diff --git a/README.md b/README.md index 13e6059e37df527deb80c586955d7b1544c91c68..059998f7234f85eec4587abe0d5b201e876d936c 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ sudo make install `shim-rune` resides in between `containerd` and `rune`, conducting enclave signing and management beyond the normal `shim` basis. `shim-rune` and `rune` can compose a basic enclave containerization stack for the cloud-native ecosystem. Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/shim/README.md) for the details. ### enclave runtime -The backend of `rune` is a component called enclave runtime, which is responsible for loading and running protected applications inside enclaves. The interface between `rune` and enclave runtime is [Enclave Runtime PAL API](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md), which allows invoking enclave runtime through well-defined functions. The software for confidential computing may benefit from this interface to interact with OCI runtime. +The backend of `rune` is a component called enclave runtime, which is responsible for loading and running protected applications inside enclaves. The interface between `rune` and enclave runtime is [Enclave Runtime PAL API](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec.md), which allows invoking enclave runtime through well-defined functions. The software for confidential computing may benefit from this interface to interact with OCI runtime. One typical class of enclave runtime implementations is based on library OSes. Currently, the default enclave runtime interacting with `rune` is [Occlum](https://github.com/occlum/occlum), a memory-safe, multi-process library OS for Intel SGX. 
diff --git a/rune/libenclave/internal/runtime/pal/spec.md b/rune/libenclave/internal/runtime/pal/spec.md new file mode 100644 index 0000000000000000000000000000000000000000..79ccbd19c990ed27c9adb76ac178e2b58d6ca685 --- /dev/null +++ b/rune/libenclave/internal/runtime/pal/spec.md @@ -0,0 +1,30 @@ +# Enclave Runtime PAL API Specification + +## Introduction + +Enclave Runtime PAL API defines a common interface to interact between rune and enclave runtime. + +## Versions + +Enclave Runtime PAL API Specification currently support [PAL API v1](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v1.md) and [PAL API v2](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md). + +If you want to use `rune` to run you enclave runtime, you can choose one of supported PAL API version to achieve. Using higher PAL API is recommended. + +The PAL API will evolve. You can submit proposal for the extension of PAL API. We will take it after careful consideration. + +## The relationship between `rune` and PAL APIs + +`rune` has a lot of subcommands such as `create`,`start`,`exec`,`run`,`kill`,`delete`, and etc. The relationship between them is shown in the following table. + +| Subcommand | v1 | v2 | +| :-------: | :-------: | :-------: | +| create | pal_get_version | pal_get_version | +| | pal_init | pal_init | +| start | pal_exec | pal_create_process | +| | | pal_exec | +| run | pal_get_version | pal_get_version | +| | pal_init | pal_init | +| | pal_exec | pal_create_process | +| | | pal_exec | +| delete | pal_destroy | pal_destroy | +| kill | | pal_kill | diff --git a/rune/libenclave/internal/runtime/pal/spec_v1.md b/rune/libenclave/internal/runtime/pal/spec_v1.md index a2fcd9a6b3d3555fba68a9f0c0069bfaff724774..0bcca834df5011c807ba8abed97e7f4ac91451c9 100644 --- a/rune/libenclave/internal/runtime/pal/spec_v1.md +++ b/rune/libenclave/internal/runtime/pal/spec_v1.md 
@@ -1,5 +1,4 @@ # Enclave Runtime PAL API Specification v1 -Enclave Runtime PAL API defines a common interface to interact between `rune` and enclave runtime. ## 1.pal_init() diff --git a/rune/libenclave/internal/runtime/pal/spec_v2.md b/rune/libenclave/internal/runtime/pal/spec_v2.md index 997fedd86241f11f78a1e76c8ad3051964ed6022..c12a3c565525360ec57274ebbb9720f3fa3448ca 100644 --- a/rune/libenclave/internal/runtime/pal/spec_v2.md +++ b/rune/libenclave/internal/runtime/pal/spec_v2.md @@ -1,5 +1,4 @@ # Enclave Runtime PAL API Specification v2 -Enclave Runtime PAL API defines a common interface to interact between `rune` and enclave runtime. ## 1.pal_get_version()
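Review bot: In the new spec.md, the subcommand table has no row for `exec`, although the sentence introducing the table lists `create`, `start`, `exec`, `run`, `kill` and `delete`. Add the row, or state that `exec` maps to no PAL call of its own. The empty v1 cell for `kill` should also say whether v1 has no kill entry point or the cell was simply left unfilled, since a reader implementing v1 cannot tell from a blank. The Versions section needs a wording pass: "currently support" should be "currently supports", "run you enclave runtime" should be "run your enclave runtime", and "and etc." should be "etc.".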
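Review bot: In spec_v1.md, the first section visible in this hunk's context is `## 1.pal_init()`, while the table added in spec.md lists `pal_get_version` under v1 for both `create` and `run`. Please confirm that v1 defines `pal_get_version` and that spec_v1.md documents it; if it does not, correct the v1 column of the table so the two files agree.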
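Review bot: In spec_v2.md, and likewise in spec_v1.md, removing the introductory sentence leaves the title followed directly by the first function section, with no pointer to the new spec.md. The README link now points to spec.md, but a reader who lands on a versioned file directly has no route to the overview or the subcommand table. Consider replacing the removed line with a one-line link back to spec.md.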