Known issues for production deployment #7
Comments
|
Support Basic file locking function support which is required to enable Spark with Graphene #437 |
|
@debin-yang This issue is only to aggregate general issues with Graphene which block it from being used in production for all purposes, not just specific workloads. |
Isn't this done already? @pwmarcz @mkow .
This is done I think. See gramineproject/graphene#2084 (for Graphene proper) and gramineproject/graphene#2165 (for GSC). |
Here's where we are:
The problems in PAL code are perhaps less harmful, because it's used only for loading PAL and LibOS binaries. However, I recall running into issues at least once (the relocation code crashing on CFI directives for hardcoded return address). Somewhat related: fix linking of Graphene binaries to enable use of normal EDIT: The second checkbox is also done now. EDIT: @dimakuv rewrote PAL dynamic linking, so we're done here. |
Marked as done. |
|
@mkow Do we still want to keep this meta-issue open? There is one item left ("Documenting possible misuses of Graphene and its limitations"), and we don't have immediate plans to write a document like this. @pwmarcz Could you mark your todo item ("rewrite db_rtld in PAL") as solved, after I submitted my PRs on this? |
|
Done. |
|
@dimakuv: I'd keep it and in the meantime try to write up at least a short "secure deployment guidelines" doc, with all the dangers we are aware of clearly listed. |
|
Nope, this one is completely different? Your document is describing current Gramine state and limitations from the compatibility point of view, the one here is about security. Although reading it now I think I should have describe it better... |
This issue lists items that need to be kept in mind as you consider using Graphene in a production deployment scenario.
Issues: (checked means "already fixed on master")
More information: Known security issues #8.
Graphene has some limitations (some depends one the backends, e.g. that under SGX you can't get trusted time) and users should be aware of them.
Upstreaming is still in progress, we're blocked on this.SGX support made its way to Linux 5.11 and Graphene supports it.This driver is insecure and dangerous (see its README) and is only a temporary solution. We will drop it once FSGSBASE patches are upstreamed (that's the only functionality currently left in the driver).
Currently all subsystems output logs in totally random fashion. We also need a better way to control log level.
Currently those are mixed, which makes the output not really useful in production setup.
Update: Graphene logs can now be redirected to a separate file in the manifest. App stdout and stderr are currently printed to the same host fd and the error codes are still "ANDed", but that's is probably not a blocker for production deployments.
First version almost done, see [Linux-SGX] Add protected files implementation (SGX SDK file format) graphene#1325. Required for most production use-cases.
Using argv and environment from the untrusted world may easily lead to TEE compromise. See Provide a way to pass verified argv and environments graphene#508.
The text was updated successfully, but these errors were encountered: