Cloud Deployment

Gramine without Intel SGX can be deployed on arbitrary cloud VMs. Please see our Quick start guide for the details.

Deploying Gramine with Intel SGX requires a cloud VM that supports Intel SGX. The installation and usage guide for each cloud VM offering is given separately below (currently only for Microsoft Azure).

Azure confidential computing VMs

Azure confidential computing services are generally available and provide access to VMs with Intel SGX enabled in DCsv2 VM instances. The description below uses a VM running Ubuntu 18.04.

Prerequisites

Update and install the required packages for Gramine:

sudo apt-get update
sudo apt-get install -y build-essential \
    autoconf bison gawk libcurl4-openssl-dev libprotobuf-c-dev ninja-build \
    protobuf-c-compiler python3 python3-click python3-jinja2 python3-pip \
    python3-protobuf wget
python3 -m pip install 'meson>=0.55' 'toml>=0.10'

Gramine requires the kernel to support FSGSBASE x86 instructions. Older Azure Confidential Compute VMs may lack the required kernel patches and, if so, need to be updated.
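One way to check a VM for this before building, as an added example that is not part of the Gramine documentation: the Linux kernel advertises user-space FSGSBASE through bit 1 (HWCAP2_FSGSBASE) of the AT_HWCAP2 auxiliary-vector entry. The function names are hypothetical, the sample loader output is constructed, and the host query assumes a glibc system (it reports "unknown" elsewhere).

```shell
#!/bin/sh
# Added example: report whether the running kernel exposes FSGSBASE to user space.
# The kernel signals this through bit 1 (HWCAP2_FSGSBASE) of the AT_HWCAP2
# auxiliary-vector entry.

HWCAP2_FSGSBASE=2   # 1 << 1

# Read LD_SHOW_AUXV-style text on stdin and print the AT_HWCAP2 value
# (prints nothing if the entry is absent).
parse_hwcap2() {
    awk -F: '$1 == "AT_HWCAP2" { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Classify a hex AT_HWCAP2 value (with or without the 0x prefix).
# Prints one of: enabled, disabled, unknown.
fsgsbase_status() {
    hex=${1#0x}
    case "$hex" in
        ''|*[!0-9a-fA-F]*) echo unknown; return 0 ;;
    esac
    if [ $(( 0x$hex & $HWCAP2_FSGSBASE )) -ne 0 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Query the running host. Assumes a glibc system, whose dynamic loader
# dumps the auxiliary vector when LD_SHOW_AUXV is set.
host_fsgsbase_status() {
    fsgsbase_status "$(LD_SHOW_AUXV=1 /bin/true 2>/dev/null | parse_hwcap2)"
}

# Constructed sample of loader output from a host with FSGSBASE enabled.
SAMPLE_AUXV='AT_HWCAP:             bfebfbff
AT_PAGESZ:            4096
AT_HWCAP2:            0x2'

echo "sample: $(fsgsbase_status "$(printf '%s\n' "$SAMPLE_AUXV" | parse_hwcap2)")"
echo "host:   $(host_fsgsbase_status) (kernel $(uname -r))"
```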

To be able to run all tests, also install:

sudo apt-get install -y libunwind8 python3-pyelftools python3-pytest

Building

  1. Clone Gramine:

    git clone https://github.com/gramineproject/gramine.git
    cd gramine
    
  2. Prepare the signing keys:

    openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072
    
  3. Build Gramine:

    meson setup build/ --buildtype=release -Dsgx=enabled -Ddirect=disabled
    ninja -C build/
    sudo ninja -C build/ install
    
  4. Build and run helloworld:

    cd LibOS/shim/test/regression
    make SGX=1
    make SGX=1 sgx-tokens
    gramine-sgx helloworld