On April 10th, 2019, it was announced that Golem and ITL, that were building Graphene-ng had “unforked” the project and joined forces with the original creators, Chia-Che Tsai and Don Porter, and Intel Labs. This alliance was formed to usher the development of Graphene, a Library OS for portable applications, supporting Intel® Software Guard Extensions (Intel® SGX). Today, the Working Group is proud to announce the first release resulting from the project, dubbed Graphene v1.0.
A short recap: what is Graphene?
The Graphene library OS is a project for running unmodified Linux applications, i.e., native binaries from a standard Linux distribution. Currently, the most popular platform that Graphene ports to is Intel SGX, a novel Intel CPU feature for establishing a trusted execution environment (TEE) on an untrusted host platform. Graphene library OS can run inside the Intel SGX library so that unmodified applications can get the advantages of running inside an enclave.
Enter: Graphene v1.0
The Graphene v1.0 release is the first stable release of the Graphene project. It is a snapshot of the latest stability improvements and OS features.
This release is launched as we have noticed that users often need to repackage and sign their application with Graphene, so we are providing this snapshot as a pre-production version for long-term development and testing.
Graphene v1.0 is a project snapshot for users who desire to experiment or develop Intel SGX applications using existing Linux software and to deploy the applications for evaluation or beta testing purposes.
However, bear in mind that Graphene v1.0 is not completely ready for production use yet, we are getting close to fixing the remaining stability and security issues — watch this space to follow the progress.
Graphene v1.0: Features
Graphene v1.0 release primarily includes bug fixes, stability and security enhancements, and new features which are fundamental to a trusted execution environment. Here is a complete list of the major features in Graphene v1.0:
- Improved stability
- Enhanced interface security for SGX
- Improved documentation and sample app integrations
- Statically linked binaries support (SGX-only now)
- Remote attestation
- Support for Ubuntu 18.04 and newer glibc versions (2.19, 2.23, and 2.27)
- New applications including Memcached, Redis, and Tensorflow.
For those users who are more interested in the latest bugfixes and experimental features, we suggest subscribing to our Github.
For a more detailed changelog, please head over here: https://github.com/oscarlab/graphene/releases/tag/v1.0.
Graphene v1.0 has a built-in remote attestation feature, specifically designed for unmodified applications. Graphene supports the official Intel attestation service with Intel ® Enhanced Privacy ID (Intel® EPID). You can unlock this feature by providing a Software Product ID (SPID) and a subscription key from the Intel service portal: https://api.portal.trustedservices.intel.com/.
With the remote attestation feature enabled, Graphene will ensure that the Intel SGX platform to be genuine and up-to-date before running your application. No modification is needed in the application. You can also export the remote attestation signed by the Intel attestation service to be verified by a remote server. In the future, we plan to add a sealed vault and a key pair for encryption.
Docker compatibility in Graphene v1.0
The Graphene Secure Container (GSC) framework (EXPERIMENTAL) integrates the Docker framework to run a Docker container with enclave protection. GSC takes an unmodified Docker image and converts into a new image for Graphene — Intel SGX, which contains the configurations (i.e., manifest files) for running your Docker application with Graphene — Intel SGX. GSC provider bidirectional protection between the containers and the host systems. You can also use GSC to save the effort of configuring Graphene — Intel SGX.
What comes next? How can other devs help?
The maintenance and technical support from the Graphene project will continue, with more minor and major releases in the future.
As a sneak-peek for the next release, we are working on:
- Better networking support, including a reworked epoll() mechanism and better support of events on the TCP/UDP sockets.
- Exitless (aka switchless) system calls to improve performance of I/O-heavy workloads like Redis.
- Dynamic memory management and thread creation on SGX.
- Hooks for remote attestation to enable application-specific secret-provisioning mechanisms.
- Support DCAP attestation.
- More application examples, including machine learning/AI workloads (OpenVINO), databases (MySQL, MariaDB), and IoT
- Merging all the Graphene-ng features to Graphene.
- Support for Go and Java applications.
We highly encourage all developers who are interested in Graphene and future features to test v1.0 and provide feedback — this is crucial for us to continue building!
Additionally, the doors to our small but ever-growing community are open — reach out.
Thank you for your support, we are very proud of this first milestone, and hope for more to come.
For more details, head over to our website.
Curious about Graphene? Read our Essential Guide.
For questions — e-mail us at email@example.com
For bugs — submit an issue at https://github.com/oscarlab/graphene/issues/
Learn More about Intel SGX here