利用在Ubuntu 20.04下安装的sgx运行python程序

官方的手册：https://graphene.readthedocs.io/en/latest/quickstart.html
如果您的系统是Ubuntu 20.04默认安装且kernel version为5.11+的话，可以无脑执行下面的命令

Common dependencies

https://graphene.readthedocs.io/en/latest/building.html#id1

sudo apt-get install -y autoconf bison build-essential gawk meson python3 python3-click python3-jinja2 wget
sudo apt-get install -y libunwind8 python3-pyelftools python3-pytest

Dependencies for SGX 1. Required packages

sudo apt-get install -y libcurl4-openssl-dev libprotobuf-c-dev protobuf-c-compiler python3-pip python3-protobuf 
python3 -m pip install toml>=0.10

2. Upgrade to the Linux kernel patched with FSGSbase

Note that if your kernel version is 5.9 or higher, then the FSGSbase feature is already supported and you can skip this step.
检测kernel version

uname -r

If your current kernel version is lower than 5.9, then you have two options:

Update the Linux kernel to at least 5.9 in your OS distro. If you use Ubuntu, you can follow e.g. this tutorial.Use our provided patches to the Linux kernel version 5.4. See section Advanced: installing Linux kernel with FSGSbase patches for the exact steps.

3. Install the Intel SGX driver

Note that if your kernel version is 5.11 or higher, then the Intel SGX driver is already installed and you can skip this step.

If you have an older CPU without FLC support, you need to download and install the the following Intel SGX driver: https://github.com/intel/linux-sgx-driver

Alternatively, if your CPU supports FLC, you can choose to install the DCAP version of the Intel SGX driver from: https://github.com/intel/SGXDataCenterAttestationPrimitives

4. Install Intel SGX SDK/PSW

https://github.com/intel/linux-sgx

4.1 Prerequisites:

sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip

To install latest Intel® SGX SDK Installer Ensure that you have downloaded latest Intel® SGX SDK Installer from the Intel® SGX SDK and followed the Installation Guide in the same page to install latest Intel® SGX SDK Installer.

sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
sudo apt-get install build-essential python-is-python3
sudo apt-get install build-essential ocaml automake autoconf libtool wget python libssl-dev 
sudo wget - https://download.01.org/intel-sgx/sgx-linux/2.15.1/distro/ubuntu20.04-server/sgx_linux_x64_driver_${version}.bin
sudo wget - https://download.01.org/intel-sgx/sgx-linux/2.15.1/distro/ubuntu20.04-server/sgx_linux_x64_driver_${version}.bin
sudo wget - https://download.01.org/intel-sgx/sgx-linux/2.15.1/distro/ubuntu20.04-server/sgx_linux_x64_sdk_${version}.bin
sudo chmod 777 sgx_linux_x64_* 
sudo apt-get install dkms

4.2. Install SDK and PSW

Install the components in following order:

Intel® SGX driverIntel® SGX SDKIntel® SGX PSW

4.2.1. Intel SGX driver

sudo apt-get install build-essential ocaml automake autoconf libtool wget python libssl-dev
sudo ./sgx_linux_x64_driver_${version}.bin
sudo git clone https://github.com/intel/linux-sgx.git
cd linux-sgx
sudo make preparation
sudo cp external/toolset/ubuntu20.04/{as,ld,objdump} /usr/local/bin/
which ld.gold
sudo cp /usr/bin/ld.gold /usr/local/bin/
sudo make sdk
sudo make sdk_install_pkg

4.2.2. Intel SGX SDK

sudo apt-get install build-essential python
cd linux/installer/bin
sudo ./sgx_linux_x64_sdk_${version}.bin
# Enter no，/opt/intel/
source /opt/intel/sgxsdk/environment

Compile and run each code sample in Hardware mode, Debug build, as follows:

cd ${sgx-sdk-install-path}/SampleCode/LocalAttestation
sudo make
cd bin
./app

4.2.3. Intel SGX PSW

echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
sudo apt-get update
sudo apt-get install libsgx-launch libsgx-urts
sudo apt-get install libsgx-epid libsgx-urts
sudo apt-get install libsgx-quote-ex libsgx-urts
sudo apt-get install libsgx-dcap-ql

以上是 building，下面运行sgx

---

1. Ensure

Ensure that Intel SGX is enabled on your platform using is_sgx_available.

2. Repository:

Clone the Graphene repository:

git clone https://github.com/oscarlab/graphene.git
cd graphene

3. Prepare a signing key:

sudo openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072

4. Build Graphene and Graphene-SGX:

sudo apt-get install -y autoconf bison build-essential gawk libcurl4-openssl-dev libprotobuf-c-dev meson protobuf-c-compiler python3 python3-click python3-jinja2 python3-pip python3-protobuf wget
sudo python3 -m pip install toml>=0.10
sudo make
sudo make ISGX_DRIVER_PATH="" SGX=1                  # this assumes Linux 5.11+
sudo meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled
sudo ninja -C build/
sudo ninja -C build/ install

5. Set vm.mmap_min_addr=0in the system (only required for the legacy SGX driver and not needed for newer DCAP/in-kernel drivers):

sudo sysctl vm.mmap_min_addr=0

Note that this is an inadvisable configuration for production systems.

6. Build and run helloworld:

cd LibOS/shim/test/regression
sudo make SGX=1
sudo make SGX=1 sgx-tokens
graphene-sgx helloworld

以上就是安装好了sgx了，下面进行运行python代码

---

Python example

cd /linux-sgx/graphene/Examples/python/

This directory contains an example for running Python 3 in Graphene, including
the Makefile and a template for generating the manifest.

Generating the manifest Installing prerequisites

For generating the manifest and running the test scripts, please run the following command to install the required packages (Ubuntu-specific):

sudo apt-get install libnss-mdns python3-numpy python3-scipy

Building for Linux

Run make (non-debug) or make DEBUG=1 (debug) in the directory.

Building for SGX

Run make SGX=1 (non-debug) or make SGX=1 DEBUG=1 (debug) in the directory.

Building with a local Python installation

By default, the make command creates the manifest for the Python binary from the system installation. If you have a local installation, you may create the manifest with the PYTHONPATH variable set accordingly. You can also specify a particular version of Python. For example:

make PYTHonPATH= PYTHonVERSION=python3.6 SGX=1

Run Python with Graphene

Here’s an example of running Python scripts under Graphene:

Without SGX:

graphene-direct ./python scripts/helloworld.py
graphene-direct ./python scripts/test-numpy.py
graphene-direct ./python scripts/test-scipy.py

With SGX:

graphene-sgx ./python scripts/helloworld.py
graphene-sgx ./python scripts/test-numpy.py
graphene-sgx ./python scripts/test-scipy.py

You can also manually run included tests:

SGX=1 ./run-tests.sh

---

谢谢大家！