EGo lets you build, debug und run Go apps on Intel SGX - as simple as conventional Go programming!

Overview

EGo

EGo logo

GitHub Actions Status GitHub license Go Report Card PkgGoDev Gitter Chat

EGo is a framework for building confidential apps in Go. Confidential apps run in always-encrypted and verifiable enclaves on Intel SGX-enabled hardware. EGo simplifies enclave development by providing two user-friendly tools:

  • ego-go, an adapted Go compiler that builds enclave-compatible executables from a given Go project - while providing the same CLI as the original Go compiler.
  • ego, a CLI tool that handles all enclave-related tasks such as signing and enclave creation.

Building and running a confidential Go app is as easy as:

ego-go build hello.go
ego sign hello
ego run hello

Quick Start

If you are on Ubuntu 18.04 or above and do not want to build EGo from source, you can install the binary release:

wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add
sudo add-apt-repository 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main'
wget https://github.com/edgelesssys/ego/releases/download/v0.1.0/ego_0.1.0_amd64.deb
sudo apt install ./ego_0.1.0_amd64.deb

Now you are ready to build applications with EGo! To start, check out the samples.

Build and Install

Prerequisite: Edgeless RT is installed and sourced.

mkdir build
cd build
cmake ..
make
make install

Samples

  • helloworld is a minimal example of an enclave application.
  • remote_attestation shows how to do remote attestation in EGo.
  • vault demonstrates how to port a Go application exemplified by Hashicorp Vault.

Documentation

Comments
  • grpc server gets stuck under stress test

    grpc server gets stuck under stress test

    Issue description

    CPU:Intel 5318Y kernel: 5.12.19 os: debian 10 EGO:v0.4.0 (ecc1a705b7de8c15e1243f6ae888886647d838db)

    Grpc server which starts with ego run will become stuck and can not deal with any requests after low stress test. strace result:
    image htop result:
    image

    I try to use numactl to bind server pid in serveral cpus, and the problem can not be reproduced any more.

    To reproduce

    sample code:

    ...
    
    func PKCS7Padding(ciphertext []byte, blockSize int) []byte {
        padding := blockSize - len(ciphertext)%blockSize
        padtext := bytes.Repeat([]byte{byte(padding)}, padding)
        return append(ciphertext, padtext...)
    }
    
    func PKCS7UnPadding(origData []byte) []byte {
        length := len(origData)
        unpadding := int(origData[length-1])
        return origData[:(length - unpadding)]
    }
    
    func AesEncrypt(plaintext []byte, key, iv []byte) ([]byte, error) {
        block, err := aes.NewCipher(key)
        if err != nil {
            return nil, err
        }
        blockSize := block.BlockSize()
        plaintext = PKCS7Padding(plaintext, blockSize)
        blockMode := cipher.NewCBCEncrypter(block, iv)
        crypted := make([]byte, len(plaintext))
        blockMode.CryptBlocks(crypted, plaintext)
        return crypted, nil
    }
    
    func AesDecrypt(ciphertext []byte, key, iv []byte) ([]byte, error) {
        block, err := aes.NewCipher(key)
        if err != nil {
            return nil, err
        }
        blockSize := block.BlockSize()
        blockMode := cipher.NewCBCDecrypter(block, iv[:blockSize])
        origData := make([]byte, len(ciphertext))
        blockMode.CryptBlocks(origData, ciphertext)
        origData = PKCS7UnPadding(origData)
        return origData, nil
    }
    
    func testAes() {
        key, _ := hex.DecodeString("6368616e676520746869732070617373")
        plaintext := []byte("hello ming")
    
        c := make([]byte, aes.BlockSize+len(plaintext))
    iv := c[:aes.BlockSize]
    
        ciphertext, err := AesEncrypt(plaintext, key, iv)
        if err != nil {
            panic(err)
        }
    fmt.Println(base64.StdEncoding.EncodeToString(ciphertext))
    
        plaintext, err = AesDecrypt(ciphertext, key, iv)
        if err != nil {
            panic(err)
        }
        fmt.Println(string(plaintext))
    }
    
    const (
    	port = ":50051"
    )
    
    // server is used to implement helloworld.GreeterServer.
    type server struct {
    	pb.UnimplementedGreeterServer
    }
    
