gramineproject / gramine

A library OS for Linux multi-process applications, with Intel SGX support
GNU Lesser General Public License v3.0

Remove `gramine` dependency from gramine-ratls-dcap/-epid attestation packages #1260

Open fnerdman opened 1 year ago

fnerdman commented 1 year ago

Description of the feature

We'd like to only install the dcap attestation packages, without having to install the gramine main package dependency.

Currently we are using a trick by downloading the RA-TLS attestation package and then installing it via `dpkg --ignore-depends=gramine` to achieve this, but we have discovered that the `ra_tls_set_measurement_callback` function gets ignored if the gramine main package is missing.

Why Gramine should implement it?

The main gramine package pulls in a lot of dependencies such as python. All of these are not necessary if one only wants to create a slim container image used solely for RA-TLS attestation.

dimakuv commented 1 year ago

> we have discovered that the ra_tls_set_measurement_callback function gets ignored if the gramine main package is missing

What does that mean? This function doesn't do anything special: https://github.com/gramineproject/gramine/blob/ce7556d14996cba3d58f9a8858ca170a91b46e68/tools/sgx/ra-tls/ra_tls_verify_common.c#L234-L237

So how do you install Gramine itself then?

Anyway, this feels like a question to @woju, our packaging guru.

fnerdman commented 1 year ago

> What does that mean? This function doesn't do anything special:

Sorry, I should have been more verbose. The function call passes without issues but the library doesn't register the callback function. It executes as if no measurement callback function was provided.

> So how do you install Gramine itself then?

Our use case is plain remote attestation from a trusted environment. Gramine is not needed. Here you can see how we install the dependencies.

woju commented 1 year ago

Looking through 1.4 packages and how they're linked, this can be done. gramine-ratls-dcap would have to still depend on libsgx-dcap-quote-verify from intel sgx repo and gramine-ratls-epid needs to directly depend on libcjson1, though cjson might have changed between 1.4 and current master (@dimakuv is this accurate?).

Also, @dimakuv can you confirm that this library really can't be used without any libraries from gramine package present? For example, aren't there any surprise dlopen() or other things that wouldn't show up on objdump?

Here are the contents of the packages:

gramine-ratls-dcap:

./
./usr/
./usr/lib/
./usr/lib/x86_64-linux-gnu/
./usr/lib/x86_64-linux-gnu/gramine/
./usr/lib/x86_64-linux-gnu/gramine/runtime/
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/
./usr/lib/x86_64-linux-gnu/libra_tls_verify_dcap.so
./usr/lib/x86_64-linux-gnu/libra_tls_verify_dcap_gramine.so
./usr/lib/x86_64-linux-gnu/libsecret_prov_verify_dcap.so
./usr/share/
./usr/share/doc/
./usr/share/doc/gramine-ratls-dcap/
./usr/share/doc/gramine-ratls-dcap/changelog.gz
./usr/share/doc/gramine-ratls-dcap/copyright
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/libra_tls_verify_dcap.so -> ../../../libra_tls_verify_dcap.so
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/libra_tls_verify_dcap_gramine.so -> ../../../libra_tls_verify_dcap_gramine.so
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/libsecret_prov_verify_dcap.so -> ../../../libsecret_prov_verify_dcap.so

gramine-ratls-epid:

./
./usr/
./usr/lib/
./usr/lib/x86_64-linux-gnu/
./usr/lib/x86_64-linux-gnu/gramine/
./usr/lib/x86_64-linux-gnu/gramine/runtime/
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/
./usr/lib/x86_64-linux-gnu/libra_tls_verify_epid.so
./usr/lib/x86_64-linux-gnu/libsecret_prov_verify_epid.so
./usr/share/
./usr/share/doc/
./usr/share/doc/gramine-ratls-epid/
./usr/share/doc/gramine-ratls-epid/changelog.gz
./usr/share/doc/gramine-ratls-epid/copyright
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/libra_tls_verify_epid.so -> ../../../libra_tls_verify_epid.so
./usr/lib/x86_64-linux-gnu/gramine/runtime/glibc/libsecret_prov_verify_epid.so -> ../../../libsecret_prov_verify_epid.so

dimakuv commented 1 year ago

> ... gramine-ratls-epid needs to directly depend on libcjson1, though cjson might have changed between 1.4 and current master (@dimakuv is this accurate?).

This is accurate. We removed the need for libcjson1 package in this commit (after v1.4 was released, so it will be available only starting from v1.5): https://github.com/gramineproject/gramine/commit/d19fe516d40fc1984f6f2cc41ba7000779f61fde

> Also, @dimakuv can you confirm that this library really can't be used without any libraries from gramine package present? For example, aren't there any surprise dlopen() or other things that wouldn't show up on objdump?

I cannot parse the first sentence, sorry (is there a typo? can't be used -> can be used).

There are no surprise dlopen() or anything of this sort in the libra_tls*.so and libsecret_prov*.so libraries. In this sense, these packages are self-contained (with the exception of libsgx-dcap-quote-verify dependency for the DCAP version of the libraries).

woju commented 1 year ago

> > Also, @dimakuv can you confirm that this library really can't be used without any libraries from gramine package present? For example, aren't there any surprise dlopen() or other things that wouldn't show up on objdump?

> I cannot parse the first sentence, sorry (is there a typo? can't be used -> can be used).

Yes, it's a typo, sorry.

> There are no surprise dlopen() or anything of this sort in the libra_tls*.so and libsecret_prov*.so libraries. In this sense, these packages are self-contained (with the exception of libsgx-dcap-quote-verify dependency for the DCAP version of the libraries).

OK, if so, then it can be done.
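
The check discussed in this thread (link-time `NEEDED` entries plus any imported `dlopen()`-family symbols that would hint at run-time loading), written out as an added example; it is not part of the thread or of Gramine's tooling. It assumes binutils `objdump` is installed; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample text are constructed.

# DT_NEEDED library names, parsed from `objdump -p` output on stdin.
needed_libs() {
    awk '$1 == "NEEDED" { print $2 }'
}

# dlopen-family symbols the object imports, parsed from `objdump -T` output
# on stdin. Imported (undefined) symbols carry *UND* in the section column.
dl_imports() {
    awk '/\*UND\*/ && $NF ~ /^(dlopen|dlmopen|dlsym|dlvsym)$/ { print $NF }'
}

# Report on one file; returns 1 if it imports a dlopen-family symbol.
audit_so() {
    echo "== $1"
    objdump -p "$1" | needed_libs | sed 's/^/  NEEDED  /'
    hits=$(objdump -T "$1" | dl_imports | sort -u | tr '\n' ' ')
    [ -z "$hits" ] && return 0
    echo "  IMPORTS $hits(review what is loaded at run time)"
    return 1
}

# Constructed stand-ins for objdump output, not taken from a Gramine library.
SAMPLE_P='Dynamic Section:
  NEEDED               libexample_dep.so.1
  NEEDED               libc.so.6
  SONAME               libexample.so'
SAMPLE_T='DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) malloc
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) dlopen
0000000000001139 g    DF .text  0000000000000016  Base        dlopen_wrapper'

if [ "$#" -eq 0 ]; then
    # No files given: show what the parsers extract from the samples.
    printf '%s\n' "$SAMPLE_P" | needed_libs
    printf '%s\n' "$SAMPLE_T" | dl_imports
else
    # e.g. sh audit.sh /usr/lib/x86_64-linux-gnu/libra_tls_verify_dcap.so
    rc=0
    for f in "$@"; do audit_so "$f" || rc=1; done
    exit "$rc"
fi
```

A clean result only covers the object itself: libraries listed as `NEEDED` can still load others at run time, so the same check applies to each of them.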