Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

SGX in virtualized environment

Svart_K_
Beginner
‎01-09-2017 12:22 AM
1,287 Views

Hello,

Is it possible to start and run enclaves from within a virtualized environment such as VirtualBox or Docker?

Thanks

0 Kudos

Link Copied

7 Replies
Rodolfo_S_
New Contributor III
‎01-09-2017 03:06 AM
1,287 Views

Hi, Svart.

It is possible to run and start enclaves from virtual machines. However, the virtualization software must be able to support the SGX instruction set. AFAIK VirtualBox and Docker still don't support SGX, but KVM and Xen both have patches available to support SGX.

For more details see here: https://01.org/intel-software-guard-extensions/sgx-virtualization

Best regards,

Rodolfo

0 Kudos
Copy link
Svart_K_
Beginner
‎01-09-2017 03:22 AM
1,287 Views

Hi Rodolfo,

Thanks for the link.

I can understand that VirtualBox does not work since the instruction set is not supported, but shouldn't Docker still work? Since it's lightweight containers are still accessing the hardware from the "real" system they are running on and not simulating any of that?
 

0 Kudos
Copy link
Rodolfo_S_
New Contributor III
‎01-09-2017 03:47 AM
1,287 Views

Hi, Svart.

The incompatibility with Docker is actually because Intel runs the SGX PSW aesm as a daemon and not as a regular process. This is not allowed inside Docker containers. There are some patches (attached) written by sean-jc that make SGX compatible with Docker containers, but they are not compatible with the SGX 1.7 commit (current version of Linux SGX).

The following commits are known by me to work with these patches, and I have successfully launched/executed enclaves inside Docker containers by using them:

PSW + SDK: https://github.com/01org/linux-sgx/commit/f4005be591a82b1bedfbf8021cec8929a3911bb1

Driver: https://github.com/01org/linux-sgx-driver/commit/d2d50c36f62693ba629bd1efe4076a1a1f7a06d7

Best regards,

Rodolfo

docker_patches.zip
0 Kudos
Copy link
Svart_K_
Beginner
‎01-09-2017 04:10 AM
1,287 Views

Thanks for the clarification

0 Kudos
Copy link
pascal_f_
Beginner
‎02-24-2017 06:56 AM
1,287 Views

We have run into the same issue trying to run SGX with Docker containers and I was wondering if there has been some progress to support the latest version of Linux SGX (1.7), or if we should use the previous version. Thanks!

Pascal

0 Kudos
Copy link
Michalevsky__Yan
Beginner
‎05-23-2019 06:06 PM
1,287 Views

It's possible to run enclaves within Docker. It however needs configuring access to the PSW AESM service and exposing the SGX driver to the container. But aside from that, we're successfully running SGX applications in Docker containers.

0 Kudos
Copy link
Johnston-Watt__Dunca
Beginner
‎07-08-2019 01:44 AM
1,287 Views

Yan

Is this documented anywhere? Many thanks

Michalevsky, Yan wrote:

It's possible to run enclaves within Docker. It however needs configuring access to the PSW AESM service and exposing the SGX driver to the container. But aside from that, we're successfully running SGX applications in Docker containers.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.