Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sgx.nonpie_binary option causes failure in Gramine but passes in GSC #219

Open
anjalirai-intel opened this issue Oct 24, 2024 · 1 comment
Open

sgx.nonpie_binary option causes failure in Gramine but passes in GSC #219

anjalirai-intel opened this issue Oct 24, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@anjalirai-intel
Copy link
Contributor

Description of the problem

Gramine has deprecated the sgx.nonpie_binary manifest option and introduced a manifest check tool that flags any unsupported entries in the manifest file.

gramineproject/gramine@970b62f
gramineproject/gramine@f1258cc

Steps to reproduce

We updated the helloworld example to include the sgx.nonpie_binary option in the manifest file. When running the make SGX=1 command, build fails:

$ make SGX=1
cc -Wall -Wextra -O3   -c -o helloworld.o helloworld.c
cc   helloworld.o   -o helloworld
gramine-manifest \
        -Dlog_level=error \
        helloworld.manifest.template helloworld.manifest
WARNING: error in manifest (after rendering): extra keys not allowed @ data['sgx']['nonpie_binary']
gramine-manifest-check helloworld.manifest
error in manifest: extra keys not allowed @ data['sgx']['nonpie_binary']
make: *** [Makefile:26: helloworld.manifest] Error 1

As expected, the make command fails during the gramine-manifest-check step with the error extra keys not allowed. However, this check is not integrated into GSC (Gramine Shielded Containers), which uses a different logic for generating the manifest file.

When we add sgx.nonpie_binary=true to the GSC test and build the workload, the build completes successfully without any errors and workload is running successfully.

GSC Log attached
gsc_nopie.log

Expected results

gramine-manifest-check tool should be integrated into gsc

Actual results

GSC build completes successfully without throwing any errors
@dimakuv
Copy link

dimakuv commented Oct 24, 2024

As expected, the make command fails during the gramine-manifest-check step with the error extra keys not allowed. However, this check is not integrated into GSC (Gramine Shielded Containers), which uses a different logic for generating the manifest file.

True.

I think the fix would be to add the following line somewhere around here:

gsc/templates/Dockerfile.common.sign.template

Line 12 in e57a501 

+RUN {% block path %}{% endblock %} gramine-manifest-check /gramine/app_files/entrypoint.manifest

Any volunteers for this change?

@dimakuv dimakuv added the enhancement New feature or request label Oct 24, 2024
@DukeDavis12 DukeDavis12 mentioned this issue Nov 5, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dimakuv @anjalirai-intel