https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064461#M96 <P>It's possible to run enclaves within Docker. It however needs configuring access to the PSW AESM service and exposing the SGX driver to the container. But aside from that, we're successfully running SGX applications in Docker containers.</P> Fri, 24 May 2019 01:06:04 GMT Michalevsky__Yan 2019-05-24T01:06:04Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064455#M90 <P>Hello,</P> <P>Is it possible to start and run enclaves from within a virtualized environment such as VirtualBox or Docker?</P> <P>Thanks</P> Mon, 09 Jan 2017 08:22:42 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064455#M90 Svart_K_ 2017-01-09T08:22:42Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064456#M91 <P>Hi, Svart.</P> <P>It is possible to run and start enclaves from virtual machines. However, the v<SPAN style="font-size: 12px;">irtualization software must be able to support the SGX instruction set. AFAIK VirtualBox and Docker still don't support SGX, but KVM and Xen both have patches available to support SGX.</SPAN></P> <P>For more details see here: <A href="https://01.org/intel-software-guard-extensions/sgx-virtualization" target="_blank">https://01.org/intel-software-guard-extensions/sgx-virtualization</A></P> <P>Best regards,</P> <P>Rodolfo</P> Mon, 09 Jan 2017 11:06:45 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064456#M91 Rodolfo_S_ 2017-01-09T11:06:45Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064457#M92 <P>Hi Rodolfo,</P> <P>Thanks for the link.</P> <P>I can understand that VirtualBox does not work since the instruction set is not supported, but shouldn't Docker still work? Since it's lightweight containers are still accessing the hardware from the "real" system they are running on and not simulating any of that?<BR /> &nbsp;</P> Mon, 09 Jan 2017 11:22:57 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064457#M92 Svart_K_ 2017-01-09T11:22:57Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064458#M93 <P>Hi, Svart.</P> <P>The incompatibility with Docker is actually because Intel runs the SGX PSW aesm as a daemon and not as a regular process. This is not allowed inside Docker containers. There are some patches (attached) written by <A href="https://github.com/sean-jc">sean-jc</A>&nbsp;that make SGX compatible with Docker containers, but they are not compatible with the SGX 1.7 commit (current version of Linux SGX).</P> <P>The following commits are known by me to work with these patches, and I have successfully launched/executed enclaves inside Docker containers by using them:</P> <P>PSW + SDK: <A href="https://github.com/01org/linux-sgx/commit/f4005be591a82b1bedfbf8021cec8929a3911bb1" target="_blank">https://github.com/01org/linux-sgx/commit/f4005be591a82b1bedfbf8021cec8929a3911bb1</A></P> <P>Driver:&nbsp;https://github.com/01org/linux-sgx-driver/commit/d2d50c36f62693ba629bd1efe4076a1a1f7a06d7</P> <P>Best regards,</P> <P>Rodolfo</P> Mon, 09 Jan 2017 11:47:53 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064458#M93 Rodolfo_S_ 2017-01-09T11:47:53Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064459#M94 <P>Thanks for the clarification</P> Mon, 09 Jan 2017 12:10:52 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064459#M94 Svart_K_ 2017-01-09T12:10:52Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064460#M95 <P>We have run into the same issue trying to run SGX with Docker containers and I was wondering if there has been some progress to support the latest version of Linux SGX (1.7), or if we should use the previous version. Thanks!</P> <P>Pascal</P> Fri, 24 Feb 2017 14:56:59 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064460#M95 pascal_f_ 2017-02-24T14:56:59Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064461#M96 <P>It's possible to run enclaves within Docker. It however needs configuring access to the PSW AESM service and exposing the SGX driver to the container. But aside from that, we're successfully running SGX applications in Docker containers.</P> Fri, 24 May 2019 01:06:04 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064461#M96 Michalevsky__Yan 2019-05-24T01:06:04Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064462#M97 <P>Yan</P><P>Is this documented anywhere? Many thanks</P><P></P><BLOCKQUOTE>Michalevsky, Yan wrote:<BR /><P></P><P>It's possible to run enclaves within Docker. It however needs configuring access to the PSW AESM service and exposing the SGX driver to the container. But aside from that, we're successfully running SGX applications in Docker containers.</P><P></P></BLOCKQUOTE><P></P> Mon, 08 Jul 2019 08:44:19 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGX-in-virtualized-environment/m-p/1064462#M97 Johnston-Watt__Dunca 2019-07-08T08:44:19Z