    // SayHello implements helloworld.GreeterServer
    func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
    	log.Printf("Received: %v", in.GetName())
            testAes()
    	return &pb.HelloReply{Message: "Hello " + in.GetName()}, nil
    }
    
    func main() {
    	lis, err := net.Listen("tcp", port)
    	if err != nil {
    		log.Fatalf("failed to listen: %v", err)
    	}
    	s := grpc.NewServer()
    	pb.RegisterGreeterServer(s, &server{})
    	log.Printf("server listening at %v", lis.Addr())
    	if err := s.Serve(lis); err != nil {
    		log.Fatalf("failed to serve: %v", err)
    	}
    }
    

    Steps to reproduce the behavior:

    1. Run a simple grpc server through ego. And do aes encryption in it's handler.
    2. use ghz to test the server. ghz -c 5000 -n 50000 --insecure --proto helloworld.proto --import-paths=/mnt/storage09/ego/samples/test/platform/vendor/googleapis,/mnt/storage09/ego/samples/test/platform/vendor/ --call helloworld.Greeter/SayHello -d '{"name":"xxx"}' 127.0.0.1:50051
    3. repeat step 2 serveral times, the server will stuck and client becomes timeout.

    Expected behavior

    Additional info / screenshot

    opened by zcc35357949 29
  • Lack of AIO library related implementation

    Lack of AIO library related implementation

    When I run ego-go to build something some error occurd

    /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::AioCb::cancel': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb6cancel17hbf37e4caf0e7d1a5E+0x8): undefined reference toaio_cancel' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::AioCb::error': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb5error17hf891cc64bc4a258fE+0x6): undefined reference toaio_error' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::AioCb::fsync': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb5fsync17h2170c97a55ede5a7E+0xb): undefined reference toaio_fsync' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::AioCb::read': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb4read17h6ab20e9ec57ec7c4E+0xf): undefined reference toaio_read' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::AioCb::aio_return': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb10aio_return17h02e5428ffd38d90dE+0xa): undefined reference toaio_return' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::AioCb::write': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5AioCb5write17h1d0189666438a4cdE+0x6): undefined reference toaio_write' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::aio_cancel_all': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio14aio_cancel_all17h131da5da30c298cdE+0x5): undefined reference toaio_cancel' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::aio_suspend': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio11aio_suspend17h6a76657106d21cfeE+0x14): undefined reference toaio_suspend' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::LioCb::listio': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb6listio17hf4f7f0e84d530c21E+0xeb): undefined reference tolio_listio' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in function nix::sys::aio::LioCb::listio_resubmit': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x100): undefined reference toaio_error' /usr/local/bin/ld: nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x155): undefined reference to aio_return' /usr/local/bin/ld: nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x19d): undefined reference toaio_error' /usr/local/bin/ld: nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb15listio_resubmit17h916197d632bb2286E+0x242): undefined reference to lio_listio' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in functionnix::sys::aio::LioCb::aio_return': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb10aio_return17h184cf383cae18f5dE+0x39): undefined reference to aio_return' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.13.rcgu.o): in functionnix::sys::aio::LioCb::error': nix.1cf2ddbb-cgu.13:(.text._ZN3nix3sys3aio5LioCb5error17hd159a6dccbce33bfE+0x33): undefined reference to aio_error' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in functionnix::mqueue::mq_open': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue7mq_open17he7df94924c300521E+0xd): undefined reference to mq_open' /usr/local/bin/ld: nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue7mq_open17he7df94924c300521E+0x1e): undefined reference tomq_open' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_unlink': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue9mq_unlink17hc705c9ffc9c0f4afE+0x6): undefined reference tomq_unlink' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_close': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue8mq_close17h7d761cdb4c0b3a15E+0x3): undefined reference tomq_close' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_receive': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue10mq_receive17h5fe711652e61d632E+0x3): undefined reference tomq_receive' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_send': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue7mq_send17hf3e8ba66fdb6c7f6E+0x3): undefined reference tomq_send' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_getattr': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue10mq_getattr17h387ecd7c907a9f4aE+0x11): undefined reference tomq_getattr' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_setattr': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue10mq_setattr17h7efc98b84d060136E+0x15): undefined reference tomq_setattr' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in function nix::mqueue::mq_set_nonblock': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue15mq_set_nonblock17h03a5cf5a318e775cE+0x17): undefined reference tomq_getattr' /usr/local/bin/ld: nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue15mq_set_nonblock17h03a5cf5a318e775cE+0x4b): undefined reference to mq_setattr' /usr/local/bin/ld: ../internal/vm/wasm/wasmer-go/libwasmer.a(nix-73ba03e35152d5cb.nix.1cf2ddbb-cgu.5.rcgu.o): in functionnix::mqueue::mq_remove_nonblock': nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue18mq_remove_nonblock17hd97691f08d4c3b46E+0x17): undefined reference to mq_getattr' /usr/local/bin/ld: nix.1cf2ddbb-cgu.5:(.text._ZN3nix6mqueue18mq_remove_nonblock17hd97691f08d4c3b46E+0x4b): undefined reference tomq_setattr' collect2: error: ld returned 1 exit status

