This PR adds Gramine-based TEE support for Task Runner API via the fx workspace dockerize command.
All images are built SGX-ready, with a signing key automatically generated if a user does not explicitly provide one. This implies zero change in the command from a user's perspective, with a path forward to move to TDX/COCO.
Running enclaves does require attaching specific volumes and devices as Gramine requires. This is covered in the documentation.
Usage: fx workspace dockerize [OPTIONS]
Package current workspace as a TEE-ready Docker image.
Options:
...
--enclave-key TEXT Path to an enclave signing key. If not provided, a key will be auto-generated in the workspace.
Note that this command builds a TEE-ready image; the key is NOT packaged along with the image. You have the flexibility to not run inside a TEE later.
...
Tests
Added a Docker gramine-direct CI test (SGX is not supported on CI yet).
Tested with gramine-direct and gramine-sgx on SGX-supported VMs.
Getting-started guide: README.md
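As an added example (not code from this PR), the script below shows the host-side flow around the new command: it checks that the enclave signing key has the form Gramine's signer requires (a 3072-bit RSA key with public exponent 3), generates one if needed, builds the image with `--enclave-key`, and then starts the container under gramine-sgx only when the host exposes the SGX device and AESM socket, falling back to gramine-direct otherwise. The image tag, the default key path, the in-container command (`gramine-sgx <app>` / `gramine-direct <app>`) and the environment-variable names are assumptions for illustration, not part of the PR.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR. End-to-end flow around
# `fx workspace dockerize`: make sure the enclave signing key matches what
# Gramine's signer expects, build the image with --enclave-key, then run it
# under gramine-sgx if the host exposes SGX, else under gramine-direct.
# Assumptions (not from the PR): the image tag, the in-container command
# "gramine-sgx <app>" / "gramine-direct <app>", and the default key path.
set -eu

# Gramine signs enclaves with a 3072-bit RSA key whose public exponent is 3.
# Returns 0 only if the PEM key at $1 is readable and meets both constraints.
check_enclave_key() {
    key="$1"
    [ -r "$key" ] || return 1
    info=$(openssl rsa -in "$key" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$info" | grep -q 'Private-Key: (3072 bit' || return 1
    printf '%s\n' "$info" | grep -q 'publicExponent: 3 (0x3)' || return 1
}

# Generate a key that check_enclave_key accepts (the format gramine-sgx-sign
# requires). The key is never packaged into the image, so keep it private.
generate_enclave_key() {
    openssl genrsa -3 -out "$1" 3072
    chmod 600 "$1"
}

# Host prerequisites for gramine-sgx: the SGX enclave device and the AESM
# socket used for quoting. $1 is an optional root prefix (handy for testing).
sgx_available() {
    root="${1:-}"
    [ -e "$root/dev/sgx_enclave" ] && [ -e "$root/var/run/aesmd/aesm.socket" ]
}

# Extra `docker run` arguments per mode, one per line. gramine-sgx needs the
# enclave device and AESM socket passed through; gramine-direct needs neither.
docker_run_args() {
    case "$1" in
        sgx)
            printf '%s\n' "--device=/dev/sgx_enclave" \
                "-v" "/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket" ;;
        direct) ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

main() {
    key="${ENCLAVE_KEY:-./enclave-key.pem}"   # assumed default location
    image="${IMAGE:-workspace:latest}"        # assumed image tag
    app="${APP:-python}"                      # assumed Gramine manifest name

    check_enclave_key "$key" || generate_enclave_key "$key"
    # The PR's command; pass the key explicitly instead of relying on auto-gen.
    fx workspace dockerize --enclave-key "$key"

    if sgx_available; then mode=sgx; else mode=direct; fi
    echo "running $image with gramine-$mode" >&2
    # shellcheck disable=SC2046  # args are single tokens; splitting is intended
    docker run --rm $(docker_run_args "$mode") "$image" "gramine-$mode" "$app"
}

# Only run the full flow when explicitly asked, so the functions above can be
# sourced or tested on their own.
if [ "${RUN_TEE_FLOW:-0}" = 1 ]; then main; fi
```

Run with `RUN_TEE_FLOW=1 ./tee-flow.sh` on a machine with `fx`, `docker` and `openssl` installed. The key check matters because a key of the wrong size or exponent fails only at signing time inside the image build; checking it up front gives a clear error before the build starts. The device and socket paths are the ones Gramine's own container instructions pass through; on hosts with an older out-of-tree SGX driver the device node differs and `sgx_available` will report the fallback mode.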