This repository has been archived on 2023-11-05. You can view files and clone it, but cannot push or open issues or pull requests.
wasm-micro-runtime/product-mini/platforms/linux-sgx/enclave-sample/App
liang.he 717e8a48e2
Enable the semantic version mechanism for WAMR (#1374)
Use the semantic versioning (https://semver.org) to replace the current date
versioning system, which is more general and is requested by some developers,
e.g. issue #1357.

There are three parts in the new version string:
- major. Any incompatible modification on ABIs and APIs will lead to an increment
  in the value of major, which mainly includes: AOT calling conventions, AOT file
  format, wasm_export.h, wasm_c_api.h, and so on.
- minor. It represents new features, including MVP/POST-MVP features, libraries,
  WAMR private ones, and so on.
- patch. It represents patches.

The new version will start from 1.0.0. Update the help info and version showing for
iwasm and wamrc.
2022-08-18 19:01:05 +08:00
App.cpp Enable the semantic version mechanism for WAMR (#1374) 2022-08-18 19:01:05 +08:00
pal_api.h Apply clang-format for core/shared and product-mini files (#785) 2021-10-14 09:12:07 +08:00
README.md Enhance the readability of WAMR SGX docs (#442) 2020-11-13 13:11:34 +08:00
wamr-bundle.md Enhance the readability of WAMR SGX docs (#442) 2020-11-13 13:11:34 +08:00

Running WAMR as an Enclave Runtime for Inclavare Containers

To integrate with rune, a novel OCI runtime for spawning and running enclaves in containers, an enclave runtime PAL that handles the communication with WAMR has to be implemented.

With the help of rune, WAMR is brought into the cloud-native ecosystem; this combination is what the term "WAMR enclave runtime" refers to.

This guide provides the information needed to build, integrate and deploy the WAMR enclave runtime. Eventually, the resulting docker image is launched by rune, and the WAMR application that serves as the entrypoint of the docker image runs inside an Intel SGX enclave with hardware-enforced isolation and cryptographic data protection.

Build WAMR vmcore (iwasm) and enclave image

Please follow this guide to build iwasm and enclave image as the prerequisite.

The generated enclave image enclave.signed.so will be consumed by WAMR enclave runtime mentioned below.


Build and install the PAL of WAMR enclave runtime

g++ -shared -fPIC -o libwamr-pal.so App/*.o libvmlib_untrusted.a -L/opt/intel/sgxsdk/lib64 -lsgx_urts -lpthread -lssl -lcrypto
cp ./libwamr-pal.so /usr/lib/libwamr-pal.so

Build WAMR application

As the prerequisite, please

  • refer to this step to install wasi-sdk. Note that the binaries of wasi-sdk must be installed at /opt/wasi-sdk/bin/.
  • refer to this guide to build the wamrc AoT compiler.

The sample WAMR application test.c is provided in this guide. Don't forget to compile the .wasm file to an .aot file:

wamrc -sgx -o test.aot test.wasm

The generated test.aot is the WAMR application launched by WAMR enclave runtime.


Build WAMR docker image

In the enclave-sample directory, create a Dockerfile for the WAMR docker image, which bundles enclave.signed.so and the target application (.aot) files, with one of the following commands. The here-document delimiter is quoted so that the ${wasm_app.aot} placeholder is copied literally instead of being expanded (and rejected as a bad substitution) by the shell:

For CentOS:

cat > Dockerfile <<'EOF'
FROM centos:8.1.1911

RUN mkdir -p /run/rune
WORKDIR /run/rune

COPY enclave.signed.so .
COPY test.aot app
# Uncomment and repeat for each extra application to bundle:
#COPY ${wasm_app.aot} .
ENTRYPOINT ["/run/rune/app"]
EOF

For Ubuntu:

cat > Dockerfile <<'EOF'
FROM ubuntu:18.04

RUN mkdir -p /run/rune
WORKDIR /run/rune

COPY enclave.signed.so .
COPY test.aot app
# Uncomment and repeat for each extra application to bundle:
#COPY ${wasm_app.aot} .
ENTRYPOINT ["/run/rune/app"]
EOF

where ${wasm_app.aot} stands for any extra WAMR application (.aot) files you want to run.

Then build the WAMR docker image with the command:

docker build . -t wamr-sgx-app
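The two Dockerfile variants and the docker build step can be wrapped in a small script so that an image is never built from a missing or wrong file. This is an added example, not code from the WAMR repository; it assumes enclave.signed.so and the .aot files sit in the current directory, and the function names gen_dockerfile, check_inputs and build_wamr_image are this example's own.

```shell
#!/bin/sh
# Added example (not part of the WAMR repository): generate the Dockerfile
# described above for a chosen base image and one or more .aot applications,
# and refuse to build when a referenced file is missing.
# Assumptions: enclave.signed.so and the .aot files are in the current
# directory; the image is built with "docker build" exactly as in the text.

# gen_dockerfile BASE_IMAGE MAIN_AOT [EXTRA_AOT...]
# Prints a Dockerfile equivalent to the one in the text. The first .aot
# becomes /run/rune/app (the entrypoint); any further .aot files are copied
# alongside it, which is what the commented COPY placeholder stands for.
gen_dockerfile() {
    base="$1"; main="$2"; shift 2
    printf 'FROM %s\n\n' "$base"
    printf 'RUN mkdir -p /run/rune\nWORKDIR /run/rune\n\n'
    printf 'COPY enclave.signed.so .\n'
    printf 'COPY %s app\n' "$main"
    for extra in "$@"; do
        printf 'COPY %s .\n' "$extra"
    done
    printf 'ENTRYPOINT ["/run/rune/app"]\n'
}

# check_inputs MAIN_AOT [EXTRA_AOT...]
# Fails when the signed enclave or any application file is absent or is not
# an .aot file, so a broken image is never built (and a stale or wrong
# enclave is never packaged silently because COPY happened to find something).
check_inputs() {
    [ -f enclave.signed.so ] || { echo "missing enclave.signed.so" >&2; return 1; }
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing application file: $f" >&2; return 1; }
        case "$f" in
            *.aot) ;;
            *) echo "not an .aot file: $f" >&2; return 1 ;;
        esac
    done
}

# build_wamr_image DISTRO TAG MAIN_AOT [EXTRA_AOT...]
# DISTRO is "centos" or "ubuntu", matching the two variants in the text.
build_wamr_image() {
    distro="$1"; tag="$2"; shift 2
    case "$distro" in
        centos) base="centos:8.1.1911" ;;
        ubuntu) base="ubuntu:18.04" ;;
        *) echo "unsupported distro: $distro" >&2; return 1 ;;
    esac
    check_inputs "$@" || return 1
    gen_dockerfile "$base" "$@" > Dockerfile
    docker build . -t "$tag"
}

# Usage (uncomment to run in the enclave-sample directory):
# build_wamr_image ubuntu wamr-sgx-app test.aot
```

The script keeps the image contents identical to the hand-written Dockerfile; the only behavioural addition is that every file the image will contain is checked before docker build runs.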

Deploy WAMR SGX Docker image

The following guide provides the steps to run WAMR with Docker and OCI Runtime rune.

rune is a novel OCI Runtime used to run trusted applications in containers with the hardware-assisted enclave technology.

Requirements

  • Ensure that you have one of the following required operating systems to build a WAMR docker image:

    • CentOS 8.1
    • Ubuntu 18.04-server
  • Please follow the Intel SGX Installation Guide to install the Intel SGX driver, Intel SGX SDK and PSW for Linux.

    • For CentOS 8.1, the UAE service libraries are needed but may not be installed when the SGX PSW installer is used. Please install them manually:

      rpm -i libsgx-uae-service-2.11.100.2-1.el8.x86_64.rpm

  • The simplest way to install rune is to download a pre-built binary from Inclavare Containers release page.

Integrate OCI Runtime rune with Docker

Add the configuration for rune to the dockerd config file (e.g. /etc/docker/daemon.json) on your system:

{
	"runtimes": {
		"rune": {
			"path": "/usr/local/bin/rune",
			"runtimeArgs": []
		}
	}
}

then restart dockerd on your system.

You can check whether rune is correctly enabled or not with:

docker info | grep rune

The expected result would be:

Runtimes: rune runc
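The snippet below, added here and not part of WAMR or Inclavare Containers, writes the daemon.json entry above without clobbering an existing dockerd configuration, and checks the docker info output more strictly than a bare grep for the string rune (which also matches unrelated lines). The rune path defaults to /usr/local/bin/rune as in the text; install_rune_config and rune_listed are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the WAMR or Inclavare Containers projects):
# register rune in daemon.json without overwriting an existing configuration,
# and verify the rune runtime in the "docker info" output.
# Assumptions: rune was installed to /usr/local/bin/rune as in the text, and
# an existing daemon.json (if any) is a single JSON object.

RUNE_PATH="${RUNE_PATH:-/usr/local/bin/rune}"

# rune_runtime_json: the fragment from the text, printed as a complete file.
rune_runtime_json() {
    cat <<EOF
{
    "runtimes": {
        "rune": {
            "path": "$RUNE_PATH",
            "runtimeArgs": []
        }
    }
}
EOF
}

# install_rune_config FILE
# Writes daemon.json only when it does not exist yet. Overwriting an existing
# file with a plain "cat >" silently drops every other dockerd setting
# (registries, log driver, other runtimes), so in that case the merge is
# left to the operator and the function fails instead of guessing.
install_rune_config() {
    file="$1"
    if [ -e "$file" ]; then
        if grep -q '"rune"' "$file"; then
            echo "$file already declares rune" >&2
            return 0
        fi
        echo "$file exists; merge the rune entry into its \"runtimes\" object by hand" >&2
        return 1
    fi
    [ -x "$RUNE_PATH" ] || echo "warning: $RUNE_PATH is not executable" >&2
    mkdir -p "$(dirname "$file")"
    rune_runtime_json > "$file"
}

# rune_listed INFO_TEXT
# Succeeds when the "Runtimes:" line of the given "docker info" output lists
# rune as a whole word, so "runc" alone, a similarly named runtime, or a host
# name containing "rune" on another line does not count as success.
rune_listed() {
    printf '%s\n' "$1" | grep -E '^ *Runtimes:' | grep -qw 'rune'
}

# Usage (uncomment to run on a real host, as root):
# install_rune_config /etc/docker/daemon.json && systemctl restart docker
# rune_listed "$(docker info 2>/dev/null)" && echo "rune enabled"
```

The whole-word match matters because docker info prints several lines that can contain the substring rune (for example a host name or an image name), which would make a plain grep report success on a host where the runtime was never registered.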

Run WAMR SGX docker image

Run the image with docker run, passing the following parameters:

docker run -it --rm --runtime=rune \
  -e ENCLAVE_TYPE=intelSgx \
  -e ENCLAVE_RUNTIME_PATH=/usr/lib/libwamr-pal.so \
  -e ENCLAVE_RUNTIME_ARGS=debug \
  wamr-sgx-app

where:

  • @ENCLAVE_TYPE: specify the type of enclave hardware to use, such as intelSgx.
  • @ENCLAVE_RUNTIME_PATH: specify the path to the enclave runtime to launch. For a WAMR application, you need to specify the path to libwamr-pal.so.
  • @ENCLAVE_RUNTIME_ARGS: specify the arguments passed to the enclave runtime, separated by commas.
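As an added example (not part of either project), the docker run invocation can be wrapped so that the three ENCLAVE_* parameters are validated on the host before rune is invoked: the PAL library must exist at an absolute path and must not be world-writable, and ENCLAVE_RUNTIME_ARGS must be a plain comma-separated list. Defaults follow the text (/usr/lib/libwamr-pal.so and debug); wamr_run_args and run_wamr_sgx are this example's own names.

```shell
#!/bin/sh
# Added example (not part of the WAMR or Inclavare Containers projects):
# a wrapper around the "docker run" invocation above that validates the
# ENCLAVE_* parameters before handing them to rune.
# Assumptions: image tag and PAL path as in the text; intelSgx is the only
# enclave type the text mentions, so it is the only one emitted here.

# wamr_run_args IMAGE PAL_PATH RUNTIME_ARGS
# Prints the docker run argument list, one argument per line, or fails with
# a message when a parameter cannot be right.
wamr_run_args() {
    image="$1"; pal="$2"; rargs="$3"
    [ -n "$image" ] || { echo "image name is required" >&2; return 1; }
    # The PAL is loaded on the host side by the runtime, outside the enclave,
    # so a missing path only fails at container start with a vague error.
    [ -f "$pal" ] || { echo "enclave runtime not found: $pal" >&2; return 1; }
    case "$pal" in
        /*) ;;
        *) echo "enclave runtime path must be absolute: $pal" >&2; return 1 ;;
    esac
    # A world-writable runtime library could be swapped by any local user
    # before the container starts; column 9 of "ls -l" is the other-write bit.
    case "$(ls -ld "$pal")" in
        ????????w*) echo "refusing world-writable enclave runtime: $pal" >&2; return 1 ;;
    esac
    # Runtime args are comma separated; whitespace inside them is almost
    # always a quoting mistake, so reject it instead of passing it through.
    case "$rargs" in
        *[[:space:]]*) echo "ENCLAVE_RUNTIME_ARGS must not contain whitespace" >&2; return 1 ;;
    esac
    printf '%s\n' \
        --rm --runtime=rune \
        -e ENCLAVE_TYPE=intelSgx \
        -e "ENCLAVE_RUNTIME_PATH=$pal" \
        -e "ENCLAVE_RUNTIME_ARGS=$rargs" \
        "$image"
}

# run_wamr_sgx IMAGE [PAL_PATH] [RUNTIME_ARGS]
# Validates the parameters and then runs the container interactively, as the
# docker run command in the text does.
run_wamr_sgx() {
    args=$(wamr_run_args "$1" "${2:-/usr/lib/libwamr-pal.so}" "${3:-debug}") || return 1
    # Split the argument list on newlines only (paths may contain spaces).
    IFS='
'
    set -f
    set -- $args
    set +f
    unset IFS
    docker run -it "$@"
}

# Usage (uncomment to run on a host with rune registered in dockerd):
# run_wamr_sgx wamr-sgx-app
```

Splitting the argument list on newlines rather than on the default IFS keeps a PAL path containing spaces intact, and disabling globbing for the split prevents a stray wildcard in an argument from expanding against the current directory.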

Develop and debug WAMR enclave runtime with rune

Please refer to this guide. This step is optional and is mainly intended for developers.