    Does ego not implement AIO-related functions, or is it difficult to implement?

    opened by weitianyuan 21
  • Enclave not authorized to run

    Enclave not authorized to run

    Hello all,

    I run helloworld sample well in sim mode, but failed when running in enclave. The error says

    '[erthost] loading enclave ... [error_driver2api sgx_enclave_common.cpp:273] Enclave not authorized to run, .e.g. provisioning enclave hosted in app without access rights to /dev/sgx_provision. You need add the user id to group sgx_prv or run the app as root. ERROR: enclave_load_data failed (addr=0xc0f6c000, prot=0x1, err=0x6) (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/host/sgx/sgxload.c:oe_sgx_load_enclave_data:695] ERROR: oe_create_enclave failed. (Set OE_SIMULATION=1 for simulation mode.) [src/tools/erthost/erthost.cpp:main:265] ' Have tried as root, not help.

    I use ego 0.41, Ubuntu 20.04 with kernel version 5.13.0-30-generic and sgx driver 2.11.

    opened by pillowsofwind 20
  • Remote attestation fails

    Remote attestation fails

    Issue description

    I have set up a self-hosted PCCS according to the instructions provided in EGo docs (https://docs.edgeless.systems/ego/#/reference/attest), I try to launch the example of remote attestation (https://github.com/edgelesssys/ego/tree/master/samples/remote_attestation). When launching the server I get the following output:

    EGo v1.0.0 (f1255317ec583ed72947f65d83881a0e46ad1ed8)
    [erthost] loading enclave ...
    [erthost] entering enclave ...
    [ego] starting application ...
    [get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011
    ERROR: quote3_error_t=SGX_QL_NO_PLATFORM_CERT_DATA
     (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:706]
    ERROR: SGX Plugin _get_report(): failed to get ecdsa report. OE_PLATFORM_ERROR (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/enclave/sgx/attester.c:_get_report:324]
    OE_PLATFORM_ERROR
    listening ...
    
    opened by EErikas 19
  • cgo links host libc

    cgo links host libc

    OE won't load a binary i'm trying to build with ego, because it contains R_X86_64_IRELATIV

    it's a relocation caused by calling any GLIBC stdio function. but according to https://github.com/openenclave/openenclave/issues/4469 glibc isnt even supposed to be involved in the build process.

    since ego just calls cgo, cgo will call gcc which usually links the host libc. was i supposed to use CC=musl-gcc to avoid this?

    opened by aep 15
  • Dockerfile parse error: ARG requires exactly one argument

    Dockerfile parse error: ARG requires exactly one argument

    Hey, I am trying to setup docker image and faced issue when I run the build commands for docker images. My system information is

      Operating System: Debian GNU/Linux 9 (stretch)
                Kernel: Linux 5.13.9.rsk.1-amd64
          Architecture: x86-64
    

