Intel SGX Enclave with Qubes

If I run the VMs in Docker via dom0, how much does the attack surface increase?

As far as the “pass-through” is concerned, let me try, because Intel SGX has two modes of operation: one is simply “Enabled”, the other is “Software Controlled”.

No, not the VM (container), it's Docker itself.
If you trust Docker (which is acceptable), you can install it (at your own risk, but the risk here is small since it's just Docker).

In this case you stop relying on the Qubes hardware isolation and rely on Docker instead, which is far less secure. If dom0 is compromised, everything is compromised, which is why you should run in dom0 as few things as possible (ideally, nothing!).

See also:

@fsflover I am trying to run Intel SGX in a standalone Debian VM, and trying to run Docker with SGX enabled, so as to run sensitive applications. Could you guide me on that?

There is a package at https://grapheneproject.io/; it is apparently backed by Invisible Things Labs. It allows normal, unmodified applications to utilize SGX, but requires upgrading and modifying the kernel.

Gramine? What is your idea to make this work? (I can’t guide you since I don’t even know what Gramine is.)

Gramine is a set of libraries; it can be downloaded onto the existing OS and used to run applications in the secure enclave without Docker or anything else.

It is open source: GitHub - gramineproject/graphene: Graphene / Graphene-SGX - a library OS for Linux multi-process applications, with Intel SGX support

As of right now, SGX virtualization is available for KVM and Xen.
From the last comment on the thread, in 2019.

I am primarily interested in using SGX because I really have an important use for it, and if I am able to make it work, it can be standardized across the whole of Qubes.

Interesting. According to the comment by @yann above, something is wrong with Xen’s support of SGX (no GitHub repo). I’m afraid I can’t help further, since I’m no expert here.

I read that comment; that is why I am using the Gramine (GitHub - gramineproject/graphene: Graphene / Graphene-SGX - a library OS for Linux multi-process applications, with Intel SGX support) library.

It can help use standard applications in 256- to 512-bit ECC-encrypted memory (an enclave).


At least it should be easy to verify whether SGX is available in the context you’d like to use it.
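One way to do that check from inside dom0 or a qube, as an added example that is not code from this thread. It assumes the in-kernel SGX driver shipped since Linux 5.11 (which exposes /dev/sgx_enclave and /dev/sgx_provision) and the `sgx` / `sgx_lc` flags that the kernel reports in /proc/cpuinfo; the paths are parameters so the check can also be run against constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the current context
# (dom0 or a qube) exposes SGX via the in-kernel driver (Linux 5.11+).
# Usage: sgx_status [cpuinfo_path] [dev_dir]
# Prints one line per check; returns 0 only when enclaves can be created here.
sgx_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    devdir=${2:-/dev}
    rc=0

    # CPUID leaf 7 bit 2 (sgx) and bit 30 (sgx_lc, launch control) appear as
    # flags in /proc/cpuinfo. Without sgx_lc the enclave launch policy is
    # fixed to Intel's key, so Gramine-style setups with their own signing
    # key will not work even if sgx is present.
    flags=$(awk -F: '/^flags/ {print $2; exit}' "$cpuinfo")
    for f in sgx sgx_lc; do
        case " $flags " in
            *" $f "*) echo "cpu flag $f: present" ;;
            *)        echo "cpu flag $f: missing"; rc=1 ;;
        esac
    done

    # The driver creates /dev/sgx_enclave (user enclaves) and
    # /dev/sgx_provision (attestation-key provisioning, normally root-only).
    # Inside a qube, a missing device means SGX was not passed through or
    # the VM kernel lacks the driver, even if the CPU flags are visible.
    for d in sgx_enclave sgx_provision; do
        if [ -c "$devdir/$d" ]; then
            echo "device $d: present"
        else
            echo "device $d: missing"
            [ "$d" = sgx_enclave ] && rc=1
        fi
    done
    return "$rc"
}

# Stand-alone run against the live system.
sgx_status
```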

@yann Yes, my CPU supports the SGX feature. It is an option on the BIOS menu.

@yann @fsflover @ppc Is it possible for the dom0 and VM kernels to be upgraded to version 5.12?

What about the SeaBIOS and Linux kernel?

I’m not sure whether it is 5.12, but you can update to a newer version.

Intel SGX is supported and enabled, thanks to GitHub - intel/sgx-software-enable, and I can begin running applications in enclaves.


You can install kernel-latest, currently at least at 5.14.

@yann I have enabled the 5.14 kernel. Thanks!

@yann @ppc @fsflover @brendanhoar @Sven @adw Enable SGX Virtualization — Project ACRN™ v 1.6 documentation

Can the set of instructions given on the page be built into Qubes? I would request you to tag and include community managers into this thread.

Sorry to necrobump the topic, but it’s the only one dedicated to SGX and Qubes, so it is probably better (like the Windows topics) to keep it here.

My dilemma is that Intel ME is now “hidden” in the SGX feature of Intel non-Xeon CPUs. What is the better trade-off: to get a CPU without SGX if that means no Intel ME (does it actually mean that?), or is SGX itself too important even for Qubes, so that it is (or will be) better to have SGX with Intel ME than without it?