Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

SGX in virtualized environment

Svart_K_
Beginner
1,847 Views

Hello,

Is it possible to start and run enclaves from within a virtualized environment such as VirtualBox or Docker?

Thanks

7 Replies
Rodolfo_S_
New Contributor III

Hi, Svart.

It is possible to run and start enclaves from virtual machines. However, the virtualization software must be able to support the SGX instruction set. AFAIK VirtualBox and Docker still don't support SGX, but KVM and Xen both have patches available to support SGX.

For more details see here: https://01.org/intel-software-guard-extensions/sgx-virtualization

Best regards,

Rodolfo

Svart_K_
Beginner

Hi Rodolfo,

Thanks for the link.

I can understand that VirtualBox does not work since the instruction set is not supported, but shouldn't Docker still work? Since its lightweight containers still access the hardware of the "real" system they are running on and do not simulate any of it?

Rodolfo_S_
New Contributor III

Hi, Svart.

The incompatibility with Docker is actually because Intel runs the SGX PSW aesm as a daemon and not as a regular process. This is not allowed inside Docker containers. There are some patches (attached) written by sean-jc that make SGX compatible with Docker containers, but they are not compatible with the SGX 1.7 commit (current version of Linux SGX).

The following commits are known by me to work with these patches, and I have successfully launched/executed enclaves inside Docker containers by using them:

PSW + SDK: https://github.com/01org/linux-sgx/commit/f4005be591a82b1bedfbf8021cec8929a3911bb1

Driver: https://github.com/01org/linux-sgx-driver/commit/d2d50c36f62693ba629bd1efe4076a1a1f7a06d7

Best regards,

Rodolfo

Svart_K_
Beginner

Thanks for the clarification

pascal_f_
Beginner

We have run into the same issue trying to run SGX with Docker containers and I was wondering if there has been some progress to support the latest version of Linux SGX (1.7), or if we should use the previous version. Thanks!

Pascal

Michalevsky__Yan
Beginner

It's possible to run enclaves within Docker. It does, however, need access to the PSW AESM service configured and the SGX driver exposed to the container. But aside from that, we're successfully running SGX applications in Docker containers.

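Yan's reply above names the two things a container needs; the following shell helper is an added example (not posted by anyone in this thread) that checks the host for them and prints the matching `docker run` flags. It assumes the SGX device node is /dev/sgx_enclave (upstream kernel driver) or /dev/isgx (the out-of-tree linux-sgx-driver) and that the PSW's aesmd listens on /var/run/aesmd/aesm.socket on the host; none of these paths appear in the thread itself.

```shell
#!/bin/sh
# Added example, not from the thread: check the host for what a Docker
# container needs to run SGX enclaves (SGX device node + AESM socket) and
# print the flags to pass to `docker run`.
#
# Assumed paths (not stated in the thread):
#   /dev/sgx_enclave  upstream in-kernel SGX driver
#   /dev/isgx         legacy out-of-tree linux-sgx-driver
#   /var/run/aesmd/aesm.socket  socket of the PSW's aesmd on the host
#
# usage on a real host: docker run $(sgx_docker_args) <image>
#
# sgx_docker_args [ROOT]
#   ROOT is an optional path prefix so the check can be exercised against a
#   constructed directory tree instead of the real host filesystem; for that
#   reason plain -e existence tests are used rather than -c / -S.
#   Exit status: 0 ok, 1 no SGX device node, 2 AESM socket missing.
sgx_docker_args() {
    root="${1:-}"
    dev=""
    # Prefer the in-kernel driver's node, fall back to the legacy one.
    for d in /dev/sgx_enclave /dev/isgx; do
        if [ -e "$root$d" ]; then
            dev="$d"
            break
        fi
    done
    if [ -z "$dev" ]; then
        echo "no SGX device node found; is the SGX driver loaded on the host?" >&2
        return 1
    fi
    sock=/var/run/aesmd/aesm.socket
    if [ ! -e "$root$sock" ]; then
        echo "$sock missing; is aesmd (PSW) running on the host?" >&2
        return 2
    fi
    # Hand the container exactly these two things: the device node and the
    # directory holding the AESM socket. No --privileged, no extra mounts.
    # (The in-kernel driver also has /dev/sgx_provision, needed only for
    # provisioning; it is deliberately not exposed here.)
    echo "--device=$dev -v /var/run/aesmd:/var/run/aesmd"
}
```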
Johnston-Watt__Dunca

Yan,

Is this documented anywhere? Many thanks

Michalevsky, Yan wrote:

It's possible to run enclaves within Docker. It does, however, need access to the PSW AESM service configured and the SGX driver exposed to the container. But aside from that, we're successfully running SGX applications in Docker containers.