    Docker version is as follows

    Client: Docker Engine - Community
     Version:           19.03.15
     API version:       1.40
     Go version:        go1.13.15
     Built:             Sat Jan 30 03:17:11 2021
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server: Docker Engine - Community
     Engine:
      Version:          19.03.15
      API version:      1.40 (minimum version 1.12)
      Go version:       go1.13.15
      Built:            Sat Jan 30 03:15:40 2021
      OS/Arch:          linux/amd64
      Experimental:     false
     containerd:
      Version:          1.4.3
     runc:
      Version:          1.0.0-rc92
     docker-init:
      Version:          0.18.0
    

    When I run any of the following commands inside dockerfiles folder DOCKER_BUILDKIT=1 docker build -o. - < Dockerfile.build OR DOCKER_BUILDKIT=1 docker build --build-arg egotag=master --build-arg erttag=master -o. - < Dockerfile.build I encounter following error. image

    This is what line 16 of Dockerfile.build looks like. image

    Anyone recommended fix?

    opened by mHassan11 13
  • Remote attestation fails - Error: SGX_QL_ERROR_INVALID_PRIVILEGE

    Remote attestation fails - Error: SGX_QL_ERROR_INVALID_PRIVILEGE

    Issue description

    Followed the tutorial to get the TLS attestation sample working. Local machine deployment not cloud. Have PCCS running, docker logs output:

    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..................................................................+++++
    ..............................+++++
    e is 65537 (0x010001)
    Signature ok
    subject=CN = localhost
    Getting Private key
    Wed, 03 Aug 2022 12:49:45 GMT morgan deprecated default format: use combined format at node_modules/esm/esm.js:1:278827
    2022-08-03 12:49:46.871 [info]: DB Migration (Ver.0 -> 1) -- Start
    2022-08-03 12:49:46.879 [info]: DB Migration -- Done.
    2022-08-03 12:49:46.935 [info]: DB Migration (Ver.1 -> 2) -- Start
    2022-08-03 12:49:46.948 [info]: DB Migration -- Done.
    2022-08-03 12:49:47.043 [info]: HTTPS Server is running on: https://localhost:8081
    2022-08-03 13:04:36.004 [info]: Client Request-ID : 07a4756340594e0ab7c84bca10d56f79
    2022-08-03 13:04:36.006 [info]: 172.17.0.1 - - [03/Aug/2022:13:04:36 +0000] "GET /sgx/certification/v3/rootcacrl HTTP/1.1" 200 586 "-" "curl/7.58.0"
    

    As you can see also tried to curl the root ca which worked.

    Error I am seeing is:

    EGo v1.0.0 (f1255317ec583ed72947f65d83881a0e46ad1ed8)
    [erthost] loading enclave ...
    [erthost] entering enclave ...
    [ego] starting application ...
    [load_qe ../qe_logic.cpp:642] Error, call sgx_create_enclave QE fail [load_qe], SGXError:4004.
    ERROR: quote3_error_t=SGX_QL_ERROR_INVALID_PRIVILEGE
     (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:706]
    ERROR: SGX Plugin _get_report(): failed to get ecdsa report. OE_PLATFORM_ERROR (oe_result_t=OE_PLATFORM_ERROR) [openenclave-src/enclave/sgx/attester.c:_get_report:324]
    panic: OE_PLATFORM_ERROR
    
    goroutine 1 [running]:
    main.main()
    	/root/golang/ego/samples/attested_tls/server.go:14 +0x192
    

    I have seen the earlier issue https://github.com/edgelesssys/ego/issues/158 but as the error is a different one I dont think it is about a BIOS update.

    opened by rockhouse 11
  • Remote attestation over TLS format

    Remote attestation over TLS format

    https://github.com/edgelesssys/ego/blob/3d9a417efb206230a78490fc9773465480c92b9a/samples/remote_attestation/ra_client/client.go#L37-L56

    AFAICT, currently the ego library (or at least, the RA example) rely on exposing additional HTTP endpoints on the same server to serve the self-signed cert and a report that binds that to a verifiable SGX quote, and then requires the client to establish a new connection to the server using that (now verified) certificate. This only works if the server is reachable again over a separate connection by the same client (either because there is a single instance of it, or because of some session stickiness, though that would have to be at the TCP level since load balancers would not have any other information).

