE Project Contributors Aug 16, 2021 CONTENTS 1 Getting Started & Background Information3 1.1 Introduction to SingularityCE......................................3 1.2 Quick Start................................................5 1.3 Security in SingularityCE........................................ 15 2 Building Containers 19 2.1 Build a Container............................................. 19 2.2 Definition Files.............................................. 24 2.3 Build Environment............................................ 35 2.4 Support for Docker and OCI....................................... 39 2.5 Fakeroot feature............................................. 79 3 Signing & Encryption 83 3.1 Signing and Verifying Containers.................................... 83 3.2 Key commands.............................................. 88 3.3 Encrypted Containers.......................................... 90 4 Sharing & Online Services 95 4.1 Remote Endpoints............................................ 95 4.2 Cloud Library.............................................. 103 5 Advanced Usage 109 5.1 Bind Paths and Mounts.......................................... 109 5.2 Persistent Overlays............................................ 115 5.3 Running Services............................................. 118 5.4 Environment and Metadata........................................ 129 5.5 OCI Runtime Support.......................................... 140 5.6 Plugins.................................................
    [Show full text]
  • Container-Based Virtualization for Byte-Addressable NVM Data Storage
    2016 IEEE International Conference on Big Data (Big Data) Container-Based Virtualization for Byte-Addressable NVM Data Storage Ellis R. Giles Rice University Houston, Texas [email protected] Abstract—Container based virtualization is rapidly growing Storage Class Memory, or SCM, is an exciting new in popularity for cloud deployments and applications as a memory technology with the potential of replacing hard virtualization alternative due to the ease of deployment cou- drives and SSDs as it offers high-speed, byte-addressable pled with high-performance. Emerging byte-addressable, non- volatile memories, commonly called Storage Class Memory or persistence on the main memory bus. Several technologies SCM, technologies are promising both byte-addressability and are currently under research and development, each with dif- persistence near DRAM speeds operating on the main memory ferent performance, durability, and capacity characteristics. bus. These new memory alternatives open up a new realm of These include a ReRAM by Micron and Sony, a slower, but applications that no longer have to rely on slow, block-based very large capacity Phase Change Memory or PCM by Mi- persistence, but can rather operate directly on persistent data using ordinary loads and stores through the cache hierarchy cron and others, and a fast, smaller spin-torque ST-MRAM coupled with transaction techniques. by Everspin. High-speed, byte-addressable persistence will However, SCM presents a new challenge for container-based give rise to new applications that no longer have to rely on applications, which typically access persistent data through slow, block based storage devices and to serialize data for layers of block based file isolation.
    [Show full text]
  • An Incremental Path Towards a Safer OS Kernel
    An Incremental Path Towards a Safer OS Kernel Jialin Li Samantha Miller Danyang Zhuo University of Washington University of Washington Duke University Ang Chen Jon Howell Thomas Anderson Rice University VMware Research University of Washington LoC Abstract Incremental Progress Tens of Linux Safe Linux Linux has become the de-facto operating system of our age, Millions FreeBSD but its vulnerabilities are a constant threat to service availabil- Hundreds of Singularity ity, user privacy, and data integrity. While one might scrap Thousands Biscuit Linux and start over, the cost of that would be prohibitive due Theseus Thousands RedLeaf seL4 to Linux’s ubiquitous deployment. In this paper, we propose Hyperkernel Safety an alternative, incremental route to a safer Linux through No Type Ownership Functional proper modularization and gradual replacement module by Guarantees Safety Safety Verification module. We lay out the research challenges and potential Figure 1: Our vision and the current state of systems. solutions for this route, and discuss the open questions ahead. security vulnerabilities are reported each year, and lifetime CCS Concepts analysis suggests that the new code added this year has intro- duced tens of thousands of more bugs. ! • Software and its engineering Software verification; While operating systems are far from the only source of se- ! • Computer systems organization Reliability. curity vulnerabilities, it is hard to envision building trustwor- Keywords thy computer systems without addressing operating system correctness. kernel safety, verified systems, reliable systems One attractive option is to scrap Linux and start over. Many ACM Reference Format: past works focus on building more secure and correct op- Jialin Li, Samantha Miller, Danyang Zhuo, Ang Chen, Jon Howell, erating systems from the ground up: ones based on strong and Thomas Anderson.
    [Show full text]