提交 · 461849d7643a475f9d8e5b651e8e7ad6f9f5943f · openanolis / inclavare-containers

02 6月, 2020 3 次提交

J
Use pipe instead of net.FileConn to read protobuf. · 461849d7
由 jack.wxz 提交于 6月 02, 2020
```
Signed-off-by: Njack.wxz <wangxiaozhe@linux.alibaba.com>
```
461849d7

rune/libenclave: Sanity check the returned error of rune exec · a937ea0b

由 jia zhang 提交于 6月 02, 2020

If the returned error is empty, don't raise an error in any way.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

a937ea0b

rune/libenclave: Fix runelet process to exit · 68547a5f

由 jia zhang 提交于 6月 02, 2020

If the program launched by rune exec is terminated, runelet process
is unstoppable. Just kick off it through the channel notifyExit.
Signed-off-by: NXiaozhe Wang <wangxiaozhe@linux.alibaba.com>
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

68547a5f

27 5月, 2020 2 次提交

rune/libenclave: Close exec fifo fd twice · 5b951e6d

由 jia zhang 提交于 5月 27, 2020

Unlike what is done in the process of initialization of container
entrypoint, the exec fifo fd is not closed without closing it
explicitly, resulting in rune start cannot be terminated.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

5b951e6d

rune/libenclave: Fix duplications of staging fds · cae9a39b

由 jia zhang 提交于 5月 27, 2020

It was intended to have fds without close-on-exec with the side
effect of dup(), but acutally all fds staged are already
close-on-exec clear. Thus dup() makes extra duplications of fds
passed to init-runelet.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

cae9a39b

26 5月, 2020 2 次提交

rune: Add the sgx devices according to the actual situation · addc406d

由 hustliyilin 提交于 5月 26, 2020

If the enclave devices doesn't exist, don't add them into the default device list and cgroup whitelist.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

addc406d

H
rune: Pass the actual log level to Enclave Runtime · 0e7a77ee
由 hustliyilin 提交于 5月 26, 2020
```
Instead using the hard code "off".
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
```
0e7a77ee

22 5月, 2020 1 次提交

pal: Fix function declaration error in PAL API Specification (#6) · 44f4f703

由 tianjia 提交于 5月 22, 2020

The prototype declaration of pal_init() is wrong, this is a
copy-paste error, this patch fixes it.
Signed-off-by: NTianjia Zhang <tianjia.zhang@linux.alibaba.com>

44f4f703

15 5月, 2020 1 次提交
- rune: add the banner info about rune · 90e41aaf
  由 jia zhang 提交于 5月 15, 2020
```
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
```
  90e41aaf
12 5月, 2020 1 次提交

inclavare-containers: an implementation of protected container · c9751df2

由 jia zhang 提交于 5月 12, 2020

inclavare-containers is a set of tools for running trusted
applications in containers with the hardware-assisted enclave
technology. Enclave, referred to as a protected execution
environment, prevents the untrusted entity from accessing the
sensitive and confidential assets in use.

Currently, inclavare-containers consists of two core components:
rune and enclave runtime.

rune is a CLI tool for spawning and running enclaves in containers
according to the OCI specification. The codebase of rune is
a fork of runc, so rune can be used as runc if enclave is not
configured or available.

Enclave runtime is the backend of rune, which is responsible
for loading and running applications inside enclaves. The
interface between rune and enclave runtime is Enclave Runtime PAL
API, which allows invoking enclave runtime through well-defined
functions. The software for confidential computing may benefit
from this interface to interact with OCI runtime.

Additionally, this commit includes additional information about the
use of inclavare-containers.
- Run sample enclave runtime skeleton with rune
- Run enclave runtime Occlum with rune

See README.md for more details.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: NXiaozhe Wang <wangxiaozhe@linux.alibaba.com>
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

c9751df2