Overview

Phoenix is an extension of the Graphene libOS for Intel SGX hardware enclaves. Phoenix adds to Graphene:

  • an encrypted and integrity-protected filesystem
  • shared memory
  • the ability to proxy time-related system calls to a time server

Phoenix also includes an OpenSSL engine that proxies RSA-2048 key operations to an enclaved key server.

Phoenix implements all extensions as servers. For instance, the encrypted filesystem is a userspace server that runs on top of the Phoenix libOS in an enclave; a user can configure other instances of Phoenix (such as those running applications) to use the remote filesystem.

The Phoenix design is thus evocative of a micro-kernel, and we refer to the servers as "kernel servers".

We perform our tests on the Intel NUC Skull Canyon NUC6i7KYK Kit with 6th generation Intel Core i7-6770HQ Processor (2.6 GHz), with 32 GiB of RAM. The processor consists of four hyperthreaded cores, and has a 6 MiB cache.

For our operating system, we use lubuntu-16.04.1-desktop-amd64.iso, with the following kernels:

  • 4.10.0-38-generic #42~16.04.1-Ubuntu SMP Tue Oct 10 16:32:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  • 4.4.0-157-generic #185-Ubuntu SMP Tue July 23 09:17:01 UTC 2019

At the time of developing Phoenix, Graphene only supported Ubuntu 16.04.

In this guide, we assume all source is downloaded to ~/src and all artifacts installed under $HOME.

SGX SDK and Driver

Download and install the Intel SGX Driver:

mkdir ~/src
cd ~/src
wget https://github.com/intel/linux-sgx-driver/archive/sgx_driver_1.9.tar.gz
tar zxvf sgx_driver_1.9.tar.gz
rm sgx_driver_1.9.tar.gz
cd linux-sgx-driver-sgx_driver_1.9
make

Download and install the Intel SGX SDK:

cd ~/src
wget https://github.com/intel/linux-sgx/archive/sgx_2.6.tar.gz
tar zxvf sgx_2.6.tar.gz
cd linux-sgx-sgx_2.6
sudo apt-get install build-essential ocaml automake autoconf \
         libtool wget python libssl-dev libcurl4-openssl-dev \
         protobuf-compiler libprotobuf-dev debhelper cmake

./download_prebuilt.sh
make                    # builds the SDK and PSW
make sdk_install_pkg    # builds the SDK installer
make deb_pkg            # builds the PSW installer

cd linux/installer/bin

# install the SDK to /opt
sudo ./sgx_linux_x64_sdk_2.6.100.51363.bin

# install the PSW
cd ~/src/linux-sgx-sgx_2.6/linux/installer/deb
sudo dpkg -i ./libsgx-urts_2.6.100.51363-xenial1_amd64.deb \
    ./libsgx-enclave-common_2.6.100.51363-xenial1_amd64.deb

Phoenix needs the PSW, but not the SDK. That said, if using the SDK for other purposes, first set a few environment variables:

source /opt/sgxsdk/environment

Phoenix libOS

First, install the dependencies:

sudo apt-get install -y build-essential autoconf gawk bison \
         python-protobuf libprotobuf-c-dev \
         protobuf-c-compiler

Download Phoenix and update the driver submodule (Graphene slightly modifies Intel's default driver):

cd ~/src
git clone https://github.com/smherwig/phoenix
cd phoenix
git submodule update --init -- Pal/src/host/Linux-SGX/sgx-driver

Generate an enclave signing key:

cd Pal/src/host/Linux-SGX/signer
openssl genrsa -3 -out enclave-key.pem 3072
mkdir -p ~/share/phoenix
cp enclave-key.pem ~/share/phoenix

Phoenix uses a slightly modified version of BearSSL; first build this component, as it is not yet integrated into Graphene's Makefile system:

cd ~/src/phoenix/bearssl-0.6
make

Next, build Phoenix:

cd ~/src/phoenix
make SGX=1

When prompted for the Intel SGX driver and version, enter (changing the home directory, as appropriate):

Enter the Intel SGX driver directory: /home/smherwig/src/linux-sgx-driver-sgx_driver_1.9

Enter the driver version (default: 1.9): 1.9

The script Tools/make_phoenix_keys.sh may be used to generate a root certificate (root.crt) and a leaf certificate (proc.crt) and key (proc.key). The kernel servers and Phoenix application instances use this keying material. For convenience, a copy of the keying material is present in this directory. Copy the keying material to ~/share/phoenix:

cd ~/src/phoenix/Tools
cp root.crt proc.crt proc.key ~/share/phoenix/
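
The checks below are an added example, not part of Phoenix: they audit the key material staged by the two steps above (the enclave signing key and the certificate keys). The copy of proc.key shipped in the repository is public, so the audit flags a deployment that still uses it; the function names and the SHARE and TOOLS variables are assumptions of this example.

```sh
#!/bin/sh
# Added example (not part of Phoenix): audit the keys staged for Phoenix.
# Defaults are the directories this guide uses; override SHARE/TOOLS to test.
SHARE="${SHARE:-$HOME/share/phoenix}"
TOOLS="${TOOLS:-$HOME/src/phoenix/Tools}"

# True if the file grants nothing to group or other (chars 5-10 of the
# `ls -l` mode string are the group and other permission bits).
private_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the key is unencrypted RSA-3072 with public exponent 3, i.e. what
# `openssl genrsa -3 ... 3072` produces for enclave signing.
is_sgx_signing_key() {
    text=$(openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Private-Key: (3072 bit' &&
        printf '%s\n' "$text" | grep -q '^publicExponent: 3 '
}

# True if $1 is byte-identical to the copy checked into the repository ($2).
is_repo_copy() {
    [ -f "$2" ] && cmp -s "$1" "$2"
}

# Print one finding per line; return non-zero if anything needs attention.
audit_keys() {
    rc=0
    for k in enclave-key.pem proc.key; do
        if [ ! -f "$SHARE/$k" ]; then
            echo "MISSING $k"; rc=1
        elif ! private_only "$SHARE/$k"; then
            echo "PERMS $k is readable or writable by group/other"; rc=1
        fi
    done
    if [ -f "$SHARE/enclave-key.pem" ] &&
       ! is_sgx_signing_key "$SHARE/enclave-key.pem"; then
        echo "FORMAT enclave-key.pem is not RSA-3072 with exponent 3"; rc=1
    fi
    if [ -f "$SHARE/proc.key" ] &&
       is_repo_copy "$SHARE/proc.key" "$TOOLS/proc.key"; then
        echo "SHARED proc.key is the copy published in the repository"; rc=1
    fi
    return $rc
}
```

Source the file and call `audit_keys`; a SHARED finding means proc.key should be regenerated with Tools/make_phoenix_keys.sh before the deployment is trusted.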

Base components

The kernel servers depend on the following libraries; the links below go to each library's instructions for building and installing:

Kernel servers

Instructions for building the kernel servers are at the following links:

Additional Tools

The makemanifest tool is used to create a manifest for running an executable on Phoenix:

spf (SGX Page fault) is a performance tool that measures SGX paging events:

After building, set the vm.mmap_min_addr sysctl and load Graphene's Linux kernel module, graphene_sgx:

sudo sysctl vm.mmap_min_addr=0
cd ~/src/phoenix/Pal/src/host/Linux-SGX/sgx-driver
./load.sh
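
Setting vm.mmap_min_addr to 0 lets any process map page zero, so it is worth recording the previous value before lowering it and restoring it when Phoenix is not in use. The following is an added example, not part of Phoenix; the function names, the PROC override and the STATE file path are assumptions.

```sh
#!/bin/sh
# Added example (not part of Phoenix): record and check the host state that
# the step above changes. PROC is overridable so the logic can be tested.
PROC="${PROC:-/proc}"
STATE="${STATE:-$HOME/share/phoenix/mmap_min_addr.orig}"   # hypothetical path

current_min_addr() { cat "$PROC/sys/vm/mmap_min_addr"; }

# True if the named module appears in the first column of /proc/modules.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$PROC/modules"
}

# Save the pre-Phoenix value once (run before the sysctl command above);
# never overwrite it, and refuse to record an already-lowered 0.
save_min_addr() {
    [ -s "$STATE" ] && return 0
    v=$(current_min_addr) || return 1
    [ "$v" -gt 0 ] || return 1
    printf '%s\n' "$v" > "$STATE"
}

# Print the command that undoes the change, using the saved value.
restore_command() {
    [ -s "$STATE" ] || return 1
    printf 'sudo sysctl vm.mmap_min_addr=%s\n' "$(cat "$STATE")"
}

# Return 0 only when both prerequisites from this section are in place.
preflight() {
    rc=0
    [ "$(current_min_addr)" = "0" ] || { echo "vm.mmap_min_addr is not 0"; rc=1; }
    module_loaded graphene_sgx || { echo "graphene_sgx is not loaded"; rc=1; }
    return $rc
}
```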

Instructions for running NGINX macro-benchmarks:

Instructions for running RPC micro-benchmarks:

and the kernel server micro-benchmarks:

The following features are not yet implemented:

  • local and remote attestation (though these features have been maturing in main-line Graphene)
  • binding an SGX quote to an X.509 certificate
  • the provisioning servers and agents
  • bundling all executables and resources into a single image