    Have you considered instead to embed the quote in an extension of the same TLS cert that is used for the "real" connection, so that a client may verify that contextually to establishing the connection?

    cc @ipetr0v @anghelcovici @dreemkiller

    opened by tiziano88 10
  • Cannot run `ego sign`

    Cannot run `ego sign`

    Issue description

    get lots of errors when ego sign

    To reproduce

    Steps to reproduce the behavior:

    first run ego-go build and get myprogramme

    then $ ego sign myprogramme

    and get errors

    EGo v0.5.0 (55bad14bb8d00dbae2000a8d603f9b588bb79451)
    /opt/ego/bin/ego-oesign ERROR: oe_sgx_build_enclave(): result=OE_FAILURE (0x1)
    2022-09-22T09:32:34+0000.652640Z [(H)ERROR] tid(0x7f3727832b80) | Unsupported elf relocation type 5
     (oe_result_t=OE_UNSUPPORTED_ENCLAVE_IMAGE) [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/elf.c:_elf64_load_relocations:1920]
    2022-09-22T09:32:34+0000.652660Z [(H)ERROR] tid(0x7f3727832b80) | :OE_UNSUPPORTED_ENCLAVE_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/elf.c:elf64_load_relocations:1957]
    2022-09-22T09:32:34+0000.652662Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/loadelf.c:_load_elf_image:447]
    2022-09-22T09:32:34+0000.652853Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/loadelf.c:_load_dependent_image:1450]
    2022-09-22T09:32:34+0000.652855Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/loadelf.c:oe_load_elf_enclave_image:1496]
    2022-09-22T09:32:34+0000.653125Z [(H)ERROR] tid(0x7f3727832b80) | :OE_INVALID_IMAGE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/load.c:oe_load_enclave_image:66]
    2022-09-22T09:32:34+0000.653128Z [(H)ERROR] tid(0x7f3727832b80) | :OE_FAILURE [/ertbuild/3rdparty/openenclave/openenclave-src/host/sgx/create.c:oe_sgx_build_enclave:909]
    

    Additional info

    my ego dependency in go.mod:

    go 1.18
    
    require (
    	github.com/edgelesssys/ego v0.5.0
    	// ...
    )
    

    could you pls help me to take a look of this? thanks!

    opened by wafeishushu 9
  • ego built program does not scale well on multi-cores server

    ego built program does not scale well on multi-cores server

    Issue description

    Build a program with ego, run and bind it to 28 CPU cores. It does not scale well on multi-core, only scale to 3 cores with only 50%-60% CPU usage of each, and other cores are idle. Build with native go, it scales well to all 28 cores, the each CPU load is almost the same. Client requests are enough and same for both two scenarios.

    To reproduce

    Steps to reproduce the behavior:

    1. Composed a go program, acting as a http server, mainly use golang crypto package, like ecdsa, elliptic, x509 etc, exposing an interface which generates ecdsa keys and some encoding/decoding.
    2. use ego build/sign the program: http-server
    3. boot command: numactl -C 0-27 ego run http-server
    4. use testing tool: ab to give enough requests

    Expected behavior

    The ego program http-server should scale to 28 cores

    Additional info / screenshot

    image

    opened by Glenrun 9
  • Support for library enclave

    Support for library enclave

    Typically, enclaves are built as trusted libraries that are then loaded by the untrusted application during runtime. Does ego support such interfacing? It appears that the current version can only run an trusted application binary on the enclave directly. I understand that one can use sockets to establish a connection between applications, but it comes with some security concerns.

    Awesome project! Thank you!

    opened by ibalajiarun 9
  • term.ReadPassword in

    term.ReadPassword in "golang.org/x/term" package does not work

    Example:

    package main
    import (
        "fmt"
        "os"
        "syscall"
        "golang.org/x/term"
    )
    func main() {
        fmt.Print("Password: ")
        bytepw, err := term.ReadPassword(int(syscall.Stdin))
        if err != nil {
            os.Exit(1)
        }
        pass := string(bytepw)
        fmt.Printf("\nYou've entered: %q\n", pass)
    }
    

    When running inside SGX, the program hang at term.ReadPassword, not able to input password.

