-
Notifications
You must be signed in to change notification settings - Fork 1
/
redis-server.manifest.template
156 lines (128 loc) · 7.46 KB
/
redis-server.manifest.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Redis manifest file example
#
# This manifest was prepared and tested on Ubuntu 16.04.
################################## RUNNING ####################################
# Executable to load into Graphene and run. Note that Graphene tries its best
# to find the corresponding manifest file (by appending ".manifest" or
# ".manifest.sgx") based on the executable name, and vice versa. Still, it is
# required to have the explicit name of the executable here.
loader.exec = file:redis-server
################################## GRAPHENE ###################################
# LibOS layer library of Graphene. There is currently only one implementation,
# so it is always set to libsysdb.so. Note that GRAPHENEDIR macro is expanded
# to relative path to Graphene repository in the Makefile as part of the
# build process.
loader.preload = file:$(GRAPHENEDIR)/Runtime/libsysdb.so
# Show/hide debug log of Graphene ('inline' or 'none' respectively). Note that
# GRAPHENEDEBUG macro is expanded to inline/none in the Makefile as part of the
# build process.
loader.debug_type = $(GRAPHENEDEBUG)
################################# ENV VARS ###################################
# Specify paths to search for libraries. The usual LD_LIBRARY_PATH syntax
# applies. Paths must be in-Graphene visible paths, not host-OS paths (i.e.,
# paths must be taken from fs.mount.xxx.path, not fs.mount.xxx.uri).
#
# In case of Redis:
# - /lib is searched for Glibc libraries (ld, libc, libpthread)
# - /lib/x86_64-linux-gnu is searched for Name Service Switch (NSS) libraries
loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu
################################# MOUNT FS ###################################
# General notes:
# - There is only one supported type of mount points: 'chroot'.
# - Directory names are (somewhat confusingly) prepended by 'file:'.
# - Names of mount entries (lib, lib2, lib3) are irrelevant but must be unique.
# - In-Graphene visible path names may be arbitrary but we reuse host-OS URIs
# for simplicity (except for the first 'lib' case).
# Mount host-OS directory to Graphene glibc/runtime libraries (in 'uri') into
# in-Graphene visible directory /lib (in 'path'). Note that GRAPHENEDIR macro
# is expanded to relative path to Graphene repository in the Makefile as part
# of the build process.
fs.mount.lib.type = chroot
fs.mount.lib.path = /lib
fs.mount.lib.uri = file:$(GRAPHENEDIR)/Runtime
# Mount host-OS directory to Name Service Switch (NSS) libraries (in 'uri')
# into in-Graphene visible directory /lib/x86_64-linux-gnu (in 'path').
fs.mount.lib2.type = chroot
fs.mount.lib2.path = /lib/x86_64-linux-gnu
fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
# Mount host-OS directory to NSS files required by Glibc + NSS libs (in 'uri')
# into in-Graphene visible directory /etc (in 'path').
fs.mount.etc.type = chroot
fs.mount.etc.path = /etc
fs.mount.etc.uri = file:/etc
################################## NETWORK ####################################
# Allow binding on any network interface but only on port 6379. This is the
# default port used by Redis. Note how a missing interface name means "any
# interface".
net.allow_bind.redisport = :6379
############################### SGX: GENERAL ##################################
# Set enclave size (somewhat arbitrarily) to 1024MB. Recall that SGX v1 requires
# to specify enclave size at enclave creation time. If Redis exhausts these
# 1024MB then it will start failing with random errors. Greater enclave sizes
# result in longer startup times, smaller enclave sizes are not enough for
# typical Redis workloads.
sgx.enclave_size = 1024M
# Set maximum number of in-enclave threads (somewhat arbitrarily) to 8. Recall
# that SGX v1 requires to specify the maximum number of simulteneous threads at
# enclave creation time.
#
# Note that internally Graphene may spawn two additional threads, one for IPC
# and one for asynchronous events/alarms. Redis is technically single-threaded
# but spawns couple additional threads to do background bookkeeping. Therefore,
# specifying '8' allows to run a maximum of 6 Redis threads which is enough.
sgx.thread_num = 8
############################# SGX: TRUSTED LIBS ###############################
# Specify all libraries used by Redis and its dependencies (including all
# libraries which can be loaded at runtime via dlopen). The paths to libraries
# are host-OS paths. These libraries will be searched for in in-Graphene visible
# paths according to mount points above.
#
# As part of the build process, Graphene-SGX script (`pal-sgx-sign`) finds each
# specified library, measures its hash, and outputs the hash in auto-generated
# entry 'sgx.trusted_checksum.xxx' in auto-generated redis-server.manifest.sgx.
# Note that this happens on the developer machine.
#
# At runtime, during loading of this library, Graphene-SGX measures its hash
# and compares with the one specified in 'sgx.trusted_checksum.xxx'. If hashes
# match, this library is trusted and allowed to be loaded and used. Note that
# this happens on the client machine.
# Glibc libraries. ld, libc, libm, libdl, librt provide common functionality;
# pthread is needed because Redis spawns helper threads for bookkeeping.
sgx.trusted_files.ld = file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2
sgx.trusted_files.libc = file:$(GRAPHENEDIR)/Runtime/libc.so.6
sgx.trusted_files.libm = file:$(GRAPHENEDIR)/Runtime/libm.so.6
sgx.trusted_files.libdl = file:$(GRAPHENEDIR)/Runtime/libdl.so.2
sgx.trusted_files.librt = file:$(GRAPHENEDIR)/Runtime/librt.so.1
sgx.trusted_files.libpthread = file:$(GRAPHENEDIR)/Runtime/libpthread.so.0
# Name Service Switch (NSS) libraries. Glibc calls these libraries as part of
# name-service information gathering. libnss_{compat,files,nis} are the
# most widely used libraries, at least on Ubuntu.
# For more info, see 'man nsswitch.conf'.
sgx.trusted_files.libnsscompat = file:/lib/x86_64-linux-gnu/libnss_compat.so.2
sgx.trusted_files.libnssfiles = file:/lib/x86_64-linux-gnu/libnss_files.so.2
sgx.trusted_files.libnssnis = file:/lib/x86_64-linux-gnu/libnss_nis.so.2
# libNSL is a dependency of libnss_compat above. It is a good example of nested
# library dependencies required by Graphene-SGX.
sgx.trusted_files.libnsl = file:/lib/x86_64-linux-gnu/libnsl.so.1
############################ SGX: TRUSTED FILES ###############################
# Trusted no-library files include configuration files, read-only files, and
# other static files. It is useful to specify such files here to make sure
# they are not maliciously modified (modifications will be detected as hash
# mismatch by Graphene-SGX).
#
# Redis by default does not use configuration files, so this section is empty.
# sgx.trusted_files.config = file:<important-configuration-file>
############################# SGX: ALLOWED FILES ###############################
# Specify all non-static files used by app. These files may be accessed by
# Graphene-SGX but their integrity is not verified (Graphene-SGX does not
# measure their hashes). This may pose a security risk!
# Name Service Switch (NSS) files. Glibc reads these files as part of name-
# service information gathering. For more info, see 'man nsswitch.conf'.
sgx.allowed_files.nsswitch = file:/etc/nsswitch.conf
sgx.allowed_files.ethers = file:/etc/ethers
sgx.allowed_files.hosts = file:/etc/hosts
sgx.allowed_files.group = file:/etc/group
sgx.allowed_files.passwd = file:/etc/passwd
# getaddrinfo(3) configuration file. Glibc reads this file to correctly find
# network addresses. For more info, see 'man gai.conf'.
sgx.allowed_files.gaiconf = file:/etc/gai.conf