A Linux-compatible Library OS for Multi-Process Applications
NOTE: We are in the middle of transitioning our buildsystem to Meson, and the build procedures are changing. See Building instructions for an up-to-date build tutorial.
Graphene is a lightweight library OS, designed to run a single application with minimal host requirements. Graphene can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine -- including guest customization, ease of porting to different OSes, and process migration.
Graphene supports native, unmodified Linux binaries on any platform. Currently, Graphene runs on Linux and Intel SGX enclaves on Linux platforms.
In untrusted cloud and edge deployments, there is a strong desire to shield the whole application from rest of the infrastructure. Graphene supports this “lift and shift” paradigm for bringing unmodified applications into Confidential Computing with Intel SGX. Graphene can protect applications from a malicious system stack with minimal porting effort.
Graphene is a growing project and we have a growing contributor and maintainer community. The code and overall direction of the project are determined by a diverse group of contributors, from universities, small and large companies, as well as individuals. Our goal is to continue this growth in both contributions and community adoption.
Graphene has evolved a lot since our last major release and at this point we have significantly reworked most of the research code towards building a production ready Graphene by end of Q2’21. We have a growing set of well tested applications including machine learning frameworks, databases, webservers, and programming language runtimes.
Graphene also supports many features for deploying secure solutions with SGX. These include full SGX Attestation support (EPID/DCAP), protected files support, and multi-process support with encrypted IPC. Graphene also supports a number of performance optimizations for SGX including support for asynchronous system calls.
Graphene is ready to be deployed in cloud environments with full support for automatic container integration, using Graphene Shielded Containers (GSC).
We have been actively developing, testing, and validating Graphene. The effort to review and harden security of Graphene is ongoing.
The most important problems (which include major security issues) are tracked in #1544 (Production blockers). Our roadmap is to address the majority of the remaining production blockers by Q2’21 and rest will follow in future releases.
The official Graphene documentation can be found at https://graphene.readthedocs.io. Below are quick links to some of the most important pages:
- Quick start and how to run applications
- Complete building instructions
- Graphene manifest file syntax
- The Graphene Shielded Containers (GSC) tool
- Performance tuning & analysis of SGX applications in Graphene
- Remote attestation in Graphene
For any questions, please send an email to support@graphene-project.io (public archive).
For bug reports, post an issue on our GitHub repository: https://github.com/oscarlab/graphene/issues.