    Although you could argue that a password from terminal input is inherently insecure, it is still nice to have this feature for compatibility.

    opened by the729 1
  • Would you help me to add a system call to get system fd limit

    Would you help me to add a system call to get system fd limit

    Hi,we have a problem when our porgram call unix.Getrlimit to get system fd limit, the error is :"failed to get fd limit error function not implemented".Following is our test code:

    package main
    import (
            "fmt"
            "golang.org/x/sys/unix"
    )
    
    func main()  {
            var l unix.Rlimit
            if err := unix.Getrlimit(unix.RLIMIT_NOFILE, &l); err != nil {
                    fmt.Println("failed to get fd limit", "error", err)
            }else{
               fmt.Println("get fd limit success: ,",l.Cur)
            }
    }
    opened by onexie 2
  • Help understanding of EGO

    Help understanding of EGO

    Thanks for the great product. I would appreciate it if anyone could verify if my understanding of EGo's DCAP-based attestation works correct or wrong.

    I understand that EGo uses DCAP-based attestation rather than EPID. And EGo depends on Open Enclave regarding the details of Quoting Enclave.

    However, one thing that does not add up is the fact that remote attestation sample generates a report before the quote is generated and signed by Provisioning Certification Enclave (PCE).

    1. My understanding of DCAP was the quote will be generated and signed by the PCE, which will then become a report. Could you please help me understand this?

    2. Also, where in the code EGo calls the OE APIs regarding QE operations? I don't see any submodule or anything that will use OE. Can you point me to the file/repo?

    3. Again, in the remote attestation sample, how does the client retrieves the TCB information when verifying the cached attestation collateral from PCCS using Azure Quote Provider? In other words, how does client knows which attestation collateral to retrieve? Server never sends this information to help client verify.

    opened by emrahsariboz 3
  • Would you plan to provide a safe file system?

    Would you plan to provide a safe file system?

    Use case

    My processes in encalve can r/w directly to the file system and all operations are automatically protected by ego. Meanwhile, all files are encrypted.

    Describe your solution

    Encrypt all files io using the internal unique key of the enclave.

    Additional context

    Nothing.

    opened by mfang96 1
  • ego run remote-attestation error

    ego run remote-attestation error

    I'v installed ego using release binary and run helloworld successfully. But I got error while running remote-attestation and attestation-tls exmaple. image Please help me to solve this problem.Thanks

    opened by Wyh19980916 20
  • Can ego run dl workload in enclave using https://github.com/sugarme/gotch?

    Can ego run dl workload in enclave using https://github.com/sugarme/gotch?

    Issue description

    When I try to run ml or dl using gotch(Go binding for Pytorch C++ API), ego sign will go wrong. like symbol not found

    ldd gotchTest
            linux-vdso.so.1 (0x00007fff719fb000)
            libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fac7fb4c000)
            libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fac7f96b000)
            libc10.so => /usr/local/lib/libtorch/lib/libc10.so (0x00007fac7f8e8000)
            libtorch_cpu.so => /usr/local/lib/libtorch/lib/libtorch_cpu.so (0x00007fac68733000)
            libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fac685e4000)
            libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fac685c7000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fac683d5000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fac8010e000)
            libgomp-52f2fd74.so.1 => /usr/local/lib/libtorch/lib/libgomp-52f2fd74.so.1 (0x00007fac681a2000)
            librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fac68197000)
            libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fac68191000)
    

    Cgo may cause this, Is there a simple way to solve this problem?

    opened by TYTaO 1
Releases(v1.0.1)
Owner
Edgeless Systems GmbH
Building super-secure and easy-to-use software for Confidential Computing
Edgeless Systems GmbH
CBuild build system - A tiny build system for C

cuild - CBuild A build system for C Building $ go build . Usage Similar to GNU Make, a file named "Cuildfile" is required. You have a few flags to us

Laurentino Luna 0 Jan 17, 2022
☁️ Live reload for Go apps

Air ☁️ Live reload for Go apps Motivation When I get started with developing websites in Go and gin framework, it's a pity that gin lacks live-reloadi

Rick Yu 8.5k Nov 17, 2022
Monitoring changes in the source file and automatically compile and run (restart).

