docs: add TEE analysis for issue #168#169
Analyze TEE solutions (Enarx, Gramine, Occlum, Confidential Containers) for securing Passless authenticator. Recommend Gramine with Intel SGX as primary solution for users with compatible hardware.
✅ CI Fix Applied
I've pushed a fix for the CI failure. The changes should trigger a new CI run. Commit: Waiting for CI to re-run...
58d89c7 to f677d49
@forkline do a complete implementation using gramine
- Add gramine directory with manifest templates for SGX execution
- Create passless-tee crate for TEE hardware detection (Intel SGX, AMD SEV)
- Add build scripts for Gramine manifest generation and signing
- Create Dockerfile for Gramine Shielded Containers (GSC)
- Add comprehensive documentation in docs/GRAMINE_INTEGRATION.md
- Add systemd service file for running Passless in SGX enclave
- Update Makefile with gramine-build, gramine-run, gramine-run-sealed targets
- Add installation scripts for Gramine support
- Update README with Gramine/SGX feature information

Resolves: #168
Summary
I've implemented complete Gramine/Intel SGX support for Passless. Here's what was added:
Core Components
1. Gramine Manifests (gramine/)
- `passless.manifest.template` - Standard storage manifest
- `passless-sealed.manifest.template` - SGX sealed storage manifest (hardware-bound credentials)
- `build.sh` - Automated build script for manifest generation and signing
- `run.sh` - Convenience script for running Passless in SGX
- `Dockerfile` - For Gramine Shielded Containers
- `gsc.toml` - GSC configuration
2. TEE Detection Crate (passless-tee/)
- Hardware detection for Intel SGX and AMD SEV
- CPU flag checking
- EPC size detection
- Environment detection for Gramine/SGX
3. Documentation (docs/GRAMINE_INTEGRATION.md)
- Comprehensive setup guide
- Hardware requirements
- Installation instructions
- Troubleshooting
- Docker/GSC deployment
4. System Integration
- `contrib/systemd/passless-sgx.service` - Systemd service
- `contrib/scripts/install-gramine.sh` - Installation script
- Updated `Makefile` with targets: `gramine-build`, `gramine-run`, `gramine-run-sealed`
Usage

```bash
# Build Gramine manifest
make gramine-build
# Run in SGX enclave (standard storage)
make gramine-run
# Run in SGX enclave (sealed storage - hardware-bound)
make gramine-run-sealed
```

Security Benefits
- Memory Encryption: All enclave memory encrypted by CPU
- Hardware Isolation: Code/data isolated from host OS
- Sealed Storage: Optional hardware-bound credential storage
- Kernel Compromise Protection: SGX isolation protects even from root/kernel
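As an added illustration of the checks a TEE detection crate like the one summarised above performs (example code written for this page, not the `passless-tee` crate or any code from this PR), the Rust block below parses the `flags` line of `/proc/cpuinfo` for the Linux `sgx` / `sev` / `sev_es` / `sev_snp` feature names, decodes SGX EPC sections from CPUID leaf 0x12 register values as laid out in the Intel SDM, and recognises a Gramine-on-SGX environment by the `/dev/attestation` pseudo-files Gramine exposes. The `/dev/attestation` paths, the probe-root parameter and all sample inputs are assumptions of the example; every input is injected so the logic runs offline on constructed data.

```rust
// Added example, not the passless-tee crate: detect TEE capability from
// /proc/cpuinfo text, decode SGX EPC sections from CPUID leaf 0x12 register
// values, and recognise Gramine-on-SGX via its /dev/attestation files.
// All inputs are injected so the logic can be exercised on constructed data.
use std::collections::HashSet;
use std::path::Path;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Tee {
    IntelSgx,
    AmdSev,
    None,
}

/// Collect the tokens of the first `flags:` line in /proc/cpuinfo text.
pub fn parse_cpu_flags(cpuinfo: &str) -> HashSet<String> {
    cpuinfo
        .lines()
        .find(|l| l.starts_with("flags"))
        .and_then(|l| l.split_once(':'))
        .map(|(_, v)| v.split_whitespace().map(str::to_string).collect())
        .unwrap_or_default()
}

/// Which TEE the CPU advertises. SGX wins if both names ever appear
/// (assumed ordering; real CPUs expose one family or the other).
pub fn detect_tee(flags: &HashSet<String>) -> Tee {
    if flags.contains("sgx") {
        Tee::IntelSgx
    } else if flags.contains("sev") || flags.contains("sev_es") || flags.contains("sev_snp") {
        Tee::AmdSev
    } else {
        Tee::None
    }
}

/// Decode one EPC section from CPUID leaf 0x12, sub-leaf >= 2 (Intel SDM):
/// EAX[3:0] == 1 marks a valid EPC section, EAX[31:12] and EBX[19:0] hold
/// the physical base, ECX[31:12] and EDX[19:0] hold the size.
/// Returns (base, size) in bytes, or None for an invalid/empty sub-leaf.
pub fn decode_epc_section(eax: u32, ebx: u32, ecx: u32, edx: u32) -> Option<(u64, u64)> {
    if eax & 0xF != 1 {
        return None;
    }
    let base = ((eax as u64) & 0xFFFF_F000) | (((ebx as u64) & 0xF_FFFF) << 32);
    let size = ((ecx as u64) & 0xFFFF_F000) | (((edx as u64) & 0xF_FFFF) << 32);
    Some((base, size))
}

/// Total usable enclave page cache across all valid EPC sections.
pub fn total_epc_bytes(sections: &[(u32, u32, u32, u32)]) -> u64 {
    sections
        .iter()
        .filter_map(|&(a, b, c, d)| decode_epc_section(a, b, c, d).map(|(_, s)| s))
        .sum()
}

/// Gramine on SGX exposes /dev/attestation/* (assumed marker). The root is a
/// parameter so a constructed directory can stand in for the real filesystem.
pub fn is_gramine_sgx(root: &Path) -> bool {
    root.join("dev/attestation/attestation_type").is_file()
        || root.join("dev/attestation/quote").is_file()
}

fn main() {
    // Constructed sample: the relevant lines of an SGX-capable cpuinfo entry.
    let cpuinfo = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme sse4_2 aes sgx sgx_lc\n";
    let flags = parse_cpu_flags(cpuinfo);
    println!("TEE: {:?}", detect_tee(&flags));
    // Constructed CPUID values: one 128 MiB EPC section based at 0x7000_0000.
    let sections = [(0x7000_0001u32, 0u32, 0x0800_0000u32, 0u32)];
    println!("EPC bytes: {}", total_epc_bytes(&sections));
    println!("Gramine/SGX: {}", is_gramine_sgx(Path::new("/")));
}
```

A cpuinfo flag only says the CPU exposes the feature; it does not prove the process is inside an enclave or that the enclave is the expected one. Treat this kind of probe as a capability check that gates which manifest to build, and rely on remote attestation of the running enclave before trusting it with credentials.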
@forkline change commit lint to accept best practice commits