dogo Monitoring changes in the source file and automatically compile and run (restart). 中文 Install go get github.com/liudng/dogo Create config Here's

null 253 Oct 20, 2022
run/stop goroutines/tasks securely, recursively

grunner - run/stop goroutines/tasks securely, recursively. s1 := grunner.New() s1.Defer(func() { fmt.Println("s1 stopped 2") }) s1.Defer(func() {

vogo 0 Apr 22, 2022
Create build pipelines in Go

taskflow Create build pipelines in Go This package aims to simplify the creation of build pipelines in Go instead of using scripts or Make. taskflow A

Robert Pająk 340 Nov 18, 2022
Colorize (highlight) `go build` command output

colorgo colorgo is a wrapper to go command that colorizes output from go build and go test. Installation go get -u github.com/songgao/colorgo Usage c

Song Gao 111 Sep 27, 2022
a build tool for Go, with a focus on cross-compiling, packaging and deployment

goxc NOTE: goxc has long been in maintenance mode. Ever since Go1.5 supported simple cross-compilation, this tool lost much of its value. There are st

Am Laher 1.7k Nov 11, 2022
Build system and task runner for Go projects

Gilbert is task runner that aims to provide declarative way to define and run tasks like in other projects like Gradle, Maven and etc.

Gilbert 104 Nov 14, 2022
KintoHub is an open source build and deployment platform designed with a developer-friendly interface for Kubernetes.

What is Kintohub? KintoHub is an open source build and deployment platform designed with a developer-friendly interface for Kubernetes. Build your cod

KintoHub 30 Jun 7, 2022
Build systems with Go examples

What is this? This is a repository containing all the examples from the book BUILD SYSTEMS with GO (and save the world). This book is written to help

Juan M. Tirado 99 Nov 20, 2022
🌍 Earthly is a build automation tool for the container era

?? Earthly is a build automation tool for the container era. It allows you to execute all your builds in containers. This makes them self-contained, repeatable, portable and parallel. You can use Earthly to create Docker images and artifacts (eg binaries, packages, arbitrary files).

Earthly 8.4k Nov 27, 2022
An experimental way to apply patches to the Go runtime at build time.

go-patch-overlay An experimental way to apply patches to the Go runtime at build time. Assuming you have a directory of patches to apply to the Go sou

Felix Geisendörfer 17 Oct 31, 2022
Please is a cross-language high-performance extensible build system for reproducible multi-language builds.

Please is a cross-language build system with an emphasis on high performance, extensibility and reproducibility. It supports a number of popular languages and can automate nearly any aspect of your build process.

Thought Machine 2.2k Nov 24, 2022
Blueprint Build System For Golang

Blueprint Build System Blueprint is being archived on 2021 May 3. On 2021 May 3, we will be archiving the Blueprint project. This means it will not be

GengKapak WIP 0 Nov 20, 2021
🚀 gowatch is a command line tool that builds and (re)starts your go project everytime you save a Go or template file.

gowatch 中文文档 gowatch is a command line tool that builds and (re)starts your go project everytime you save a Go or template file. Installation To insta

silenceper 730 Nov 10, 2022
Concurrent task runner, developer's routine tasks automation toolkit. Simple modern alternative to GNU Make 🧰

taskctl - concurrent task runner, developer's routine tasks automation toolkit Simple modern alternative to GNU Make. taskctl is concurrent task runne

null 228 Nov 6, 2022
NFPM is Not FPM - a simple deb, rpm and apk packager written in Go

NFPM NFPM is Not FPM - a simple deb, rpm and apk packager written in Go. Why While fpm is great, for me, it is a bummer that it depends on ruby, tar a

GoReleaser 1.6k Nov 17, 2022
A simple tool to help WoW repack administrators manipulate the repack database(s)

WoW Repack Manipulator This tool makes it easier for an administrator of a WoW Repack (private WoW server, basically) to manipulate the database that

Michael Crilly 2 Feb 7, 2022
EGo lets you build, debug und run Go apps on Intel SGX - as simple as conventional Go programming!

EGo lets you build, debug und run Go apps on Intel SGX - as simple as conventional Go programming!

Edgeless Systems GmbH 357 Nov 18, 2022
James is your butler and helps you to create, build, debug, test and run your Go projects

go-james James is your butler and helps you to create, build, debug, test and run your Go projects. When you often create new apps using Go, it quickl

Pieter Claerhout 56 Oct 8, 2022